Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run systemd service with full permissions required for cgroup v2 device controller. #4272

Closed
wants to merge 2 commits into from
Closed

Run systemd service with full permissions required for cgroup v2 device controller. #4272

wants to merge 2 commits into from

Conversation

r10r
Copy link

@r10r r10r commented Oct 15, 2020

Running cri-o on a cgroup v2 unified system systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all I noticed that
the runtime (lxc / crio-lxc) fails to create the BPF filter for the cgroup device controller (with EPERM).
After allowing the crio.service to run with full privileges the runtime can create the BPF filter.

@openshift-ci-robot
Copy link

@r10r: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 15, 2020
@openshift-ci-robot
Copy link

Hi @r10r. Thanks for your PR.

I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@r10r
Run systemd service with full privileges.
8a19a63 
This is required for container runtimes using the
the cgroup2 device controller which is implemented as BPF filter.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
@openshift-ci-robot openshift-ci-robot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Oct 15, 2020
@codecov
Copy link

codecov bot commented Oct 15, 2020
edited

Codecov Report

Merging #4272 (3125f89) into main (af6e36a) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #4272   +/-   ##
=======================================
  Coverage   38.57%   38.57%           
=======================================
  Files         111      111           
  Lines        8897     8897           
=======================================
  Hits         3432     3432           
  Misses       5081     5081           
  Partials      384      384

@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mrunalp, r10r

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 15, 2020
@mrunalp
Copy link
Member

mrunalp commented Oct 15, 2020

/ok-to-test

@openshift-ci-robot openshift-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 15, 2020
@r10r
Copy link
Author

r10r commented Oct 16, 2020

/retest

@r10r
Copy link
Author

r10r commented Oct 16, 2020

@mrunalp Why are the build jobs failing? Because I force-pushed to the branch referenced by the pull request ?

@haircommander
Copy link
Member

hm, we're getting this error:


TASK [enable and start CRI-O] **************************************************
task path: /go/src/github.com/cri-o/cri-o/contrib/test/integration/e2e-base.yml:25
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error loading unit file 'crio': org.freedesktop.DBus.Error.InvalidArgs \"Invalid argument\""}
	to retry, use: --limit @/go/src/github.com/cri-o/cri-o/contrib/test/integration/main.retry

on rhel 7

the others may be flakes.

/retest

(I expect the RHEL boxes to still fail, we'll need to get fancy with our installation script, I can get you a patch when we see it passes on fedora)

@r10r
Copy link
Author

r10r commented Oct 20, 2020

@haircommander Sorry for buggin - but I don't quite understand the failure - Is the systemd version on RHEL boxes to old to support the '+' permission flag ? I search in the systemd sources, but I can't really determine when the '+' flag was introduced. It's easier to look if a specific version supports the flag.

Can you tell me the systemd version used on the RHEL box ?

@haircommander
Copy link
Member

I think some of those failures were infra failures. I'm going to re-run to see what the state of the world actually is

/retest

@haircommander
Copy link
Member

/test e2e_fedora

@haircommander
Copy link
Member

/test e2e_crun

@r10r
Copy link
Author

r10r commented Nov 4, 2020

/retest

@r10r
Copy link
Author

r10r commented Nov 5, 2020

@haircommander this seems to be a long journey - the builds are still failing. Did you make some changes to the infrastructure ? Does the builds work without the change ?

@haircommander
Copy link
Member

I am sorry I have not had a chance to look at this. I will try later today

@haircommander
Copy link
Member

hey @r10r sorry again, this keeps falling off of my radar. what happens when you apply this patch:

diff --git a/contrib/test/integration/build/cri-o.yml b/contrib/test/integration/build/cri-o.yml
index 2aa23e465..b447d41cd 100644
--- a/contrib/test/integration/build/cri-o.yml
+++ b/contrib/test/integration/build/cri-o.yml
@@ -26,6 +26,13 @@
     regexp: '^Restart='
     line: 'Restart=no'
 
+- name: Remove prefix of ExecStart for older systemd
+  lineinfile:
+    path: "{{ ansible_env.GOPATH }}/src/github.com/cri-o/cri-o/contrib/systemd/crio.service"
+    regexp: '^ExecStart=+/usr/local/bin/crio'
+    line: 'ExecStart=/usr/local/bin/crio'
+  when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 8)
+
 - name: install cri-o
   make:
     target: install

@openshift-ci-robot openshift-ci-robot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. and removed dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Nov 18, 2020
@r10r
Remove full privileges prefix '+' of ExecStart for older systemd.
3125f89 
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
@openshift-ci-robot openshift-ci-robot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Nov 18, 2020
@openshift-merge-robot
Copy link
Contributor

@r10r: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/openshift-jenkins/critest_rhel 3125f89 link /test critest_rhel
ci/openshift-jenkins/e2e_features_rhel 3125f89 link /test e2e_features_rhel
ci/openshift-jenkins/e2e_rhel 3125f89 link /test e2e_rhel
ci/openshift-jenkins/e2e_crun_cgroupv2 3125f89 link /test e2e_cgroupv2
ci/openshift-jenkins/e2e_fedora 3125f89 link /test e2e_fedora
ci/openshift-jenkins/e2e_crun 3125f89 link /test e2e_crun

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@github-actions
Copy link

A friendly reminder that this PR had no activity for 30 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 30, 2022
@r10r
Copy link
Author

r10r commented Nov 17, 2022

/retest

@openshift-ci
Copy link
Contributor

openshift-ci bot commented May 24, 2023

@r10r: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ci-critest 3125f89 link true /test ci-critest
ci/prow/ci-rhel-integration 3125f89 link true /test ci-rhel-integration
ci/prow/ci-rhel-e2e 3125f89 link true /test ci-rhel-e2e
ci/prow/ci-crun-e2e 3125f89 link true /test ci-crun-e2e
ci/prow/ci-cgroupv2-e2e 3125f89 link true /test ci-cgroupv2-e2e
ci/prow/ci-e2e-conmonrs 3125f89 link true /test ci-e2e-conmonrs
ci/prow/ci-e2e 3125f89 link true /test ci-e2e
ci/prow/ci-cgroupv2-e2e-crun 3125f89 link true /test ci-cgroupv2-e2e-crun
ci/prow/e2e-gcp-ovn 3125f89 link true /test e2e-gcp-ovn
ci/prow/ci-e2e-evented-pleg 3125f89 link true /test ci-e2e-evented-pleg

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@haircommander haircommander removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 24, 2023
@sohankunkerkar sohankunkerkar self-assigned this May 24, 2023
@sohankunkerkar
Copy link
Member

closing this in favor of #6970

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrunalp mrunalp mrunalp approved these changes

@runcom runcom Awaiting requested review from runcom

@haircommander haircommander Awaiting requested review from haircommander

@rhatdan rhatdan Awaiting requested review from rhatdan

Assignees

@sohankunkerkar sohankunkerkar

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@r10r @openshift-ci-robot @mrunalp @haircommander @openshift-merge-robot @sohankunkerkar