Description
I have Ubuntu focal based devices with long-term support. We are using the moby-* packages from https://packages.microsoft.com/ubuntu/20.04/prod. The systems run unattended upgrades so receive updates without intervention. They are also running Microsoft's aziot-edged.service which is orchestrating containers on the system.
On 19 June, 2026, we saw moby-runc upgrade from 1.4.2-ubuntu20.04u1 to 1.4.3-ubuntu20.04u1, at which time, all containers failed to start. We quickly set the devices back to 1.4.2 and apt-mark hold moby-runc to get things back to operational.
I finally had an opportunity to investigate more thoroughly today and found the problem was really easy to reproduce as all docker run ... commands failed.
Reproduce
root@SOLU220609002:~# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
4f55086f7dd0: Pull complete
Digest: sha256:96498ffd522e70807ab6384a5c0485a79b9c7c08ca79ba08623edcad1054e62d
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: can't mask dir "/proc/acpi": mount src=tmpfs, dst=/proc/acpi, flags=MS_RDONLY, data=nr_blocks=1,nr_inodes=1: invalid argument
Run 'docker run --help' for more information
Expected behavior
Hello-world normal output.
docker version
Client:
Version: 29.6.0-1
API version: 1.55
Go version: go1.26.4
Git commit: fb59821d450bc76c97e52617f66dde0c6035e332
Built: Fri Jun 19 11:16:30 2026
OS/Arch: linux/amd64
Context: default
Server:
Engine:
Version: 29.6.0-1
API version: 1.55 (minimum version 1.40)
Go version: go1.26.4
Git commit: 70eaf5ef6f274623ddcca8eb634ccf7cba15cbc5
Built: Fri Jun 19 11:18:13 2026
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 2.3.2-1
GitCommit: fff62f14765df376e5fc36f5a8f8e795b5670f61
runc:
Version: 1.5.0-1
GitCommit: c4bb59526d0c9cf3a3a46a04d08ca031749a2119
docker-init:
Version: 0.19.0
GitCommit:
docker info
Client:
Version: 29.6.0-1
Context: default
Debug Mode: false
Server:
Containers: 4
Running: 0
Paused: 0
Stopped: 4
Images: 6
Server Version: 29.6.0-1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: fff62f14765df376e5fc36f5a8f8e795b5670f61
runc version: c4bb59526d0c9cf3a3a46a04d08ca031749a2119
init version:
Security Options:
apparmor
seccomp
Profile: builtin
Kernel Version: 5.4.0-216-generic
Operating System: Ubuntu 20.04.6 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.726GiB
Name: SOLU220609002
ID: ec60c6ff-cf8b-4327-a6e8-d174a9c83f82
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 30
Goroutines: 47
System Time: 2026-06-26T20:52:52.178877141Z
EventsListeners: 0
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
Firewall Backend: iptables
EnableUserlandProxy: true
UserlandProxyPath: /usr/libexec/docker/docker-proxy
WARNING: No swap limit support
WARNING: Support for cgroup v1 is deprecated and planned to be removed by no later than May 2029 (https://github.com/moby/moby/issues/51111)
Additional Info
If run with --security-opt systempaths=unconfined, the command works:
root@SOLU220609002:~# docker run --rm --security-opt systempaths=unconfined hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
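Added example, not part of the original report: `--security-opt systempaths=unconfined` starts the container without Docker's default masked and read-only /proc and /sys paths, so any device where the workaround was applied is worth auditing afterwards. The sketch below assumes `docker inspect` JSON exposes `HostConfig.MaskedPaths`, `HostConfig.ReadonlyPaths` and `HostConfig.Privileged`; the container names and the sample data are constructed.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields used here.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/edge-agent", "HostConfig": {
        "Privileged": False,
        "MaskedPaths": ["/proc/acpi", "/proc/kcore", "/sys/firmware"],
        "ReadonlyPaths": ["/proc/bus", "/proc/sys"]}},
    # What a container started with systempaths=unconfined is assumed to look like.
    {"Name": "/hello-workaround", "HostConfig": {
        "Privileged": False, "MaskedPaths": [], "ReadonlyPaths": []}},
    {"Name": "/diag", "HostConfig": {
        "Privileged": True, "MaskedPaths": None, "ReadonlyPaths": None}},
])


def audit_system_paths(inspect_json, required_masked=("/proc/acpi",)):
    """Return {container: [findings]} for containers whose /proc and /sys
    confinement is weaker than the default (missing masks, privileged)."""
    findings = {}
    for container in json.loads(inspect_json):
        host = container.get("HostConfig") or {}
        masked = host.get("MaskedPaths") or []      # null and [] both mean "none"
        readonly = host.get("ReadonlyPaths") or []
        issues = []
        if host.get("Privileged"):
            issues.append("privileged")
        if not masked:
            issues.append("no masked paths")
        else:
            missing = [p for p in required_masked if p not in masked]
            if missing:
                issues.append("unmasked: " + ", ".join(missing))
        if not readonly:
            issues.append("no read-only paths")
        if issues:
            findings[container.get("Name", "?").lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_system_paths(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(issues)}")
```

To audit a real host, pass the output of `docker inspect` for all containers to `audit_system_paths` instead of the sample.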