I ran into an error the other day in a Github action that involves the building of a Docker image:
ERROR: Cannot start service xxxxx: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "/docker-entrypoint.sh": permission denied: unknown.
While it is easily understood that the issue here is the script docker-entrypoint.sh was not made executable, I had no idea what a shim was. A journey of Google searching then started.
What is a shim
In software engineering, a shim is a general concept that refers to a component which acts as an intermediary or compatibility layer between two incompatible interfaces or components. The term is sometimes used interchangeably with an adapter or a driver, but depending on the specific context, there could be slight technical differences in their meanings. These differences can vary based on the software domain or the specific technologies involved.
Here is a cartoonized explanation of a shim, where the concept of a shim is demonstrated by the fairy dog mother.
What was the error about
Docker Engine uses containerd as the container manager for managing the container lifecycle. By default, containerd uses runc as its container runtime.
The failed to create shim task error originated from containerd. The containerd shim refers to a component in the containerd that serves as an intermediary between the containerd runtime/manager and the lower-level container runtime used to execute containers, such as runc. It helps to abstract and manage the interactions between the two counterparts and is required for proper integrations of the two.
See this blog for a fantastic illustration of how a containerd shim fits into the Docker architecture.
Additional readings
There’s a lot more information and materials around these topics that could be further explored, some of which that helped me were:
- Open Container Initiative (OCI): an open governance structure which has developed specifications of industry standards on container formats and runtimes.
- runc: a CLI tool, donated by Docker to the OCI, for spawning and running containers on Linux according to the OCI specifications.
- containerd: open source container runtime used by Docker. It manages the container lifecycle, such as creating, starting, and stopping containers.
- alternative Docker container runtimes: use any other container runtime that implements the containerd shim API.
- Ivan Velichko’s blog on Implementing Container Runtime Shim.
Bonne lecture!