/dev/shm is mounted noexec by default #6034
Comments
A friendly reminder that this issue had no activity for 30 days.
Sorry for the late response, this fell through the cracks. I think such an annotation makes sense! I await your contribution :)
I could provide support here if needed.
@dgl were you planning on fixing this or shall @hasan4791 take it over?
@dgl Did you check this doc? It's for 3.11 but it should work across any versions.
Here size defaults to the kernel behaviour, i.e. half of system memory, if not specified.
A friendly reminder that this issue had no activity for 30 days.
Closing this issue since it had no activity in the past 90 days.
What happened?
I'm running user workloads within a container, including an unmodified Chrome (103.0.5060.53, using the official package).
Chrome uses shared memory in /dev/shm to store JIT'd code which it then runs. Through the io.kubernetes.cri-o.ShmSize annotation I can make this large enough, however Chrome tabs sometimes crash with an error about SIGILL, particularly on JavaScript heavy pages.
I've tracked this down to /dev/shm being mounted noexec. If I mount it without that option things work (as this is using user namespaces I'm root in the container and can do that within the container, but it would be cleaner if cri-o did all this for me).
What did you expect to happen?
Per the spec at https://github.com/opencontainers/runc/blob/main/libcontainer/SPEC.md#filesystem /dev/shm is expected to be mounted noexec, but there are workloads this breaks.
Similarly to the ShmSize annotation I can imagine providing a ShmExec annotation to allow this kind of workload. I'd be happy to contribute something along those lines.
How can we reproduce it (as minimally and precisely as possible)?
Notice noexec.
Anything else we need to know?
Some other background on this:
CRI-O and Kubernetes version
OS version
Additional environment details (AWS, VirtualBox, physical, etc.)
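The check this issue turns on (is the mount visible at /dev/shm noexec?), written as an added Go example; it is not CRI-O code or code from the reporter. The function names and the mountinfo lines are constructed for illustration, and it assumes a mount made over /dev/shm inside the container is listed after the one it covers.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// Constructed mountinfo lines (not captured from a real node): the default
// noexec /dev/shm, and a second tmpfs mounted over it from inside the container.
const sampleDefault = "812 790 0:61 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755\n" +
	"815 812 0:58 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k\n"
const sampleOvermount = "903 815 0:70 / /dev/shm rw,nosuid,nodev,relatime - tmpfs tmpfs rw\n"

// mountOptions returns the per-mount options of the mount visible at target,
// given text in /proc/<pid>/mountinfo format.
func mountOptions(r io.Reader, target string) (opts string, found bool, err error) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		// id parent major:minor root mountpoint options [optional...] - fstype source superopts
		f := strings.Fields(sc.Text())
		if len(f) < 6 || f[4] != target {
			continue
		}
		// A later mount on the same path covers the earlier one: last match wins.
		opts, found = f[5], true
	}
	return opts, found, sc.Err()
}

// hasOption reports whether want (e.g. "noexec") is one of the comma-separated opts.
func hasOption(opts, want string) bool {
	return strings.Contains(","+opts+",", ","+want+",")
}

func main() {
	var in io.Reader = strings.NewReader(sampleDefault + sampleOvermount)
	if f, err := os.Open("/proc/self/mountinfo"); err == nil {
		defer f.Close()
		in = f
	}
	opts, found, err := mountOptions(in, "/dev/shm")
	fmt.Printf("/dev/shm found=%v options=%q noexec=%v err=%v\n", found, opts, hasOption(opts, "noexec"), err)
}
```

Run inside the container, it reads the live /proc/self/mountinfo; elsewhere it falls back to the constructed sample.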