Cannot exec into container running in gVisor #3446
Comments
This doesn't seem consistent. If I run kubectl exec into a normal trusted container and then exec into the untrusted gvisor container then it works. i.e. after reproducing per above
@ianlewis yes, I saw this too (google/gvisor#120) - not sure which layer is throwing the error - but it seems that it is related to the gvisor-containerd-shim or runsc, as it does not come up with trusted workloads. Still investigating.
Thanks, it's very possible that it's the shim but I hadn't encountered it before in my testing on my own Kubernetes clusters. I'll also investigate a bit today to see if I can't find the root cause.
@balopat see my other comment too but let's keep comments on the issue here for now since minikube is currently how we can repro and move to the shim or gvisor once we have a cause.
This looks to be a race condition in the gvisor-containerd-shim where runsc hasn't yet created the pid file for the process executed by 'kubectl etc' but gvisor-containerd-shim tries to read it. Moving to the shim repo.
Actually, I'll keep this open as it's proving a bit challenging to repro using straight containerd and crictl, will continue to try to reproduce outside of minikube though.
We will also need to update minikube with a newer version of the shim and/or containerd so we can track that work on this issue.
@balopat You can maybe just assign this issue to me. I'll provide the proper PR to update minikube once the shim is updated.
@balopat This is a minikube issue. I investigated on google/gvisor-containerd-shim#4 and found that this is fixed in runsc by google/gvisor@4cd4b60 but minikube is using an old version of runsc. The version of runsc used by the gvisor addon's docker image doesn't match the version used by the current code at https://github.com/kubernetes/minikube/blob/master/pkg/minikube/constants/constants.go#L285. The code here is referencing the 2018-12-04 version of runsc but the gvisor addon binary in the docker image is using 2018-11-08.
Please rebuild and deploy the gcr.io/k8s-minikube/gvisor-addon docker image to use at least the 2018-12-04 version of gVisor.
Thank you for the investigation! I pushed a new version of the image built from master and it works now. Closing.
Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG
Please provide the following details:
Environment:
Minikube version (use minikube version): 0.31.0
(cat ~/.minikube/machines/minikube/config.json | grep DriverName): kvm2
(cat ~/.minikube/machines/minikube/config.json | grep -i ISO or minikube ssh cat /etc/VERSION): 0.31.0
What happened:
Run nginx in gvisor per the instructions for the gVisor addon: https://github.com/kubernetes/minikube/tree/master/deploy/addons/gvisor
What you expected to happen:
I can exec a terminal in the container
How to reproduce it (as minimally and precisely as possible):