Fix mount issues in containerized Kubelet #9976
Conversation
smarterclayton
commented
Jun 17, 2015
- nsenter was not located via path in the container
- nsenter needed '--' to separate command from args
- we need to search the parent FS at /rootfs in order to find mount/umount/findmnt
GCE e2e build/test passed for commit 4f6542529f7f12e5e3479a67f278a402b7747701.
// 4. The Kubelet process must have CAP_SYS_ADMIN (required by nsenter); at
// the present, this effectively means that the kubelet is running in a
// privileged container.
// 5. The volume path used by the Kubelet must be the same inside and outside
// the container and be writable by the container (to initialize volume)
// contents. TODO: remove this requirement.
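Review bot: the parenthesis in item 5 is misplaced: "(to initialize volume) contents" should read "(to initialize volume contents)", and "at the present" in item 4 reads better as "at present". The prerequisites also do not say where the mount, umount and findmnt binaries are expected to come from (the kubelet's container image or the host filesystem mounted at /rootfs); since the PR searches /rootfs for them, that belongs in this list alongside the CAP_SYS_ADMIN requirement.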
Should we document the fact that the container image must contain mount, umount, and findmnt, or the rootfs you mount inside the container does?
We should
On Jun 17, 2015, at 7:13 PM, Kelsey Hightower notifications@github.com wrote:
In pkg/util/mount/nsenter_mount.go:
// 4. The Kubelet process must have CAP_SYS_ADMIN (required by nsenter); at
// the present, this effectively means that the kubelet is running in a
// privileged container.
+// 5. The volume path used by the Kubelet must be the same inside and outside
+// the container and be writable by the container (to initialize volume)
+// contents. TODO: remove this requirement.
Should we document the fact that the container image must contain mount, umount, and findmnt, or the rootfs you mount inside the container does?
Minor comments.
nsenter needs '--' to separate calls (4f65425 to 93b14b9)
Comments addressed - I search for each binary now in a list of paths, first path wins. If it doesn't exist, it will default to
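The two fixes described in the PR description and in the comment above (probe the host filesystem at /rootfs for mount/umount/findmnt with the first hit winning, and put `--` between nsenter's options and the helper command) as an added stand-alone example; this is not the PR's code. The search directory list, the PATH fallback and the `/rootfs/proc/1/ns/mnt` namespace path are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Host directories probed for each helper, in priority order; the first hit
// wins. This list is constructed for the example, not the PR's exact list.
var searchDirs = []string{"/bin", "/usr/bin", "/sbin", "/usr/sbin"}

// hostBinaryPath looks for name under each dir, but stats it through the
// host filesystem mounted at rootfs (e.g. /rootfs), since the kubelet's own
// image need not ship mount/umount/findmnt. The returned path is the HOST
// path (no rootfs prefix): nsenter enters the host mount namespace before
// exec, so that is the path that must resolve there. exists is injected so
// the lookup can be exercised without a real /rootfs. If nothing matches, the
// bare name is returned and left to PATH lookup (constructed fallback).
func hostBinaryPath(name, rootfs string, dirs []string, exists func(string) bool) string {
	for _, dir := range dirs {
		hostPath := filepath.Join(dir, name)
		if exists(filepath.Join(rootfs, hostPath)) {
			return hostPath
		}
	}
	return name
}

func fileExists(p string) bool {
	st, err := os.Stat(p)
	return err == nil && !st.IsDir()
}

// nsenterArgs builds argv for nsenter. Everything before "--" is an nsenter
// option; the "--" makes nsenter stop option parsing, so helper flags such
// as "-t tmpfs" reach the helper instead of being read by nsenter itself.
// The mount-namespace path is an assumed value for this example.
func nsenterArgs(hostMountNs, helper string, helperArgs ...string) []string {
	argv := []string{"--mount=" + hostMountNs, "--", helper}
	return append(argv, helperArgs...)
}

func main() {
	mount := hostBinaryPath("mount", "/rootfs", searchDirs, fileExists)
	argv := nsenterArgs("/rootfs/proc/1/ns/mnt", mount, "-t", "tmpfs", "tmpfs", "/mnt/example")
	// Would be run as exec.Command(nsenterPath, argv...); printed here instead.
	fmt.Println("nsenter", argv)
}
```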
GCE e2e build/test passed for commit 93b14b9.
Code LGTM. @dchen1107 to evaluate for 1.0 & second LGTM.
LGTM
@smarterclayton Can we hold this one for a few weeks, right after 1.0 release?
Sure.
@dchen1107 should this have the 1.0-post label?
Docker 1.7 is broken in a container (except on Red Hat distros) because mount propagation is PRIVATE, not SHARED. Mount-prop fix is being tracked in libcontainer, will probably require docker changes as well. The other option may be to start with the host's mount namespace.
@dchen1107 second review?
My centos 6.5 + docker 1.7.1 + hyperkube + Kubernetes v1.0.1 is suffering this issue. Is it possible to at least merge "nsenter needed '--' to separate command from args" to release branch? Here is the log:
I think we already got 1 LGTM, just needs a sign off from Dawn if she wants
On Jul 31, 2015, at 5:42 AM, Lv Lv notifications@github.com wrote:
My centos 6.5 + docker 1.7.1 + hyperkube + Kubernetes v1.0.1 is suffering Here is the log:
Sorry for delaying the review for this PR. LGTM
Fix mount issues in containerized Kubelet
…#9976-upstream-release-1.0 Automated cherry pick of #9976