What is the problem you're trying to solve
We have reworked the implementation of userns in Kubernetes and now we rely on idmap mounts even for stateless pods (stateful pods are not yet supported, but coming soon).
This means the kubelet will now send a mapping to use for the mounts and containerd needs to pass these mappings down to the OCI runtime.
idmap mounts were added to the runtime-spec here: opencontainers/runtime-spec#1143
runc support is expected for v1.2: opencontainers/runc#3717
crun supports this since v1.8.1.
Describe the solution you'd like
I propose the following solution that seems straightforward:
1. Update the cri-api to vendor it from k8s 1.27, which has the new field for the mappings in the CRI API.
2. Pass down the mappings we received in the CRI mounts to the config.json we pass to the OCI runtime. For that we need to modify just these functions: WithMounts() from pkg/cri/opts/spec_linux_opts.go; volumeMounts() from pkg/cri/server/container_create.go, to do it also for volumes from the image (VOLUME keyword in the Dockerfile); containerMounts() from pkg/cri/server/container_create_linux.go.
3. Update script/setup/runc-version to use runc 1.2 when that is released.
There is one tricky aspect, and it is that the runtime-spec mandates that unrecognized fields are ignored, but if we start a container with userns and the idmap mounts are ignored (this can happen with runc 1.1, for example) then the files created in the volumes will have garbage for their UID/GID, as it will be the hostUID/hostGID the userns is mapping.
Can we really trust distros will not update to containerd 1.8 without also updating runc to 1.2? Or shall we worry about that case and try to detect it in some way?
Additional context
No response
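The conversion described above, as an added example that is not containerd's own code: it carries the CRI mount uid/gid mappings into the OCI mount fields and fails closed when the runtime is not known to support idmapped mounts, which is the "silently ignored fields" failure mode the issue worries about. The struct types are local stand-ins for the cri-api and runtime-spec types (assumed field names), and `runtimeSupportsIDMap` is an assumed input from a separate capability probe (for instance the runtime's features report), not something this block performs.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins for the CRI Mount/IDMapping and OCI Mount/LinuxIDMapping
// types (assumption: only the fields used here matter).
type criIDMapping struct{ ContainerId, HostId, Length uint32 }
type criMount struct {
	ContainerPath, HostPath  string
	UidMappings, GidMappings []*criIDMapping
}
type ociIDMapping struct{ ContainerID, HostID, Size uint32 }
type ociMount struct {
	Destination, Source, Type string
	Options                   []string
	UIDMappings, GIDMappings  []ociIDMapping
}

var errNoIDMapSupport = errors.New("mount requests idmapping but the OCI runtime does not support idmapped mounts")

// convertIDMappings translates CRI mappings (host_id/container_id/length)
// into the runtime-spec shape (hostID/containerID/size).
func convertIDMappings(in []*criIDMapping) []ociIDMapping {
	out := make([]ociIDMapping, 0, len(in))
	for _, m := range in {
		out = append(out, ociIDMapping{ContainerID: m.ContainerId, HostID: m.HostId, Size: m.Length})
	}
	return out
}

// toOCIMounts builds OCI mounts from CRI mounts. If a mount carries mappings
// but the runtime is not known to honour them, it returns an error rather than
// letting the runtime drop the unknown fields and write host-UID-owned files.
func toOCIMounts(mounts []*criMount, runtimeSupportsIDMap bool) ([]ociMount, error) {
	out := make([]ociMount, 0, len(mounts))
	for _, m := range mounts {
		mapped := len(m.UidMappings) > 0 || len(m.GidMappings) > 0
		if mapped && !runtimeSupportsIDMap {
			return nil, fmt.Errorf("%s: %w", m.ContainerPath, errNoIDMapSupport)
		}
		out = append(out, ociMount{
			Destination: m.ContainerPath, Source: m.HostPath, Type: "bind",
			Options:     []string{"rbind"},
			UIDMappings: convertIDMappings(m.UidMappings),
			GIDMappings: convertIDMappings(m.GidMappings),
		})
	}
	return out, nil
}

func main() { fmt.Println(toOCIMounts(nil, false)) }
```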