Privileged containers cannot be restarted if host devices changed #13899
Labels: kind/bug; locked - please file new issue/PR
Comments
This is a known issue (#4900). I'm not really sure why we closed that one - it's definitely not fixed.
A friendly reminder that this issue had no activity for 30 days.
I wonder what privileged means here. Toolbx containers are also created with
It's imperfect, but one way to test might be:
dev=/dev/testdev-$(random_string)
mknod $dev c [SOMETHING SOMETHING]
podman run -n foo ... ls -l $dev
rm -f $dev
podman start foo
podman logs foo
...confirm that the last output line is ENOENT
jakecorrenti pushed a commit to jakecorrenti/podman that referenced this issue on Jun 6, 2022:
If a privileged container is running, stops, and the devices on the host change, such as when a USB device is unplugged, then the container would no longer start. Previously, the devices from the host were only being added to the container once: when the container was created. Now, this happens every time the container starts. I did this by adding a boolean to the container config that indicates whether to mount all of the devices or not, which can be set via an option. During spec generation, if the `MountAllDevices` option is set in the container config, all host devices are added to the container. Additionally, a couple of functions from `pkg/specgen/generate/config_linux.go` were moved into `pkg/util/utils_linux.go` as they were needed in multiple packages. Closes containers#13899 Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
github-actions bot added the "locked - please file new issue/PR" label on Sep 20, 2023.
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
If you create a privileged container, stop it, then change the set of devices attached to the machine (e.g. reboot and unplug a USB device), the container will fail to start with:
(the device file will change, and there can be many such devices)
This is particularly annoying because it affects k8s clusters created with kind on a laptop: the container is privileged, it needs to be restarted, not recreated (otherwise all k8s configs are gone), devices obviously change often, and the machine is rebooted often.
Steps to reproduce the issue:
Describe the results you received:
Container fails to start.
Describe the results you expected:
Container starts normally.
Additional information you deem important (e.g. issue happens only occasionally):
I found this code:
podman/pkg/specgen/generate/config_linux.go
Line 25 in 54f808e
It seems podman will walk through all devices visible to the current user, and add them to the OCI spec. The OCI spec is only created when the container is created, not when the container is started. This clearly breaks because the set of visible devices changes.
I see three solutions to this:
a. podman should recreate the OCI spec from its own container config when starting a container
b. podman should have a flag to not mount all devices in privileged containers, and kind should use that flag (or ideally it would be a flag in containers.conf so it can be set globally without changes to kind)
c. some flag should be set in the OCI spec so missing devices do not fail starting the container
Output of podman version:
Output of podman info --debug:
Package info (e.g. output of rpm -q podman or apt list podman):
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
Yes
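The failure described above comes from the OCI spec's linux.devices list being generated once at create time and then going stale. The following added example (not podman's own code) is a small pre-start check that parses such a config.json and reports which device paths no longer exist on the host; the minimal ociSpec struct, the hostRoot parameter and the sample spec are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// ociSpec models only the part of an OCI runtime config.json relevant here:
// the linux.devices list that podman fills in for a privileged container.
type ociSpec struct {
	Linux struct {
		Devices []struct {
			Path string `json:"path"`
			Type string `json:"type"`
		} `json:"devices"`
	} `json:"linux"`
}

// MissingDevices parses an OCI config.json and returns every device path in
// linux.devices that no longer exists under hostRoot ("/" on a real host).
// A non-empty result is exactly what makes `podman start` fail when the spec
// was generated at create time and the host's device set has since changed.
func MissingDevices(configJSON []byte, hostRoot string) ([]string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, fmt.Errorf("parsing OCI spec: %w", err)
	}
	var missing []string
	for _, dev := range spec.Linux.Devices {
		// Join the spec's absolute path onto hostRoot so the same check runs
		// against a scratch directory in tests and against "/" on a host.
		if _, err := os.Stat(filepath.Join(hostRoot, dev.Path)); os.IsNotExist(err) {
			missing = append(missing, dev.Path)
		}
	}
	return missing, nil
}

func main() {
	// Constructed sample (not from the issue): two devices in the spec, one of
	// which we pretend was unplugged after the container was created.
	root, _ := os.MkdirTemp("", "hostroot")
	defer os.RemoveAll(root)
	_ = os.MkdirAll(filepath.Join(root, "dev"), 0o755)
	_ = os.WriteFile(filepath.Join(root, "dev", "null"), nil, 0o644)
	spec := []byte(`{"linux":{"devices":[{"path":"/dev/null","type":"c"},{"path":"/dev/ttyUSB0","type":"c"}]}}`)
	missing, err := MissingDevices(spec, root)
	fmt.Println(missing, err) // [/dev/ttyUSB0] <nil>
}
```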