Ask questionsRootless Docker fails at detecting root-requiring overlay support

<!-- This issue tracker is for bug reports and feature requests. For questions, and getting help on using docker:

  • Docker documentation -
  • Docker Forums -
  • Docker community Slack - (register here:
  • Post a question on StackOverflow, using the Docker tag -->
  • [x] This is a bug report
  • [ ] This is a feature request
  • [x] I searched existing issues before opening this one

<!-- DO NOT report security issues publicly! If you suspect you discovered a security issue, send your report privately to -->

Expected behavior

Rootless Docker detection of filesystem support should exclude CentOS's implementation of overlay as it requires root to work

Actual behavior

Rootless Docker detects the overlay kernel module is loaded and assumes it will work causing runtime failures

Steps to reproduce the behavior

<!-- Describe the exact steps to reproduce. If possible, provide a minimum reproduction example; take into account that others do not have access to your private images, source code, and environment.

REMOVE SENSITIVE DATA BEFORE POSTING (replace those parts with "REDACTED") --> I worked with the docker:dind-rootless image team on docker-library/docker#193 to work this out.


  • sudo modprobe overlay
  • ./ --experimental
  • docker -H unix:///run/user/1000/docker.sock run -ti alpine

docker: Error response from daemon: error creating overlay mount to /home/brian/.local/share/docker/overlay/918283926d7ce7e89ed73b6b17034793980a11b4f07534ba411bd54ee177dece-init/merged: operation not permitted.

I believe the problem lies with which doesn't check the return of the mount attempt to see if there was an error.

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.4
 API version:       1.40
 Go version:        go1.12.10
 Git commit:        9013bf583a
 Built:             Fri Oct 18 15:52:22 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
  Version:          19.03.4
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.10
  Git commit:       9013bf583a
  Built:            Fri Oct 18 15:50:54 2019
  OS/Arch:          linux/amd64
  Experimental:     true
  Version:          1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

 Debug Mode: false

 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 19.03.4
 Storage Driver: overlay
  Backing Filesystem: xfs
  Supports d_type: true
 Logging Driver: json-file
 Cgroup Driver: none
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
   Profile: default
 Kernel Version: 3.10.0-1062.4.1.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.701GiB
 Name: localhost.localdomain
 Docker Root Dir: /home/brian/.local/share/docker
 Debug Mode: false
 Experimental: true
 Insecure Registries:
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
WARNING: the overlay storage-driver is deprecated, and will be removed in a future release.

Additional environment details (AWS, VirtualBox, physical, etc.) This testing has been done entirely on CentOS 7 VMs using various hypervisors


Answer questions Caligatio

PR is now at moby/moby#40131


Related questions

cgroups: cannot found cgroup mount destination: unknown hot 4
[openvpn] ERROR: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network hot 2
Error grabbing logs: invalid character '\x00' looking for beginning of value hot 2
apparmor: config provided but apparmor not supported hot 2
docker 18.03.1-ce network not working on Deepin 15.7 - socket permission denied hot 2
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? hot 2
Docker Randomly Crashes - (rpc error: code = Unavailable desc = transport is closing) hot 2
yum install docker failing hot 1
Incorrect Ubuntu Bionic InRelease file hot 1
17.06.0 on Ubuntu - Docker system service fails to start. hot 1
Docker-CE package is missing for Ubuntu 19.10 "Eoan" hot 1
docker build slow due to slow docker-untar (not using server capacity) hot 1
Docker-CE package is missing for Ubuntu 19.10 "Eoan" hot 1
Failed install on Ubuntu bionic 18.04 in WSL hot 1
Error response from daemon: failed to listen to abstract unix socket "/containerd-shim/moby/<uuid>/shim.sock": listen unix /containerd-shim/moby/<uuid>/shim.sock: bind: address already in use: unknown hot 1
Github User Rank List