No seccomp support #2259

Closed
samcv opened this issue Feb 26, 2020 · 4 comments

@samcv

samcv commented Feb 26, 2020

Component:

What happened:
When attempting to use Kubernetes dashboard, I get the error:

```
feb 26 08:08:21 worker-3 kubelet[1500]: E0226 08:08:21.242021 1500 remote_runtime.go:105] RunPodSandbox from runtime service failed: rpc error: code = Unknown desc = failed to generate seccomp spec opts: seccomp is not supported
```

which shows up in my journal.

What was expected:
For the pod to start.
Steps to reproduce:

```
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml
```

Resolution proposal (optional):
Support seccomp. I am not sure but I think containerd needs to be compiled with seccomp support (just guessing)

@NicolasT
Contributor

Indeed, the containerd package as distributed in EPEL (which is the one we install) is not compiled with seccomp support. Adding this would require us to ship our own build of containerd, which would require quite a bit of work.

Meanwhile, you could remove the seccomp-related annotation from the dashboard Deployment PodSpec and get it to run.
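
To see which objects in a manifest would hit this error on a node whose containerd lacks seccomp support, the following sketch lists every object that requests a seccomp profile through the alpha annotations. It is an added example, not part of the original thread or the project's code; the sample manifest and its names are constructed, and the line-based parsing assumes conventionally indented YAML with `metadata.name` at two-space indent.

```python
import re

# Alpha seccomp annotation keys: pod-wide (".../pod") and per-container.
SECCOMP_KEY = re.compile(
    r"^\s*(?P<key>(?:container\.)?seccomp\.security\.alpha\.kubernetes\.io/[\w.-]+)"
    r"\s*:\s*(?P<val>.+?)\s*$"
)
KIND = re.compile(r"^kind:\s*(\S+)")
NAME = re.compile(r"^  name:\s*(\S+)")  # assumption: metadata.name, two-space indent

# Constructed sample manifest (names are placeholders, not from the thread).
SAMPLE = """\
kind: Service
apiVersion: v1
metadata:
  name: example-svc
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: example-scraper
spec:
  template:
    metadata:
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
"""


def seccomp_users(manifest_text):
    """Return [(kind, name, annotation_key, profile)] for a multi-document manifest."""
    findings = []
    for doc in re.split(r"(?m)^---\s*$", manifest_text):
        kind, name, hits = None, None, []
        for line in doc.splitlines():
            if line.lstrip().startswith("#"):
                continue  # ignore commented-out annotations
            if kind is None and (m := KIND.match(line)):
                kind = m.group(1)
            elif name is None and (m := NAME.match(line)):
                name = m.group(1)
            elif m := SECCOMP_KEY.match(line):
                hits.append((m.group("key"), m.group("val").strip("'\"")))
        # Attach kind/name after the whole document is read, whatever the key order.
        findings += [(kind, name, key, val) for key, val in hits]
    return findings


if __name__ == "__main__":
    for row in seccomp_users(SAMPLE):
        print(*row)
```

Objects reported here are the ones that need either a seccomp-enabled containerd on their node or the annotation workaround described above; removing the annotation means the pod runs without the requested profile.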

@samcv
Author

samcv commented Feb 28, 2020 via email

@NicolasT
Contributor

> Would it be appropriate to get them to include it? Or is there a reason you think it is not included?

I never tried, to be honest. One reason why it's not included could be if the version of libseccomp that ships with RHEL7 is too old.

Anyway, the version of containerd as shipped in EPEL is somewhat old as well, so building our own could make sense. We'll need to look into it: given the age of RHEL7, packaging Go applications is... not trivial.

@NicolasT
Contributor

NicolasT commented Mar 3, 2020

I built a containerd 1.2.13 RPM with seccomp enabled, and after deploying it (manually) to one node in my test-cluster, I can deploy the upstream dashboard manifest (slightly changing the manifest to ensure the dashboard-metrics-server gets scheduled on this one node) and everything seems to work.

I'll spend some time to integrate this in the project.

NicolasT added a commit that referenced this issue Apr 6, 2020
NicolasT added a commit that referenced this issue Apr 6, 2020
@bert-e bert-e closed this as completed in f1df9b5 Apr 8, 2020
gdemonet pushed a commit that referenced this issue Oct 16, 2020