Comments (7)
Rootfs mount propagation option (as specified in OCI spec in spec.Linux.RootfsPropagation) should not be shared. As the error mentions, this option should specify private or slave (if specified at all). Shared propagation would break the sandbox's isolation, as documented here.
Related: opencontainers/runc#1755
In other words, this is working as intended. Do you require the rootfs to have shared propagation? If not, please remove the RootfsPropagation option from the container spec and it should work.
@ayushr2 I was testing if the docker plugin can be enabled with gVisor, I think docker allows RootfsPropagation (especially with capabilities with SYS_ADMIN) for plugins and they are incompatible with gVisor sandbox. Thanks for the info.
Could you tell which plugin you are trying to use?
I was testing if the docker plugin can be enabled with gVisor
Is there a "docker" Docker plugin that you are trying to use? Or are you testing if docker plugins in general work or not?
I tried using a sample plugin from Docker documentation. It seemed to work fine with gVisor:
$ docker plugin install tiborvass/sample-volume-plugin
latest: Pulling from tiborvass/sample-volume-plugin
Digest: sha256:00b42de88f3a3e0342e7b35fa62394b0a9ceb54d37f4c50be5d3167899994639
eb9c16fbdc53: Complete
Installed plugin tiborvass/sample-volume-plugin
$ docker plugin ls
ID NAME DESCRIPTION ENABLED
089be7bfac20 tiborvass/sample-volume-plugin:latest A sample volume plugin for Docker true
$ docker volume create -d tiborvass/sample-volume-plugin samplevol
samplevol
$ docker run --runtime=runsc --rm -v samplevol:/tmp ubuntu echo hello
hello
I am trying to install a CSI-compatible plugin ollijanatuinen/swarm-csi-nfs:v4.1.0 or just vieux/sshfs.
Plugin "ollijanatuinen/swarm-csi-nfs:v4.1.0" is requesting the following privileges:
- network: [host]
- mount: [/etc/hostname]
- capabilities: [CAP_SYS_ADMIN]
Do you grant the above permissions? [y/N] y
v4.1.0: Pulling from ollijanatuinen/swarm-csi-nfs
Digest: sha256:0ea452bf0c8e6b9280c79e23ea39274898d6eac86b93451cdc707d7674a304b9
0d607dafa59e: Complete
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: reading spec: root mount propagation option must specify private or slave: "rshared": unknown
It works if I use runc, but if it's runsc it will be downloaded but not enabled. In my daemon.json I set default-runtime to runsc.
In my daemon.json I set default-runtime to runsc
I see, that is a very relevant detail. I can now reproduce this too. So when using runsc as your default runtime, installing any docker plugin fails with the above error. The plugin is downloaded alright, but to enable it, Docker spawns a container with spec.Linux.RootfsPropagation = rshared, which fails with gVisor.
The sandbox's mount table is maintained in sentry memory. Mount operations in the container are not propagated to the host. So even if we allow this mount option (i.e. MS_SHARED|MS_REC), the mount operations from the container will not appear on the host, as the application might expect. (For example, volume plugins won't work as expected.) So it will lead to wrong behavior. Hence we disallow this option.
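As an added example (not code from the thread or from gVisor itself), the following script lints an OCI config.json for the root mount propagation rule discussed above and applies the workaround from the earlier comment, dropping the option when shared propagation is not actually needed. The accepted set of values (unset, private/rprivate, slave/rslave) is an assumption modelled on the error text quoted in the thread, and the config fragment is constructed for illustration.

```python
import json
from typing import Optional

# Root propagation values assumed to satisfy "must specify private or slave".
# This set is an assumption modelled on the runsc error text, not taken from
# gVisor's source; "shared"/"rshared" are the values the thread shows failing.
ALLOWED_ROOT_PROPAGATION = {"", "private", "rprivate", "slave", "rslave"}


def check_rootfs_propagation(spec: dict) -> Optional[str]:
    """Return None if linux.rootfsPropagation is acceptable, otherwise an
    error string in the same shape as the runsc message quoted above."""
    opt = spec.get("linux", {}).get("rootfsPropagation", "")
    if opt in ALLOWED_ROOT_PROPAGATION:
        return None
    return f'root mount propagation option must specify private or slave: "{opt}"'


def drop_rootfs_propagation(spec: dict) -> dict:
    """Return a deep copy of the spec with linux.rootfsPropagation removed,
    the workaround suggested in the thread when shared propagation is not
    required. The input spec is left untouched."""
    fixed = json.loads(json.dumps(spec))
    fixed.get("linux", {}).pop("rootfsPropagation", None)
    return fixed


# Constructed config.json fragment resembling what Docker generates when
# enabling a plugin under runsc; only the fields relevant here are included.
PLUGIN_SPEC = json.loads("""
{
  "ociVersion": "1.0.2",
  "root": {"path": "rootfs", "readonly": false},
  "linux": {"rootfsPropagation": "rshared"}
}
""")


if __name__ == "__main__":
    # Expected: the original spec is rejected, the stripped copy is accepted.
    print("original:", check_rootfs_propagation(PLUGIN_SPEC) or "ok")
    fixed_spec = drop_rootfs_propagation(PLUGIN_SPEC)
    print("fixed:   ", check_rootfs_propagation(fixed_spec) or "ok")
```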