
fix: Docker Compose fails inside session containers #177

Merged
mensfeld merged 2 commits into master from fix/docker-compose-session-containers
Mar 2, 2026

Conversation

@mensfeld (Owner) commented Mar 2, 2026

Summary

  • Fixed Docker/nested container support flags (security.nesting, security.syscalls.intercept.mknod, security.syscalls.intercept.setxattr) not being set on session containers created via coi shell
  • Changed LaunchContainer/LaunchContainerPersistent to use incus init + configure + incus start instead of incus launch + configure, eliminating a race condition where security flags were set after boot
  • Exported enableDockerSupport as EnableDockerSupport so it can be called from the session setup path

Root cause

The main session path (session/setup.go) used incus init + incus start but never called enableDockerSupport(). These flags only existed in LaunchContainer()/LaunchContainerPersistent() in commands.go, which are used by coi container launch and coi run but not by coi shell.

Docker Compose fails with:

open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied

because the seccomp profile loaded at boot time doesn't include the required syscall interception rules.

Test plan

  • go build ./... passes
  • go vet ./... passes
  • Existing Docker tests pass (test_docker_flags_enabled, test_docker_works_in_container, test_docker_fails_without_nesting)
  • New Docker Compose integration test passes (test_docker_compose_works.py)
  • ruff check and ruff format --check pass on new test file
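The ordering the description settles on (create the container without booting it, set the nested-container flags, then start it) is easy to get wrong because Incus builds the container's seccomp profile at start time, so interception rules applied after `incus launch` only take effect on the next restart. The following shell example is added here and is not the coi project's code: it shows the racy `launch` + configure sequence beside the `init` + configure + `start` sequence, plus a post-start check that the three flags from the PR are actually stored on the container. It assumes the `incus` CLI is on `PATH`; the container name and image alias are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the coi project. Demonstrates why nested-Docker
# flags must be applied before the container's first boot.
# Assumption: `incus` is installed and the image alias passed in exists.

# The three flags the PR sets for Docker / nested container support.
DOCKER_SUPPORT_FLAGS="security.nesting=true security.syscalls.intercept.mknod=true security.syscalls.intercept.setxattr=true"

# Racy variant (the behaviour the PR removes): the container boots first, so
# its seccomp profile is generated without the syscall interception rules and
# Docker Compose hits the sysctl "permission denied" error until a restart.
launch_then_configure() {
    name="$1"; image="$2"
    incus launch "$image" "$name" || return 1
    for kv in $DOCKER_SUPPORT_FLAGS; do
        incus config set "$name" "${kv%=*}" "${kv#*=}" || return 1
    done
}

# Correct variant: `init` creates the container without starting it, the flags
# are written while it is stopped, and `start` then boots it with a seccomp
# profile that already contains the interception rules.
init_configure_start() {
    name="$1"; image="$2"
    incus init "$image" "$name" || return 1
    for kv in $DOCKER_SUPPORT_FLAGS; do
        incus config set "$name" "${kv%=*}" "${kv#*=}" || return 1
    done
    incus start "$name" || return 1
}

# Post-start check: every flag must read back as "true" from the stored config.
# Returns non-zero (and names the missing key on stderr) if any flag is absent.
verify_docker_flags() {
    name="$1"
    for kv in $DOCKER_SUPPORT_FLAGS; do
        key="${kv%=*}"
        val="$(incus config get "$name" "$key")" || return 1
        [ "$val" = "true" ] || { echo "flag $key not set on $name" >&2; return 1; }
    done
}

# Stand-alone usage: sh this_file.sh <container-name> <image-alias>
if [ "$#" -eq 2 ]; then
    init_configure_start "$1" "$2" && verify_docker_flags "$1"
fi
```

`verify_docker_flags` only proves the keys are stored, which is what a flags-enabled test can check without starting a workload; the description's `test_docker_compose_works.py` is the check that the resulting seccomp profile actually lets Compose run.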

mensfeld added 2 commits March 2, 2026 10:53

Session containers created via `coi shell` never called
`enableDockerSupport()`, so Docker Compose failed with sysctl
permission errors (net.ipv4.ip_unprivileged_port_start). Also changed
`LaunchContainer`/`LaunchContainerPersistent` from `incus launch` +
configure to `incus init` + configure + `incus start` to eliminate a
race condition where security flags were set after boot.

- Export `enableDockerSupport` as `EnableDockerSupport`
- Add `EnableDockerSupport` call in session/setup.go before first boot
- Fix LaunchContainer/LaunchContainerPersistent to use init+configure+start
- Add Docker Compose integration test

The `docker compose ps --format json` output goes to stderr when
piped through `coi container exec`, so check both streams.
@mensfeld mensfeld merged commit 45602af into master Mar 2, 2026
12 checks passed
@mensfeld mensfeld deleted the fix/docker-compose-session-containers branch March 2, 2026 10:28