No runtime for contrast-cc-k3s-qemu-tdx is configured #1264
Comments
|
Hi @SelvamArul, Thanks for writing this bug report. What you're describing sounds like a problem in the nodeinstaller - if it encounters an issue, it can't update the containerd config and containerd won't see the new runtimeclass. Can you check whether the nodeinstaller is healthy? kubectl get pods -n kube-system -l app.kubernetes.io/name=contrast-cc-k3s-qemu-tdx-69c6b92c-nodeinstallerThen see if the containerd config contains the runtimeclass: kubectl debug node/cocoubuntu -it --image busybox -- cat /host/var/lib/rancher/k3s/agent/etc/containerd/config.toml |
grep -C5 contrast-cc-k3s-qemu-tdx-69c6b92c |
|
@burgerdev Thanks a lot for the reponse. Also, containerd config contains the runtime class: |
|
Ok, that's odd. You could check whether that config is loaded correctly with k3s crictl info | jq '.config.containerd.runtimes["contrast-cc-k3s-qemu-snp-69c6b92c"]'For completeness, which version of k3s are you using? Is k3s a systemd unit on your machine? |
|
Something strange with my k3s set up. I installed k3s using $ systemctl status k3s.service
● k3s.service - Lightweight Kubernetes
Loaded: loaded (/etc/systemd/system/k3s.service; enabled; preset: enabled)
Active: active (running) since Thu 2025-03-06 11:03:24 UTC; 2min 31s ago
Docs: https://k3s.io
Process: 80343 ExecStartPre=/bin/sh -xc ! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service 2>/dev/null (code=exited, status=0/SUCCESS)
Process: 80345 ExecStartPre=/sbin/modprobe br_netfilter (code=exited, status=0/SUCCESS)
Process: 80347 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
Main PID: 80350 (k3s-server)
Tasks: 518
Memory: 5.7G (peak: 5.8G)
CPU: 1min 12.965s
CGroup: /system.slice/k3s.service
├─ 3932 /var/lib/rancher/k3s/data/4532effb54c1f987f51a6b860588c2ae555bf73c3d00e4e28952188cd293484f/bin/containerd-shim-runc-v2 -namespace k8s.io -id 493ffdc0b62af5a8362ff75034351cfa14d1ac5a31c3ea5047d>
.....
.....
.....
"CreatePodSandbox for pod failed" err="rpc error: code = Unknown desc = unable to get OCI runtime for sandbox \"72a>
Mar 06 11:05:43 cocoubuntu k3s[80350]: E0306 11:05:43.812647 80350 pod_workers.go:1301] "Error syncing pod, skipping" err="failed to \"CreatePodSandbox\" for \"coordinator-0_default(781203cd-47d9-4404-adad-1d2ad>I am non-root user (although part of $ k3s crictl info
WARN[0000] Failed to stat /var/lib/rancher/k3s/agent/etc/crictl.yaml: permission denied
FATA[0000] load config file: stat /var/lib/rancher/k3s/data/4532effb54c1f987f51a6b860588c2ae555bf73c3d00e4e28952188cd293484f/bin/crictl.yaml: no such file or directoryThis lack of permission is confusing me. |
|
I think that's expected - the directory containing the crictl yaml is not world readable: $ ls -ld /var/lib/rancher/k3s/agent
drwx------ 5 root root 4096 Feb 6 14:11 /var/lib/rancher/k3s/agentIf the crictl --runtime-endpoint unix:///run/k3s/containerd/containerd.sock info |
|
Apparently, my user does not have permission to access $ crictl --runtime-endpoint unix:///run/k3s/containerd/containerd.sock info
FATA[0000] validate service connection: validate CRI v1 runtime API for endpoint "unix:///run/k3s/containerd/containerd.sock": rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial unix /run/k3s/containerd/containerd.sock: connect: permission denied" |
|
So, since you have sudo powers, could you just |
|
Sure, he is the output for |
|
The runtime class is not configured for this containerd, it seems. I don't quite understand how this is possible, given that it's clearly in the containerd Now that I wrote that, could you please verify that the runtimeclass is also present in |
|
In the k3s logs generated after the last reboot And, |
|
Ok, I may have found the issue. From last week's k3s release notes:
Let me try to verify this and fix our nodeinstaller. In the meantime, you could install an older k3s version as workaround: export INSTALL_K3S_VERSION=v1.30.5+k3s1
# export INSTALL_K3S_VERSION=v1.31.5+k3s1 should also work
curl -sfL https://get.k3s.io | sh - |
I am installing contrast on a bare metal machine with Intel TDX. After deploying the contrast runtime using
kubectl apply -f https://github.com/edgelesssys/contrast/releases/download/v1.5.1/runtime-k3s-qemu-tdx.ymland the contrast coordinatorhttps://github.com/edgelesssys/contrast/releases/download/v1.5.1/coordinator-k3s-qemu-tdx.yml, coordinator pod get stuck in theContainerCreatingstatus:Following lines in
kubectl describe pods coordinator-0seems suspicious:Warning FailedCreatePodSandBox 8s kubelet (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = unable to get OCI runtime for sandbox "0c843a14d1958808e834c664fa4bc5e050570a618bc2760f83360c06d0ee602e": no runtime for "contrast-cc-k3s-qemu-tdx-69c6b92c" is configuredHere is the full output:
contrast-coordinator-describe.log
TDX seems to be installed correctly:
How can I debug this issue?
The text was updated successfully, but these errors were encountered: