Run systemd service with full permissions required for cgroup v2 device controller. #4272
Conversation
@r10r: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected; please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @r10r. Thanks for your PR. I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This is required for container runtimes using the cgroup2 device controller, which is implemented as a BPF filter. Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Codecov Report
```
@@            Coverage Diff            @@
##             main    #4272   +/-   ##
=======================================
  Coverage   38.57%   38.57%
=======================================
  Files         111      111
  Lines        8897     8897
=======================================
  Hits         3432     3432
  Misses       5081     5081
  Partials      384      384
```
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mrunalp, r10r. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/ok-to-test
/retest
@mrunalp Why are the build jobs failing? Because I force-pushed to the branch referenced by the pull request?
hm, we're getting this error:
the others may be flakes. /retest (I expect the RHEL boxes to still fail, we'll need to get fancy with our installation script, I can get you a patch when we see it passes on fedora) |
@haircommander Sorry for bugging you, but I don't quite understand the failure. Is the systemd version on the RHEL boxes too old to support the '+' permission flag? I searched in the systemd sources, but I can't really determine when the '+' flag was introduced. It's easier to look up whether a specific version supports the flag. Can you tell me the systemd version used on the RHEL box?
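The `'+'` prefix discussed in this comment was added to the `Exec*=` settings in systemd v231; its effect, per systemd.service(5), is that the one prefixed command runs with full privileges, with `User=`, `Group=`, `CapabilityBoundingSet=` and the filesystem namespacing options (`PrivateDevices=`, `PrivateTmp=`, ...) not applied to it, while the unit's other `Exec*=` lines stay restricted. The drop-in below is an added example, not the PR's own unit change (the diff is not shown on this page); the binary path and the capability names in the narrower option are assumptions to adjust for your install and kernel.

```ini
# /etc/systemd/system/crio.service.d/10-cgroup-device-bpf.conf
# Added example (not the cri-o PR's diff). Path and capability list are assumed.
[Service]

# Option A, what the PR title describes: the "+" prefix (systemd >= 231) runs
# this one command with full privileges. User=, Group=, CapabilityBoundingSet=
# and the filesystem namespacing options (PrivateDevices=, PrivateTmp=, ...)
# are not applied to it; they still apply to any other Exec*= line.
# The empty assignment clears the ExecStart= inherited from the main unit,
# which is required before a service unit's ExecStart= can be redefined.
ExecStart=
ExecStart=+/usr/local/bin/crio

# Option B, narrower: keep the unit's sandbox and widen only the capability
# set, so that bpf(2) can load and attach the BPF_PROG_TYPE_CGROUP_DEVICE
# program behind the cgroup v2 device controller. Assumed requirements, verify
# against your kernel: CAP_SYS_ADMIN and CAP_NET_ADMIN before 5.8, CAP_BPF and
# CAP_NET_ADMIN from 5.8 on (CAP_SYS_ADMIN implies both on 5.8+).
# Repeated CapabilityBoundingSet= lines are merged, so this only adds to what
# the main unit already grants. Use A or B, not both.
#CapabilityBoundingSet=CAP_SYS_ADMIN CAP_NET_ADMIN CAP_BPF
```

After writing the drop-in, run `systemctl daemon-reload` and check the effective settings with `systemctl show crio.service -p ExecStart -p CapabilityBoundingSet`; on a systemd older than v231 the `+` prefix is not understood and the path `+/usr/local/bin/crio` would simply fail to execute.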
I think some of those failures were infra failures. I'm going to re-run to see what the state of the world actually is /retest
/test e2e_fedora
/test e2e_crun
/retest
@haircommander this seems to be a long journey; the builds are still failing. Did you make some changes to the infrastructure? Do the builds work without the change?
I am sorry I have not had a chance to look at this. I will try later today |
hey @r10r sorry again, this keeps falling off of my radar. what happens when you apply this patch:
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
@r10r: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
A friendly reminder that this PR had no activity for 30 days. |
/retest
@r10r: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
closing this in favor of #6970 |
Running cri-o on a cgroup v2 unified system (booted with `systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all`), I noticed that the runtime (lxc / crio-lxc) fails to create the BPF filter for the cgroup device controller (with EPERM). After allowing `crio.service` to run with full privileges the runtime can create the BPF filter.
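The EPERM described above comes from bpf(2): on cgroup v2 the device controller is not a file in the cgroup hierarchy but a `BPF_PROG_TYPE_CGROUP_DEVICE` program the runtime must load and attach, and the unit's privilege restrictions decide whether that syscall is allowed. The probe below is an added example, not code from cri-o, lxc or crio-lxc: it attempts to load the smallest valid device program ("allow everything") and reports whether the calling context may do so. Run it from inside the unit's sandbox (for instance via `systemd-run` with the same hardening properties as `crio.service`) to confirm that the sandbox, rather than the runtime, is what produces the EPERM. It is Linux-only; the `bpf_attr` layout is the `BPF_PROG_LOAD` prefix of `union bpf_attr` from `<linux/bpf.h>`, spelled out so no kernel headers are needed, and the fallback syscall numbers are an assumption for x86_64 and aarch64.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Added example, not cri-o code. Fallback syscall numbers (assumed) for when
 * the libc headers predate bpf(2). */
#ifndef SYS_bpf
#  if defined(__x86_64__)
#    define SYS_bpf 321
#  elif defined(__aarch64__)
#    define SYS_bpf 280
#  else
#    error "SYS_bpf unknown for this architecture"
#  endif
#endif

#define BPF_PROG_LOAD 5                /* bpf(2) command */
#define BPF_PROG_TYPE_CGROUP_DEVICE 15 /* program type behind the v2 device controller */

/* BPF_PROG_LOAD view of union bpf_attr (first 48 bytes). Passing a shorter
 * attr than the kernel's is allowed; the kernel treats the rest as zero. */
struct bpf_prog_load_attr {
    uint32_t prog_type;
    uint32_t insn_cnt;
    uint64_t insns;       /* user pointer to struct bpf_insn[] */
    uint64_t license;     /* user pointer to NUL-terminated license string */
    uint32_t log_level;
    uint32_t log_size;
    uint64_t log_buf;
    uint32_t kern_version;
    uint32_t prog_flags;
};

struct bpf_insn {
    uint8_t code;
    uint8_t regs;  /* dst_reg in the low nibble, src_reg in the high nibble */
    int16_t off;
    int32_t imm;
};

/* Smallest valid device program, "r0 = 1; exit": allow every device access.
 * The verifier only accepts return values 0 (deny) or 1 (allow) for this type. */
static const struct bpf_insn allow_all[] = {
    { 0xb7, 0x00, 0, 1 },  /* BPF_ALU64 | BPF_MOV | BPF_K : r0 = 1 */
    { 0x95, 0x00, 0, 0 },  /* BPF_JMP   | BPF_EXIT        : return r0 */
};

/* Tries to load the program. Returns a program fd (>= 0) on success,
 * or -errno on failure; EPERM is the case the PR description reports. */
int probe_cgroup_device_bpf(void) {
    static char log[4096];
    struct bpf_prog_load_attr attr;
    memset(&attr, 0, sizeof attr);
    memset(log, 0, sizeof log);
    attr.prog_type = BPF_PROG_TYPE_CGROUP_DEVICE;
    attr.insn_cnt  = sizeof allow_all / sizeof allow_all[0];
    attr.insns     = (uint64_t)(uintptr_t)allow_all;
    attr.license   = (uint64_t)(uintptr_t)"GPL";
    attr.log_level = 1;
    attr.log_size  = sizeof log;
    attr.log_buf   = (uint64_t)(uintptr_t)log;

    long fd = syscall(SYS_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    if (fd < 0)
        return -errno;
    return (int)fd;
}

/* Maps a probe result to a one-line diagnosis for the operator. */
const char *explain_probe(int rc) {
    if (rc >= 0)
        return "ok: cgroup device BPF program loaded; unit privileges are sufficient";
    if (rc == -EPERM)
        return "EPERM: the sandbox/capability set blocks bpf(2); widen CapabilityBoundingSet= or use the ExecStart=+ prefix";
    if (rc == -ENOSYS)
        return "ENOSYS: bpf(2) unavailable (kernel too old or the syscall is filtered)";
    if (rc == -EINVAL)
        return "EINVAL: kernel rejected the program (no cgroup v2 device program support?)";
    return "unexpected error from bpf(2)";
}

int main(void) {
    int rc = probe_cgroup_device_bpf();
    printf("%s\n", explain_probe(rc));
    if (rc >= 0)
        close(rc);
    return rc >= 0 ? 0 : 1;
}
```

The probe only loads the program; attaching it to a cgroup (`BPF_PROG_ATTACH` with `BPF_CGROUP_DEVICE`) is a second privileged step a runtime performs, so a successful load here rules out the load-time restriction but not an attach-time one. Run it as the service user with the unit's restrictions applied and again with `+`-style full privileges; the two outputs should differ exactly as the PR description reports for `crio.service`.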