Valerio's CaveKind on Rootless Docker Does Not Work on openSUSE Leap:Deep Analysis and the Definitive Fix
Kind on Rootless Docker Does Not Work on openSUSE Leap
Full analysis of the “Delegate=yes” issue and the definitive solution
In this article I analyze a real case on openSUSE Leap where kind
fails during the creation of a Kubernetes cluster using rootless Docker,
showing the well-known error:
ERROR: failed to create cluster: running kind with rootless provider requires setting systemd property "Delegate=yes"
The message seems to indicate that Delegate=yes is not configured, but the real issue is deeper: cgroup controller delegation.
Let’s walk step-by-step through how I reached the correct diagnosis and the final solution.
Context
- Distribution: openSUSE Leap (latest available release)
- Configuration:
- Rootless Docker enabled
- cgroup v2 active
- kind installed via Go (
~/go/bin/kind)
- Correct environment variables:
XDG_RUNTIME_DIR=/run/user/1000
DOCKER_HOST=unix:///run/user/1000/docker.sockDespite this, the cluster would not be created.
First check: cgroup v2
Kind in rootless mode requires cgroup v2:
docker info --format '{{.CgroupVersion}}'
Output:
2
Verifying Delegate=yes in systemd
systemctl show "user@$(id -u).service" -p Delegate
Output:
Delegate=yes
But kind kept failing anyway.
Analysis of the actually delegated cgroup controllers
Check:
cat /sys/fs/cgroup/user.slice/cgroup.controllers
Output:
cpuset cpu io memory pids
Then:
cat /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.controllers
Output:
pids
And:
cat /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.subtree_control
Output:
pids
Here the real problem becomes clear: only pids is delegated, not cpu, memory, io, cpuset.
Kind requires at least cpu and memory to run in rootless mode.
If it cannot find them, it displays the misleading error referring to
“Delegate=yes”.
Alternative attempt: running in a dedicated scope
systemd-run --scope --user -p "Delegate=yes" kind create cluster
Same failure → further confirmation that the issue is with cgroup controllers.
Definitive solution: explicit delegation of controllers
sudo mkdir -p /etc/systemd/system/user@.service.d
cat << 'EOF' | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
[Service]
Delegate=cpu cpuset io memory pids
EOF
sudo systemctl daemon-reload
sudo rebootAfter reboot:
systemctl show "user@$(id -u).service" -p Delegate
Output:
Delegate=cpu cpuset io memory pids
And most importantly:
cat /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.controllers
Correct output:
cpu cpuset io memory pids
Restarting rootless Docker
systemctl --user restart docker
Kind works
kind create cluster
Cluster created successfully.
kind create cluster
Creating cluster "kind" ...
✓ Ensuring node image (kindest/node:v1.34.0) 🖼
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-kind"
You can now use your cluster with:
kubectl cluster-info --context kind-kind
Have a nice day! 👋Conclusions
The message:
requires setting systemd property "Delegate=yes"
appears even when Delegate is already set, because kind checks the actually delegated controllers.
openSUSE Leap delegates only pids by default, so you must explicitly delegate:
Delegate=cpu cpuset io memory pids
to allow rootless Docker to run the containers needed by kind.
Full solution code
sudo mkdir -p /etc/systemd/system/user@.service.d
cat << 'EOF' | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
[Service]
Delegate=cpu cpuset io memory pids
EOF
sudo systemctl daemon-reload
sudo reboot