Privileged container Issue with python3-docker package on Ubuntu 22.04

[ninja9k1]

I have the following system:

Salt Version:
          Salt: 3005.1

Dependency Versions:
          cffi: Not Installed
      cherrypy: Not Installed
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.0.3
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.3
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: 3.11.0
        pygit2: Not Installed
        Python: 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0]
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 22.3.0
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: ubuntu 22.04 Jammy Jellyfish
        locale: utf-8
       machine: x86_64
       release: 5.15.0-1028-aws
        system: Linux
       version: Ubuntu 22.04 Jammy Jellyfish

I have come across an issue where using:

docker:
  pkg:
    docker:
      # choice is 'archive' (default) or 'repo' (yum/apt)
      use_upstream: repo
  containers:
    running:
      - mycontainer
    mycontainer:
      privileged: true
      cap_add:
        - ALL

Results in not being able to run privileged containers. I have done the following things:

1. Installed docker-ce manully from apt repository: container works
2. Installed docker.io manually from apt repository: container works
3. Use docker formula with the above configuration and I am getting:

Created container 'mycontainer'. Failed to start container 'mycontainer': 'Error 500: failed to create shim task: OCI runtime create failed: container_linux.go:349: starting container process caused "unknown capability \"CAP_PERFMON\"": unknown'.

I compared all the packages and I discovered that the python3-docker package is responsible for this issue which you will find below.

Manual install with apt install docker.io, mycontainer works:

ii  containerd                       1.5.9-0ubuntu3.1                        amd64        daemon to control runC
ii  docker.io                        20.10.12-0ubuntu4                       amd64        Linux container runtime

Manual install with apt install docker-ce, mycontainer works:

ii  containerd.io                    1.6.18-1                                amd64        An open and reliable container runtime
ii  docker-ce                        5:23.0.1-1~ubuntu.22.04~jammy           amd64        Docker: the open-source application container engine

Install with docker salt formula, mycontainer does not work:

ii  containerd.io                    1.6.18-1                                amd64        An open and reliable container runtime
ii  docker-ce                        5:23.0.1-1~ubuntu.22.04~jammy           amd64        Docker: the open-source application container engine
ii  python3-docker                   5.0.3-1                                 all          Python 3 wrapper to access docker.io's control socket

If I remove the python3-docker package after the salt state has ran for the docker formula, I am presented with this error:

----------
          ID: docker-containers-crowdstrike-running
    Function: docker_container.running
        Name: crowdstrike
      Result: False
     Comment: State 'docker_container.running' was not found in SLS 'docker.containers.running'
              Reason: 'docker_container' __virtual__ returned False: 'docker.version' is not available.
     Changes:

I wanted to know if anybody else has experienced this issue and if they have, what they've done to resolve it.

[ninja9k1]

I have changed from repo to archive and came across a similar error:

Comment: Container 'mycontainer' is already configured as specified. Failed to start container 'mycontainer': 'Error 500: cgroups: cgroup mountpoint does not exist: unknown'.

Which has lead me to perform the following:

sudo mkdir /sys/fs/cgroup/systemd
sudo mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd

Which now allows the container to run.