Message boards : ATLAS application : ATLAS native tasks failing with computation error after Docker upgrade — tmpfs FIX (solved locally)
superkali
Joined: 25 Mar 24
Posts: 7
Credit: 1,216,751
RAC: 564
Message 53327 - Posted: 28 Mar 2026, 19:25:39 UTC

Hi all,
I'm running LHC@home on Kubuntu 24.04 with BOINC 8.2.9 and recently resolved a complete breakdown of ATLAS task completion following an upgrade from docker.io to docker-ce 29.x. Posting here because I see others hitting the same wall.
The symptom
ATLAS tasks fail with "computation error." Tasks may die immediately or run to 100% then fail. No credits awarded. In the task's stderr output you will find:
mount: /var/www/lighttpd: cannot mount tmpfs read-only
The cause
Docker 29.x tightened its default security profiles. Containers now launch without CAP_SYS_ADMIN unless explicitly requested. The ATLAS wrapper runs a lighttpd instance inside the container to serve simulation results back to BOINC. Lighttpd needs to mount a tmpfs filesystem internally — which requires CAP_SYS_ADMIN. Without it, lighttpd cannot start, results cannot be delivered, and the task fails.
This is not AppArmor. Not Landlock. Not seccomp. It is a missing container capability introduced by the docker-ce 29.x default profile change.
Why cc_config.xml doesn't help
You may find references to a docker_container_options directive in cc_config.xml. This field does not exist in the BOINC codebase — it is not parsed and has no effect. A feature request to implement it has been filed as BOINC GitHub issue #6931 and is currently assigned to the BOINC client developer and the LHC@home project contact at CERN.
The fix
Deploy a wrapper script at /usr/bin/docker that intercepts docker run and docker create calls and injects --privileged automatically. The --user flag sets the container to run as boinc:boinc so output files are created with correct ownership — without this they come out as root:root and BOINC cannot move them from the slot directory.
Protect the wrapper from being overwritten by future docker-ce package upgrades using dpkg-divert:
sudo dpkg-divert --divert /usr/bin/docker.real --rename /usr/bin/docker
Then place your wrapper script at /usr/bin/docker. After any docker-ce upgrade, the new binary installs to /usr/bin/docker.real and the wrapper is untouched.
Verify
Confirm the first line of /usr/bin/docker is a bash shebang, then re-enable LHC@home tasks and confirm the next ATLAS task completes and uploads successfully.
Tested on: Kubuntu 24.04, BOINC 8.2.8 and 8.2.9, docker-ce 29.2.1 and 29.3.0.
Full documentation including wrapper script source: github.com/black-vajra/boinc-devel
ID: 53327
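The wrapper described in the post, written out as an added example: this is not the author's script from the linked repository and not part of the original post. The `DOCKER_WRAP_USER` and `DOCKER_WRAP_DRYRUN` variables and the `docker_wrap` function are names assumed here, and the example also covers the long forms `docker container run` and `docker container create`, which the post does not mention.

```bash
#!/bin/bash
# Added example, not the author's script. Install as /usr/bin/docker after the
# dpkg-divert step; the real binary then lives at /usr/bin/docker.real.
# Every container started through this path is launched with --privileged.
REAL=/usr/bin/docker.real
# Assumption: the post only says the container runs as boinc:boinc. Docker
# resolves names inside the image, so a numeric host uid:gid may be needed.
USERSPEC=${DOCKER_WRAP_USER:-boinc:boinc}

# docker_wrap MODE ARGS...
#   MODE=dry  : print the rewritten argv, one argument per line
#   MODE=exec : replace this process with the real docker binary
docker_wrap() {
    local mode sub
    mode=$1; shift
    case "${1:-}" in
        run|create)
            sub=$1; shift
            # Inject right after the subcommand so caller flags still follow.
            set -- "$sub" --privileged --user "$USERSPEC" "$@" ;;
        container)
            case "${2:-}" in
                run|create)
                    sub=$2; shift 2
                    set -- container "$sub" --privileged --user "$USERSPEC" "$@" ;;
            esac ;;
    esac
    if [ "$mode" = dry ]; then
        printf '%s\n' "$@"
    else
        exec "$REAL" "$@"
    fi
}

# Dry run: DOCKER_WRAP_DRYRUN=1 docker run --rm img
# A call with no arguments does nothing instead of printing docker's usage.
if [ -n "${DOCKER_WRAP_DRYRUN:-}" ]; then
    docker_wrap dry "$@"
elif [ "$#" -gt 0 ]; then
    docker_wrap exec "$@"
fi
```

All other subcommands (`ps`, `images`, `logs`, and so on) pass through to `/usr/bin/docker.real` unchanged.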