Rootless mode doesn't work on Google Container-Optimized OS kernel (CONFIG_SECURITY_CHROMIUMOS_NO_UNPRIVILEGED_UNSAFE_MOUNTS?) #879
Comments
|
Note: the same step (w/
|
|
wondering this might be related to ChromiumOS LSM, but not sure https://chromium.googlesource.com/chromiumos/third_party/kernel/+/HEAD/security/chromiumos |
|
@AkihiroSuda just to be clear, it does not work without setting securityContext in GKE? |
|
No, even apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: buildkitd
name: buildkitd
spec:
selector:
matchLabels:
app: buildkitd
template:
metadata:
labels:
app: buildkitd
spec:
containers:
- image: moby/buildkit:v0.4.0-rootless@sha256:3877d091e65429f59919ed5591aaeb863b1889a5314bdfdba5ff9c0dfb2f3ed0
args:
- --addr
- tcp://0.0.0.0:1234
name: buildkitd
ports:
- containerPort: 1234
securityContext:
privileged: trueWith rootful image, it works. (tested both |
|
@AkihiroSuda So is this a regression in v0.4 ? |
|
No, even This is rather likely to be a regression in GKE, although I don't have any evidence that |
|
v0.4.0-rootless (both Seems an issue on Google COS. |
AkihiroSuda
changed the title
AkihiroSuda
changed the title
|
strace: buildkit (fails) (containerd/containerd#1373)
likely to be related to |
AkihiroSuda
changed the title
From moby/buildkit#879, it seems like GKE's container-optimized instances introduce trouble for running rootless containers - adding an ubuntu pool to test it out. Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
Continuing with the explorations on how the use of rootless containers might be affected by `gke`'s COS base images (see moby/buildkit#879), now we have a worker runs on top of ubuntu that can be targetted via the `ubuntu` tag. Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
|
I just tried with the COS nodes of |
|
Any updates on this issue? |
|
Needs help from Google |
|
So can anything be done? |
|
Maybe https://github.com/AkihiroSuda/containerd-fuse-overlayfs can be a solution, but blocked due to go mod hell |
|
Can I do anything to help? |
|
Another way is to replace the failing mount flags This needs more investigation and help is appreciated, thanks. |
|
So you want to change the error? (sorry I'm new) |
|
"unshare -rm mount" example doesn't produce any error, and we want to avoid BuildKit error by using the same mount flags |
|
I assumed fuse-overlayfs snapshotter may work, but seems not 😢 $ buildctl --addr=kube-pod://buildkitd build --frontend dockerfile.v0 --local dockerfile=. --local context=.
[+] Building 0.2s (2/2) FINISHED
=> [internal] load build definition from Dockerfile 0.2s
=> => transferring dockerfile: 109B 0.2s
=> [internal] load .dockerignore 0.2s
=> => transferring context: 2B 0.2s
error: failed to solve: rpc error: code = Unknown desc = failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /home/user/.local/tmp/buildkit-mount998042514: [{Type:bind Source:/home/user/.local/share/buildkit/runc-fuse-overlayfs/snapshots/snapshots/1/fs Options:[rbind ro]}]: operation not permitted |
|
Not only the issue in snapshotter $ git diff
diff --git a/vendor/github.com/containerd/containerd/mount/mount_linux.go b/vendor/github.com/containerd/containerd/mount/mount_linux.go
index a7edd455..526640be 100644
--- a/vendor/github.com/containerd/containerd/mount/mount_linux.go
+++ b/vendor/github.com/containerd/containerd/mount/mount_linux.go
@@ -93,7 +93,10 @@ func (m *Mount) Mount(target string) error {
const broflags = unix.MS_BIND | unix.MS_RDONLY
if oflags&broflags == broflags {
// Remount the bind to apply read only.
- return unix.Mount("", target, "", uintptr(oflags|unix.MS_REMOUNT), "")
+ unix.Mount("", target, "", uintptr(oflags|unix.MS_REMOUNT), "")
+ // DO-NOT-MERGE:
+ // ignore err here to avoid hitting https://github.com/moby/buildkit/issues/879#issuecomment-473396544
+ // How can we ensure target to be read-only?
}
return nil
}
$ buildctl --addr=kube-pod://buildkitd build --frontend dockerfile.v0 --local dockerfile=. --local context=
.
[+] Building 6.1s (5/6)
=> [internal] load build definition from Dockerfile 0.2s
=> => transferring dockerfile: 109B 0.2s
=> [internal] load .dockerignore 0.2s
=> => transferring context: 2B 0.1s
=> [internal] load metadata for docker.io/library/alpine:latest 3.3s
=> [1/3] FROM docker.io/library/alpine@sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d 2.1s
=> => resolve docker.io/library/alpine@sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d 0.0s
=> => sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d 1.64kB / 1.64kB 0.0s
=> => sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 528B / 528B 0.0s
=> => sha256:c9b1b535fdd91a9855fb7f82348177e5f019329a58c53c47272962dd60f71fc9 2.80MB / 2.80MB 1.2s
=> => sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a 1.51kB / 1.51kB 0.0s
=> => unpacking docker.io/library/alpine@sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d 0.1s
=> ERROR [2/3] RUN apk add --no-cache figlet 0.1s
------
> [2/3] RUN apk add --no-cache figlet:
#5 0.084 container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.g
o:58: mounting \\\"/home/user/.local/share/buildkit/runc-native/executor/resolv.conf\\\" to rootfs \\\"/home/user/.local/share/b
uildkit/runc-native/executor/c9qbj5rmvwnjixos72ek7k7ko/rootfs\\\" at \\\"/home/user/.local/share/buildkit/runc-native/executor/c
9qbj5rmvwnjixos72ek7k7ko/rootfs/etc/resolv.conf\\\" caused \\\"operation not permitted\\\"\""
------
error: failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c apk add --no-cache figlet]: buildki
t-runc did not terminate successfully |
From moby/buildkit#879, it seems like GKE's container-optimized instances introduce trouble for running rootless containers - adding an ubuntu pool to test it out. Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
|
Any updates on this? |
|
Using an idea from bottlerocket-os/bottlerocket#1934 I added an emptyDir volume to |
|
@ei-grad |
|
Isn't this Line 292 in c9a0f4d |
Yes, latest GKE with
Yes, and that's the problem - default volumes are mounted with |
Just to clarify - using the |
and others
But
unshare -rm mountworks 🤔The text was updated successfully, but these errors were encountered: