support or disable direct unpack when running in userns #3762
Comments
PR to disable direct unpack: #3763
`OverlayConvertWhiteout` calls `mknod c 0 0`, which is not allowed when running in a user namespace, even in the Ubuntu kernel. Although there is an alternative hacky way to create whiteouts without calling mknod, as Moby `overlay2` actually does (see containerd#3762), let's use the naive applier when running in UserNS and call it a day.
Close containerd#3762
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
`OverlayConvertWhiteout` calls `mknod c 0 0`, which is not allowed when running in a user namespace, even in the Ubuntu kernel. Although there is an alternative hacky way to create whiteouts without calling mknod, as Moby `overlay2` actually does (see containerd#3762), let's use the naive applier when running in UserNS and call it a day.
Close containerd#3762
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit c224edc)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Update the runc vendor to v1.0.0-rc9, which includes an additional mitigation for [CVE-2019-16884](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884).
  - More details on the runc CVE in opencontainers/runc#2128, and the additional mitigations in opencontainers/runc#2130.
* Add local-fs.target to the service file to fix corrupt images after an unexpected host reboot. Reported in containerd#3671, and fixed by containerd#3745.
* Fix large output of processes with a TTY getting occasionally truncated. Reported in containerd#3738 and fixed by containerd#3754.
* Fix direct unpack when running in a user namespace. Reported in containerd#3762, and fixed by containerd#3779.
* Update the Golang runtime to 1.12.13, which includes security fixes to the `crypto/dsa` package made in Go 1.12.11 ([CVE-2019-17596](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596)), and fixes to the go command, `runtime`, `syscall` and `net` packages (Go 1.12.12).
* Add Windows process shim installer: containerd#3792
* CRI fixes:
  - Fix the shim delete error code to avoid unnecessary retries in the CRI plugin. Discovered in containerd/cri#1309, and fixed by containerd#3733 and containerd#3740.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In case anyone else reads this, I faced the same issue with containerd 1.3.3 running in a kata pod; it turned out it was to do with
I don't think you should use root on a tmpfs -- your state won't get saved on machine restart and will cause unexpected behavior when trying to start the containerd service.
It fails in a user namespace with an error.
@AkihiroSuda how can I get this to work within the user namespace?
@mathis-m Could you open a new issue with details (minimum repro steps, host kernel version, filesystem, etc.)?
Description
Direct unpack, added in #3528 (v1.3.0), doesn't work well when running in a user namespace:
The error happens because a whiteout cannot be created with `mknod` in a user namespace. The Moby implementation supports creating whiteouts in a hacky alternative way:
https://github.com/moby/moby/blob/a8b04b17fd37ed797e34bea6534d307929c6337b/pkg/archive/archive_linux.go#L122-L175
Steps to reproduce the issue:
Describe the results you received:
failed to convert whiteout file "etc/ca-certificates/.wh..wh..opq": operation not permitted: unknown
Describe the results you expected:
It should either support or disable direct unpack
Output of `containerd --version`: 1.3.0
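The decision that #3763 makes, as an added example that is not containerd's or Moby's code: detect a user namespace from /proc/self/uid_map (the initial namespace maps the full uid range as "0 0 4294967295"), pick the naive applier there, and otherwise attempt the `mknod c 0 0` that `OverlayConvertWhiteout` relies on so the EPERM from the report can be observed. The function names and the detection helper are my own assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// parseUserNS decides from the text of /proc/self/uid_map whether the caller
// is inside a user namespace: the initial namespace maps the whole uid range
// 1:1 as "0 0 4294967295"; any other mapping means a userns.
func parseUserNS(uidMap string) bool {
	f := strings.Fields(uidMap)
	if len(f) != 3 {
		return true // multi-line, empty or unusual map: treat as a userns
	}
	return !(f[0] == "0" && f[1] == "0" && f[2] == "4294967295")
}

// ChooseApplier is the policy from #3763: direct overlay whiteout conversion
// only outside a userns, the naive (non-mknod) applier inside one.
func ChooseApplier(inUserNS bool) string {
	if inUserNS {
		return "naive"
	}
	return "overlay"
}

// overlayWhiteout does what OverlayConvertWhiteout relies on: an overlayfs
// whiteout is a character device 0:0 ("mknod c 0 0"), which the kernel
// refuses with EPERM inside a user namespace.
func overlayWhiteout(path string) error {
	if err := syscall.Mknod(path, syscall.S_IFCHR|0600, 0); err != nil {
		return fmt.Errorf("mknod c 0 0 %s: %w", path, err)
	}
	return nil
}

func main() {
	data, _ := os.ReadFile("/proc/self/uid_map") // nil on error: treated as userns
	inUserNS := parseUserNS(string(data))
	fmt.Printf("user namespace: %v -> applier: %s\n", inUserNS, ChooseApplier(inUserNS))
	p := filepath.Join(os.TempDir(), ".wh.example") // constructed sample path
	defer os.Remove(p)
	if err := overlayWhiteout(p); err != nil {
		fmt.Println("direct whiteout failed as in the report:", err)
	}
}
```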