Rootless mode doesn't work on Google Container-Optimized OS kernel (CONFIG_SECURITY_CHROMIUMOS_NO_UNPRIVILEGED_UNSAFE_MOUNTS?) #879
Comments
Note: the same step (w/
|
wondering this might be related to ChromiumOS LSM, but not sure https://chromium.googlesource.com/chromiumos/third_party/kernel/+/HEAD/security/chromiumos |
@AkihiroSuda just to be clear, it does not work without setting securityContext in GKE? |
No, even
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: buildkitd
  name: buildkitd
spec:
  selector:
    matchLabels:
      app: buildkitd
  template:
    metadata:
      labels:
        app: buildkitd
    spec:
      containers:
      - image: moby/buildkit:v0.4.0-rootless@sha256:3877d091e65429f59919ed5591aaeb863b1889a5314bdfdba5ff9c0dfb2f3ed0
        args:
        - --addr
        - tcp://0.0.0.0:1234
        name: buildkitd
        ports:
        - containerPort: 1234
        securityContext:
          privileged: true
```
With rootful image, it works. (tested both |
@AkihiroSuda So is this a regression in v0.4 ? |
No, even This is rather likely to be a regression in GKE, although I don't have any evidence that |
v0.4.0-rootless (both Seems an issue on Google COS. |
strace: buildkit (fails) (containerd/containerd#1373)
likely to be related to |
From moby/buildkit#879, it seems like GKE's container-optimized instances introduce trouble for running rootless containers - adding an ubuntu pool to test it out. Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
Continuing with the explorations on how the use of rootless containers might be affected by `gke`'s COS base images (see moby/buildkit#879), now we have a worker that runs on top of ubuntu and can be targeted via the `ubuntu` tag. Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
I just tried with the COS nodes of |
Any updates on this issue? |
Needs help from Google |
So can anything be done? |
Maybe https://github.com/AkihiroSuda/containerd-fuse-overlayfs can be a solution, but blocked due to go mod hell |
Can I do anything to help? |
Another way is to replace the failing mount flags This needs more investigation and help is appreciated, thanks. |
So you want to change the error? (sorry I'm new) |
"unshare -rm mount" example doesn't produce any error, and we want to avoid BuildKit error by using the same mount flags |
I assumed fuse-overlayfs snapshotter may work, but seems not 😢
$ buildctl --addr=kube-pod://buildkitd build --frontend dockerfile.v0 --local dockerfile=. --local context=.
[+] Building 0.2s (2/2) FINISHED
=> [internal] load build definition from Dockerfile 0.2s
=> => transferring dockerfile: 109B 0.2s
=> [internal] load .dockerignore 0.2s
=> => transferring context: 2B 0.2s
error: failed to solve: rpc error: code = Unknown desc = failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /home/user/.local/tmp/buildkit-mount998042514: [{Type:bind Source:/home/user/.local/share/buildkit/runc-fuse-overlayfs/snapshots/snapshots/1/fs Options:[rbind ro]}]: operation not permitted |
Not only the issue in snapshotter
$ git diff
diff --git a/vendor/github.com/containerd/containerd/mount/mount_linux.go b/vendor/github.com/containerd/containerd/mount/mount_linux.go
index a7edd455..526640be 100644
--- a/vendor/github.com/containerd/containerd/mount/mount_linux.go
+++ b/vendor/github.com/containerd/containerd/mount/mount_linux.go
@@ -93,7 +93,10 @@ func (m *Mount) Mount(target string) error {
const broflags = unix.MS_BIND | unix.MS_RDONLY
if oflags&broflags == broflags {
// Remount the bind to apply read only.
- return unix.Mount("", target, "", uintptr(oflags|unix.MS_REMOUNT), "")
+ unix.Mount("", target, "", uintptr(oflags|unix.MS_REMOUNT), "")
+ // DO-NOT-MERGE:
+ // ignore err here to avoid hitting https://github.com/moby/buildkit/issues/879#issuecomment-473396544
+ // How can we ensure target to be read-only?
}
return nil
}
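Review bot: the error from the MS_REMOUNT call is discarded, so when the kernel refuses the read-only remount (the `operation not permitted` this thread is about) `Mount` returns nil and the bind stays writable while every caller assumes the target is read-only. The hunk's own comment asks how to ensure the target is read-only; at minimum keep the error visible (log it), and if it is to be tolerated, verify the outcome before returning, e.g. check that the target's entry in /proc/self/mountinfo carries `ro` and return an error when it does not, instead of the unconditional `return nil` that follows the block.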
$ buildctl --addr=kube-pod://buildkitd build --frontend dockerfile.v0 --local dockerfile=. --local context=.
[+] Building 6.1s (5/6)
=> [internal] load build definition from Dockerfile 0.2s
=> => transferring dockerfile: 109B 0.2s
=> [internal] load .dockerignore 0.2s
=> => transferring context: 2B 0.1s
=> [internal] load metadata for docker.io/library/alpine:latest 3.3s
=> [1/3] FROM docker.io/library/alpine@sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d 2.1s
=> => resolve docker.io/library/alpine@sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d 0.0s
=> => sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d 1.64kB / 1.64kB 0.0s
=> => sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 528B / 528B 0.0s
=> => sha256:c9b1b535fdd91a9855fb7f82348177e5f019329a58c53c47272962dd60f71fc9 2.80MB / 2.80MB 1.2s
=> => sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a 1.51kB / 1.51kB 0.0s
=> => unpacking docker.io/library/alpine@sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d 0.1s
=> ERROR [2/3] RUN apk add --no-cache figlet 0.1s
------
> [2/3] RUN apk add --no-cache figlet:
#5 0.084 container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/home/user/.local/share/buildkit/runc-native/executor/resolv.conf\\\" to rootfs \\\"/home/user/.local/share/buildkit/runc-native/executor/c9qbj5rmvwnjixos72ek7k7ko/rootfs\\\" at \\\"/home/user/.local/share/buildkit/runc-native/executor/c9qbj5rmvwnjixos72ek7k7ko/rootfs/etc/resolv.conf\\\" caused \\\"operation not permitted\\\"\""
------
error: failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c apk add --no-cache figlet]: buildkit-runc did not terminate successfully |
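The DO-NOT-MERGE comment in the diff above asks how the target can be confirmed read-only once the remount error is swallowed. As an added example (not BuildKit's or containerd's code), here is a stdlib-only Go check that answers that question from the kernel's own view of the mount table, /proc/self/mountinfo: a bind whose MS_REMOUNT|MS_RDONLY was refused keeps `rw` in its per-mount options, so the check fails instead of silently reporting success. The mountinfo field layout follows proc(5); the sample lines, the `/snap/...` roots and the `buildkit-mount221` path are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// mountInfoEntry keeps the two /proc/self/mountinfo fields this check needs.
type mountInfoEntry struct {
	MountPoint string
	Options    []string // per-mount (vfsmount) flags such as "ro", "nosuid"
}

// unescape decodes the \ooo octal escapes mountinfo uses for space, tab and newline in paths.
func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// parseMountInfo reads one mount per line in the mountinfo layout:
//   id parent maj:min root mountpoint options [optional...] - fstype source superopts
// Field 6 (options) is where a successful MS_REMOUNT|MS_RDONLY shows up as "ro".
func parseMountInfo(r io.Reader) ([]mountInfoEntry, error) {
	var entries []mountInfoEntry
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		pre, post, ok := strings.Cut(line, " - ") // paths escape spaces, so " - " only separates
		fields := strings.Fields(pre)
		if !ok || len(fields) < 6 || len(strings.Fields(post)) < 3 {
			return nil, fmt.Errorf("malformed mountinfo line: %q", line)
		}
		entries = append(entries, mountInfoEntry{MountPoint: unescape(fields[4]), Options: strings.Split(fields[5], ",")})
	}
	return entries, sc.Err()
}

// isReadOnlyMount reports whether the mount at target carries the per-mount "ro"
// flag. Stacked mounts on one path are listed bottom to top, so the last match wins.
func isReadOnlyMount(entries []mountInfoEntry, target string) (bool, error) {
	target = filepath.Clean(target)
	found, ro := false, false
	for _, e := range entries {
		if filepath.Clean(e.MountPoint) != target {
			continue
		}
		found, ro = true, false
		for _, o := range e.Options {
			ro = ro || o == "ro"
		}
	}
	if !found {
		return false, fmt.Errorf("%s is not a mount point", target)
	}
	return ro, nil
}

// sampleMountInfo is constructed for this example (not captured from a real node): mount 101 is
// a bind whose read-only remount was refused, 103 one where it took effect, 104 has an escaped space.
const sampleMountInfo = `
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
101 25 8:1 /snap/1/fs /home/user/.local/tmp/buildkit-mount998042514 rw,relatime - ext4 /dev/sda1 rw
103 25 8:1 /snap/2/fs /home/user/.local/tmp/buildkit-mount221 ro,relatime - ext4 /dev/sda1 rw
104 25 8:1 /snap/3/fs /tmp/with\040space rw,nosuid,nodev - ext4 /dev/sda1 rw
`

func main() {
	// "go run . /path..." checks the live system; with no arguments the constructed sample is used.
	var src io.Reader = strings.NewReader(sampleMountInfo)
	targets := []string{"/home/user/.local/tmp/buildkit-mount998042514", "/home/user/.local/tmp/buildkit-mount221"}
	if len(os.Args) > 1 {
		f, err := os.Open("/proc/self/mountinfo")
		if err != nil {
			panic(err)
		}
		defer f.Close()
		src, targets = f, os.Args[1:]
	}
	entries, err := parseMountInfo(src)
	if err != nil {
		panic(err)
	}
	for _, t := range targets {
		ro, err := isReadOnlyMount(entries, t) // err != nil or ro == false means the remount did not take effect
		fmt.Printf("%s: read-only=%v err=%v\n", t, ro, err)
	}
}
```

Run with no arguments to see the sample: the first target reports `read-only=false`, which is exactly the state the patched `Mount` would hide behind a nil error. Calling `isReadOnlyMount` on the real /proc/self/mountinfo right after the remount, and returning an error when it reports false, keeps the "ignore the error" workaround honest without depending on a particular LSM or kernel build.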
Any updates on this? |
Using an idea from bottlerocket-os/bottlerocket#1934 I added an emptyDir volume to |
@ei-grad |
Isn't this Line 292 in c9a0f4d
|
Yes, latest GKE with
Yes, and that's the problem - default volumes are mounted with |
Just to clarify - using the |
But
unshare -rm mount
works 🤔