
How to enable privileged for k8s + containerd + kata to access host devices ? #1986

Open
LiangZhou-CTY opened this issue Jun 10, 2021 · 3 comments
Labels
area/documentation Impacts the documentation bug Incorrect behaviour

Comments

@LiangZhou-CTY
Contributor

Hi there,

I followed the guide https://github.com/kata-containers/kata-containers/blob/main/docs/how-to/privileged.md#host-devices to enable privileged feature on kata but failed.

Here are my steps:

1. Set privileged to true in my pod yaml:

```yaml
[root@localhost kata]# cat test-kata.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-kata
spec:
  runtimeClassName: kata
  containers:
  - name: test-kata-1
    securityContext:
      privileged: true
    image: ubuntu
```

2. Set the related fields in /etc/containerd/config.toml:

```toml
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
            runtime_type = "io.containerd.kata.v2"
            privileged_without_host_devices = true
```

3. Run the pod, but I cannot get the host devices under /dev:

```
[root@localhost kata]# kubectl exec test-kata -ti -- /bin/bash
root@test-kata:/#
root@test-kata:/# uname -a
Linux test-kata 5.4.71 #1 SMP Fri Apr 9 19:03:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
root@test-kata:/# ls /dev
fd  full  mqueue  null  ptmx  pts  random  shm  stderr  stdin  stdout  termination-log  tty  urandom  zero
root@test-kata:/#
```

We see that the host devices are not passed through to the kata container.

4. I tried the same steps on runc, and it works:

```
[root@localhost runc]# kubectl exec -ti liang -- /bin/sh
# uname -a
Linux liang 4.18.0-240.el8.x86_64 #1 SMP Fri Sep 25 19:48:47 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# ls /dev
autofs           fb0      kmsg          mcelog  ppp     sda1      snd              tty0   tty16  tty23  tty30  tty38  tty45  tty52  tty6   ttyS0    usbmon1  vcs6   vfio
bsg              fd       kvm           mem     ptmx    sda2      sr0              tty1   tty17  tty24  tty31  tty39  tty46  tty53  tty60  ttyS1    usbmon2  vcsa   vga_arbiter
bus              full     loop-control  midi    pts     sda3      sr1              tty10  tty18  tty25  tty32  tty4   tty47  tty54  tty61  ttyS2    vcs      vcsa1  vhci
core             fuse     lp0           mqueue  random  sg0       stderr           tty11  tty19  tty26  tty33  tty40  tty48  tty55  tty62  ttyS3    vcs1     vcsa2  vhost-net
cpu              hidraw0  lp1           net     raw     sg1       stdin            tty12  tty2   tty27  tty34  tty41  tty49  tty56  tty63  uhid     vcs2     vcsa3  vhost-vsock
cpu_dma_latency  hpet     lp2           null    rfkill  sg2       stdout           tty13  tty20  tty28  tty35  tty42  tty5   tty57  tty7   uinput   vcs3     vcsa4  vmci
dmmidi           hwrng    lp3           nvram   rtc0    shm       termination-log  tty14  tty21  tty29  tty36  tty43  tty50  tty58  tty8   urandom  vcs4     vcsa5  vsock
dri              input    mapper        port    sda     snapshot  tty              tty15  tty22  tty3   tty37  tty44  tty51  tty59  tty9   usbmon0  vcs5     vcsa6  zero
#
```

5. I searched for this issue; it seems there is a similar discussion, but that one is not the same as mine. That one is about setting "privileged_without_host_devices = false" and getting a container startup failure:
    privileged securityContext is causing pod to fail on k8s #1342

Anything I missed?

Thanks.

@LiangZhou-CTY LiangZhou-CTY added bug Incorrect behaviour needs-review Needs to be assessed by the team. labels Jun 10, 2021
@egernst
Member

egernst commented Jun 10, 2021

You’ll want to explicitly add those devices if you need them. Containerd won’t add these devices if you have set: privileged_without_host_devices = true
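As an added example (not code from the issue or from the kata-containers project), a small audit script that reads the CRI runtime tables of a containerd config.toml and reports, per runtime, whether a pod with `privileged: true` would also receive the host's /dev entries. The config text, the line-based reader and the runtime names are constructed here; it assumes the containerd 1.x CRI plugin table names used in the issue.

```python
"""Audit which containerd CRI runtimes hand host /dev devices to privileged pods.

Constructed example. The reader only understands the flat
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.<name>] tables and
their `key = value` lines; it is not a full TOML parser. When the
privileged_without_host_devices key is absent, containerd's default (false)
applies, so a privileged pod on that runtime gets the host's device nodes.
"""
import re

RUNTIME_TABLE = re.compile(
    r'^\[plugins\."io\.containerd\.grpc\.v1\.cri"\.containerd\.runtimes\.([A-Za-z0-9_-]+)\]$'
)
KEY_VALUE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")

# Constructed config: the kata table from the issue, a default runc table, and a
# kata table that explicitly keeps the (risky) default.
SAMPLE_CONFIG = """
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
    runtime_type = "io.containerd.kata.v2"
    privileged_without_host_devices = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-alldev]
    runtime_type = "io.containerd.kata.v2"
    privileged_without_host_devices = false  # same as leaving the key out
"""


def parse_runtimes(config_text):
    """Return {runtime_name: {key: raw_value}} for each CRI runtime table."""
    runtimes, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (no '#' inside strings here)
        if not line:
            continue
        match = RUNTIME_TABLE.match(line)
        if match:
            current = runtimes.setdefault(match.group(1), {})
            continue
        if line.startswith("["):
            current = None  # any other table (e.g. runtimes.<name>.options): stop collecting
            continue
        kv = KEY_VALUE.match(line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return runtimes


def privileged_gets_host_devices(runtime_cfg):
    """True when a privileged pod on this runtime receives the host's /dev entries."""
    return runtime_cfg.get("privileged_without_host_devices", "false").lower() != "true"


def audit(config_text):
    """Map runtime name -> verdict for `privileged: true` pods on that runtime."""
    return {
        name: "host devices exposed" if privileged_gets_host_devices(cfg) else "host devices withheld"
        for name, cfg in parse_runtimes(config_text).items()
    }


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{name:12s} privileged pods: {verdict}")
```

The `kata` entry matches the issue reporter's setup: containerd withholds the host devices, which is why only the default nodes appear under /dev in the pod, while the `runc` table (no key) shows the behaviour seen in the runc test.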

@LiangZhou-CTY
Contributor Author

> You’ll want to explicitly add those devices if you need them. Containerd won’t add these devices if you have set: privileged_without_host_devices = true

Thanks @egernst for your quick response.
I'm not very familiar with k8s; is there any example for kata to "explicitly add those devices"?

@LiangZhou-CTY LiangZhou-CTY changed the title How to enable privileged feature to k8s + containerd + kata How to enable privileged for k8s + containerd + kata to access host devices ? Jun 10, 2021
@ariel-adam ariel-adam added area/documentation Impacts the documentation and removed needs-review Needs to be assessed by the team. labels Jun 22, 2021
@c3d
Member

c3d commented Jun 22, 2021

@egernst At present, the documentation does not give examples (not even a suggestion) that the /dev/ entries need to be manually passed in that case.

We provide a number of configuration files, but we should also provide a k8s yaml file showing what to do in that case, no?

cmaf added a commit to cmaf/kata-containers that referenced this issue Sep 8, 2021
Upgrade from v0.20.0 to v1.0.0-RC3.
Fixes kata-containers#2591

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>