This repository has been archived by the owner on May 12, 2021. It is now read-only.

Agent fails with capability and mount errors #159

Closed
jodh-intel opened this issue Mar 2, 2018 · 9 comments
@jodh-intel
Contributor

$ sudo docker run -ti --runtime kata-runtime busybox sh            
docker: Error response from daemon: OCI runtime create failed: rpc error: code = Internal desc = Could not resolve symlink for source                                                          
"sh*APATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin*HOSTNAME=ac0fb89e4cce*  
TERM=xterm2/:�                                 
        CAP_CHOWN                              
CAP_DAC_OVERRIDE                               

CAP_FSETID                                     

CAP_FOWNER                                     
        CAP_MKNOD                              

CAP_NET_RAW                                    

CAP_SETGID                                     

CAP_SETUID                                     

CAP_SETFCAP                                    

CAP_SETPCAP                                    
CAP_NET_BIND_SERVICE                           
CAP_SYS_CHROOT                                 
CAP_KILL                                       
CAP_AUDIT_WRITE CAP_CHOWNCAP_DAC_OVERRIDE      
CAP_FSETID                                     
CAP_FOWNER      CAP_MKNOD                      
                         CAP_NET_RAW           
CAP_SETGID                                     
CAP_SETUID                                     
          CAP_SETFCAP                          
                     CAP_SETPCAPCAP_NET_BIND_SERVICECAP_SYS_CHROOCAP_KILLCAP_AUDIT_WRITE        CAP_CHOWNCAP_DAC_OVERRIDE                                                                      
CAP_FSETID                                     
CAP_FOWNER      CAP_MKNOD                      
                         CAP_NET_RAW           
CAP_SETGID                                     
CAP_SETUID                                     
          CAP_SETFCAP                          
                     CAP_SETPCAPCAP_NET_BIND_SERVICECAP_SYS_CHROOCAP_KILLCAP_AUDIT_WRITE"       CAP_CHOWN"CAP_DAC_OVERRIDE"                                                                    
CAP_FSETID"                                    
CAP_FOWNER"     CAP_MKNOD"                     
                          CAP_NET_RAW"         
CAP_SETGID"                                    
CAP_SETUID"                                    
           CAP_SETFCAP"                        
                       CAP_SETPCAP"CAP_NET_BIND_SERVICE"CAP_SYS_CHROOTCAP_KILL"CAP_AUDIT_WRITERdocker-default: unknown. 
$ ls -l /usr/share/kata-containers/kata-containers.img             
lrwxrwxrwx 1 root root 58 Mar  2 13:48 /usr/share/kata-containers/kata-containers.img -> kata-containers-2018-03-02-13:46:48.634266943+0000-ec738d4 

It looks like #133 is the culprit.

@jodh-intel jodh-intel added the high-priority Very urgent issue (resolve quickly) label Mar 2, 2018
@jodh-intel
Contributor Author

Hi @sboeuf - could you take a look please?

@sboeuf

sboeuf commented Mar 2, 2018

@jodh-intel I think you need your runtime to integrate the latest virtcontainers PR containers/virtcontainers#626. Also, please modify your configuration.toml so that you define virtio-blk instead of virtio-scsi as the driver to handle your block devices.
I will raise a PR to revendor virtcontainers into the runtime.

@jodh-intel
Contributor Author

Hi @sboeuf - thanks for the info. This is breaking the kata CI fwiw.

/cc @chavafg.

@jodh-intel
Contributor Author

Related: clearcontainers/runtime#1044.

@egernst
Member

egernst commented Mar 7, 2018

@jodh-intel - I think with the latest round of re-vendoring we should no longer see this issue. Can you confirm?

@egernst egernst added the backlog label Mar 7, 2018
@jodh-intel
Contributor Author

Yep - we've just seen...

"OCI runtime create failed: rpc error: code = Internal desc = Could not resolve symlink for source 9p: unknown."

This was caused by an agent gRPC protocol change that modified the ordering of the gRPC Storage message members. The problem being that the runtime (virtcontainers) version of the gRPC protocol didn't match the agent's (master) version. Specifically, the error was caused by the agent attempting to mount a 9p FS with a blank mountpoint - in fact due to the change in ordering, the mountpoint was in the mount options.

I've raised #171 to give us a little more of a hint if we hit this again.
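
Added example, not part of the original thread and not the project's code: a hand-rolled protobuf wire encoding (standing in for the generated gRPC code) that shows how a sender and receiver with different field numbers for the same message decode without any error, leaving the mount point blank and its value in the options. The field numbers, the `base` parameter and the sample values are hypothetical, chosen to reproduce the symptom described above.

```go
package main

import "fmt"

type Storage struct {
	Source, Fstype, MountPoint string
	Options                    []string
}

// field appends one length-delimited protobuf field (values under 128 bytes).
func field(b []byte, num int, v string) []byte {
	return append(append(b, byte(num<<3|2), byte(len(v))), v...)
}

// encode uses hypothetical numbers: source=base, fstype=base+1, options=base+2, mount_point=base+3.
func encode(s Storage, base int) []byte {
	b := field(field(nil, base, s.Source), base+1, s.Fstype)
	for _, o := range s.Options {
		b = field(b, base+2, o)
	}
	return field(b, base+3, s.MountPoint)
}

// decode skips unknown field numbers as protobuf does, then rejects a blank mount point.
func decode(b []byte, base int) (s Storage, err error) {
	for len(b) >= 2 && len(b) >= 2+int(b[1]) {
		num, v := int(b[0]>>3), string(b[2:2+int(b[1])])
		b = b[2+len(v):]
		switch num - base {
		case 0:
			s.Source = v
		case 1:
			s.Fstype = v
		case 2:
			s.Options = append(s.Options, v)
		case 3:
			s.MountPoint = v
		}
	}
	if s.MountPoint == "" {
		err = fmt.Errorf("storage source=%q fstype=%q options=%q: empty mount point, check runtime/agent protocol versions", s.Source, s.Fstype, s.Options)
	}
	return s, err
}

func main() {
	sent := Storage{"shared", "9p", "/run/shared", []string{"trans=virtio"}} // constructed sample
	fmt.Println(decode(encode(sent, 1), 1))                                  // same numbering on both sides
	fmt.Println(decode(encode(sent, 1), 2))                                  // receiver's numbers shifted by one
}
```

Because every field here is a length-delimited string, the skewed decode succeeds at the wire level; only a semantic check on the decoded message surfaces the version mismatch.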

@devimc

devimc commented May 8, 2019

@jodh-intel I think this issue was fixed, wasn't it?

@jodh-intel
Contributor Author

Yep - closing...
