Atoptool/atop

Error starting atopacct.service

liutingjieni opened this issue · 2 comments

I am working on the CI/CD of atop. I want to open the container in Docker to compile and test atop-related functions. But when starting systemctl start atopacct.service, it will return NETLINK family, errno -2. Do you know why this is? I still can't understand it.

I want to open the container in Docker to compile and test atop-related functions. But when starting systemctl start atopacct.service, it will return NETLINK family, errno -2. Do you know why this is? I still can't understand it.

This issue is on Docker's, not on atopacctd's, side, as Docker is heavily limiting the container's privileges, as well as on the way netlink sockets behave in a containerized environment.

Docker supports altering privileges of containers using capabilities(7) (linux.die.net) by passing them via --cap-add, but your best bet would probably be to start with a permissive container configuration (something like docker run --privileged --pid=host), see if it solves the issue, and if it does, limit the privileges again until you've got a minimal working configuration.

My best bet would be that you may need something like NET_ADMIN as a capability (see the security considerations of RFC 3549 as a reference here); --pid=host is probably useful if you want to share the host's process namespace with the container (though it's not mandatory for this issue, it could be beneficial in general).
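
When narrowing a container from --privileged back down to single --cap-add values as suggested above, it helps to confirm from inside the container which capabilities the process really holds. The following is an added example, not part of the original comment or of atop: it decodes the CapEff mask from /proc/<pid>/status and reports whether CAP_NET_ADMIN (bit 12 in linux/capability.h) is set. The function names and the sample masks are constructed for illustration, and whether NET_ADMIN alone is sufficient for atopacctd remains the commenter's guess.

```shell
#!/bin/sh
# Added example: check the effective capability set of a process.
# Bit number taken from linux/capability.h.
CAP_NET_ADMIN=12

# cap_eff: read /proc/<pid>/status-style text on stdin, print the CapEff hex mask.
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }'
}

# has_cap MASK BIT: succeed if bit number BIT is set in the hex string MASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_net_admin: status text on stdin -> "present", "missing" or "unknown".
check_net_admin() {
    mask=$(cap_eff)
    if [ -z "$mask" ]; then
        echo unknown          # no CapEff line in the input
    elif has_cap "$mask" "$CAP_NET_ADMIN"; then
        echo present
    else
        echo missing
    fi
}

# Constructed samples: the first mask is typical of Docker's default
# capability set, the second is the same set plus CAP_NET_ADMIN
# (as after "docker run --cap-add NET_ADMIN").
printf 'default set:     %s\n' \
    "$(printf 'Name:\tsh\nCapEff:\t00000000a80425fb\n' | check_net_admin)"
printf 'with NET_ADMIN:  %s\n' \
    "$(printf 'Name:\tsh\nCapEff:\t00000000a80435fb\n' | check_net_admin)"

# Real use inside the container: inspect the current process.
if [ -r /proc/self/status ]; then
    printf 'this process:    %s\n' "$(check_net_admin < /proc/self/status)"
fi
```

Run it once in the permissive container and again after each privilege reduction; a change from "present" to "missing" that coincides with the netlink error returning points at the capability you just removed.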

I assume that the comment of Wilko clarified the issue.