Ubuntu 24 and ubuntu 22(rare) problem with unknow capability CAP_PERFMON

[langerc]

If i run the container on the latest docker on latest ubuntu 24.04 the rabbitmq container can not be started.

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: container_linux.go:349: starting container process caused "unknown capability "CAP_PERFMON"": unknown

I tried alpine and ubuntu images of rabbitmq. This happens on all ubuntu 24 - and on some 22 as well. I have several ubuntu 22 where the container is working like a charm.
All other containers (tomcat, some other java related containers) work on the same machine like a charm just rabbitmq is not.

If i do a "new" install for ubuntu 22 it usually works.
If i do a new install for ubuntu 24 it does not work from the start.

I use docker 27.2.1
Rabbitmq 3.13.7

I also tried CapAdd but there was no change.

The container is up in promiscous mode so it should not be a permission problem

The image is created but can not be started

any ideas?

[lukebakken]

This feels like a Ubuntu or docker issue, not one that is specific to this image (search).

When I have time this week, I will double-check using my Ubuntu and Arch Linux envs.

@tianon, no rush, but anything to add?

[langerc]

Well its definetly connected to your image all other docker images and there are countless work like a charm. Your image works on almost all of the current ubunut (i got like 20 running, 2 have problems on obuntu 22) the new ones break all the times.
Can be a docker issue - but could be about the settings you require from docker as well.

I did a week of reserch could find people who have this problem with docker and even some with rabbit - no solution so far.

[lukebakken]

Can be a docker issue - but could be about the settings you require from docker as well.

Everything you need to check is in this repository -
https://github.com/docker-library/rabbitmq/blob/master/Dockerfile-ubuntu.template

There is nothing complicated about the build, or anything "required" from Docker.

[michaelklishin]

@langerc even if it is somehow "connected", it's on you to prove that, not on the maintainers of this image to prove the contrary.

You did a week of research and only have a couple of sentences that come down to "it does not work the way I expect" to share? I'm afraid we won't spend another week guessing what specifically you are trying to do.

[michaelklishin]

A very quick search suggests it is a known phenomenon with certain container engines and it affects "privileged containers" ("privileged pods") only, so the difference with "other images that work like a charm" can be that they do not run as privileged.

It even affects parts of Kubernetes.

cri-o/cri-o#4478, kubernetes-sigs/kind#2058, opencontainers/runtime-spec#1094, k3s-io/k3s#3296

[tianon]

To add to this -- I don't think there's any compelling reason to run RabbitMQ containers with "privileged" permissions. If there's some specific capability/permission necessary for a given use case, that permission should be added directly (using "privileged" is a catch-all hammer that disables most of the security properties of the container).

[langerc]

Removing privileged solved my problem. I did not think about removing it because other forums even suggested to add it to get rid of the CAP_PERFMON error.

The container is starting and working like a charm now. With ubuntu 22 and ubuntu 24.

Thank you for your input!!!