Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

server, runtimeVM: Don't mount /sys and /sys/fs/cgroup using "rslave" #4896

Closed
wants to merge 1 commit into from
Closed

server, runtimeVM: Don't mount /sys and /sys/fs/cgroup using "rslave" #4896

wants to merge 1 commit into from

Conversation

fidencio
Copy link
Contributor

What type of PR is this?

/kind bug

What this PR does / why we need it:

Let's only mount "/sys" and "/sys/fs/cgroup" as "rslave" in the case of
"OCI" containers, as #4575 broke
privileged containers when used with kata-containers.

Which issue(s) this PR fixes:

Fixes #4765

Special notes for your reviewer:

I've discussed this with @giuseppe earlier Today and he mentioned that he's fine with this approach.
I really would like to get a feedback from both @mrunalp and @lifupan to be sure whether the right layer to solve this issue is here, on CRI-O, or whether a fix for this would be better on Kata Containers side (and @fupanli is debugging it there).

Does this PR introduce a user-facing change?

None

@fidencio
server, runtimeVM: Don't mount /sys and /sys/fs/cgroup using "rslave"
f579e1e 
Let's only mount "/sys" and "/sys/fs/cgroup" as "rslave" in the case of
"OCI" containers, as cri-o#4575 broke
privileged containers when used with kata-containers.

Fixes: cri-o#4765

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
@openshift-ci openshift-ci bot added release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/bug Categorizes issue or PR as related to a bug. labels May 13, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented May 13, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fidencio

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 13, 2021
@fidencio
Copy link
Contributor Author

/cc @mrunalp, @lifupan, @giuseppe, et al.

@fidencio fidencio mentioned this pull request May 13, 2021
Merged
haircommander
haircommander reviewed May 13, 2021
View reviewed changes
server/container_create_linux.go
Comment on lines +465 to +468
// A container is kernel separated if we're using shimv2, or we're using a kata v1 binary
podIsKernelSeparated := runtimeType == libconfig.RuntimeTypeVM ||
strings.Contains(strings.ToLower(runtimeHandler), "kata") ||
(runtimeHandler == "" && strings.Contains(strings.ToLower(s.config.DefaultRuntime), "kata"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we add a method to the runtime class s.Runtime().IsKernelSeparated() instead of duplicating this check between here and sandbox_run_linux?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure thing!

@fidencio
Copy link
Contributor Author

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 13, 2021
@fidencio
Copy link
Contributor Author

We may go for a solution on the kata-containers side, which seems for future proof, as the change on CRI-O basically exposed an issue on the kata-containers side.

Let's hold it for now.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented May 13, 2021

@fidencio: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-agnostic f579e1e link /test e2e-agnostic
ci/prow/e2e-gcp f579e1e link /test e2e-gcp
ci/openshift-jenkins/e2e_crun_cgroupv2 f579e1e link /test e2e_cgroupv2

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@fidencio
Copy link
Contributor Author

I think the solution on the kata-containers is more future proof than making a special case on the CRI-O side.
Thanks everyone for the reviews, we'll move forward with @lifupan's solution on the kata-containers side.

@fidencio fidencio closed this May 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haircommander haircommander haircommander left review comments

@mrunalp mrunalp Awaiting requested review from mrunalp

@runcom runcom Awaiting requested review from runcom

@kolyshkin kolyshkin Awaiting requested review from kolyshkin

@vrothberg vrothberg Awaiting requested review from vrothberg

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/bug Categorizes issue or PR as related to a bug. release-note-none Denotes a PR that doesn't merit a release note.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

cri-o cannot use "privileged: true" when using kata-containers
2 participants
@fidencio @haircommander