
can't run container in container for reason 'failed to mount /tmp/containerd-mount: read-only file system' #4236

Closed
yylt opened this issue May 7, 2020 · 4 comments

@yylt (Contributor)

yylt commented May 7, 2020

Mounted ctr and the containerd sock file into a container, and tried ctr run in the container, but it failed.

Steps to reproduce the issue:

  1. In the host terminal: ctr run --privileged -t --mount type=bind,src=/home/xxx/gopath/bin,dst=/usr/local/bin,options=rbind:ro --mount type=bind,src=/run,dst=/run,options=rbind:ro kubernetes-entrypoint:v0.3.1 foo bash
  2. In container foo, try to run another container: ctr run --mount type=bind,src=/tmp,dst=/tmp,options=rbind:ro docker.io/library/busybox:glibc bar sh

Describe the results you received:
ctr: failed to mount /tmp/containerd-mount369866465: read-only file system

Describe the results you expected:
success

Output of containerd --version:

$ ./bin/containerd -v
containerd github.com/containerd/containerd v1.3.0-540-gb1f51464 b1f514641f328ad20d0444ad3837947105c76434

Any other relevant information:

@yylt yylt added the kind/bug label May 7, 2020
@cpuguy83 (Member)

Seems like you've mounted /run into the container, which means ctr will be trying to talk to containerd on the host.
This doesn't work without very careful setup.

In docker, the docker daemon is responsible for setting up the container.
With containerd, this responsibility is on the client (or ctr in this case).
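An added check, written for this page and not code from the issue or from containerd: it parses ctr's `--mount type=bind,src=...,dst=...,options=...` syntax and flags bind mounts that expose the host's containerd socket (or all of /run, as in the reproduction above) to a container. The socket paths are containerd's usual defaults and are an assumption about the host.

```python
"""Audit ctr-style --mount specs for exposure of the host containerd endpoint."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed defaults: paths whose exposure gives a container a client view of the
# host daemon. Adjust if your containerd is configured with a different socket.
HOST_CONTROL_PATHS = (
    "/run",
    "/run/containerd",
    "/run/containerd/containerd.sock",
    "/var/run/containerd/containerd.sock",
)


@dataclass
class Mount:
    type: str
    src: str
    dst: str
    options: List[str]


def parse_mount(spec: str) -> Mount:
    """Parse one ctr --mount value, e.g. 'type=bind,src=/run,dst=/run,options=rbind:ro'."""
    fields: Dict[str, str] = {}
    for part in spec.split(","):
        if "=" not in part:
            raise ValueError(f"malformed mount field: {part!r}")
        key, value = part.split("=", 1)
        fields[key] = value
    opts = fields.get("options", "")
    return Mount(type=fields.get("type", "bind"), src=fields.get("src", ""),
                 dst=fields.get("dst", ""), options=[o for o in opts.split(":") if o])


def _covers(mount_src: str, target: str) -> bool:
    """True if bind-mounting mount_src makes target reachable inside the container."""
    src = mount_src.rstrip("/") or "/"
    return src == "/" or target == src or target.startswith(src + "/")


def audit(mount_specs: List[str], privileged: bool = False) -> List[dict]:
    """Return one finding per bind mount that exposes a host control path.

    'ro' is recorded but does not mitigate: a Unix socket is connected to,
    not written as a file, so a read-only bind still lets a client drive
    the host daemon.
    """
    findings = []
    for spec in mount_specs:
        m = parse_mount(spec)
        if m.type != "bind":
            continue
        if any(_covers(m.src, p) for p in HOST_CONTROL_PATHS):
            findings.append({"src": m.src, "dst": m.dst,
                             "read_only": "ro" in m.options, "privileged": privileged})
    return findings
```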


yylt commented May 19, 2020

In fact, it failed in this function:

func WithAdditionalGIDs(userstr string) SpecOpts {

If the containerd daemon checked the validity of the user and group written in the image, ctr run would succeed.

@cpuguy83 should it be implemented as a feature?

@cpuguy83 (Member)

@yylt The design of containerd is that clients should be local to the daemon. Running a client in a container is effectively non-local without some very specific configuration (which will vary depending on what you are trying to do).

Also, please note that ctr exists for debugging/trying things out, it is considered a non-stable interface.

@dmcgowan (Member)

The question here seems to be solved. Please feel free to follow up on Slack regarding running clients not directly on the host.
