Comments (7)
Rootfs mount propagation option (as specified in OCI spec in spec.Linux.RootfsPropagation) should not be shared. As the error mentions, this option should specify private or slave (if specified at all). Shared propagation would break the sandbox's isolation, as documented here.
Related: opencontainers/runc#1755
In other words, this is working as intended. Do you require the rootfs to have shared propagation? If not, please remove the RootfsPropagation option from the container spec and it should work.
@ayushr2 I was testing if the docker plugin can be enabled with gVisor. I think docker allows RootfsPropagation (especially with capabilities with SYS_ADMIN) for plugins, and they are incompatible with gVisor sandbox. Thanks for the info.
Could you tell which plugin you are trying to use?
> I was testing if the docker plugin can be enabled with gVisor
Is there a "docker" Docker plugin that you are trying to use? Or are you testing if docker plugins in general work or not?
I tried using a sample plugin from Docker documentation. It seemed to work fine with gVisor:
$ docker plugin install tiborvass/sample-volume-plugin
latest: Pulling from tiborvass/sample-volume-plugin
Digest: sha256:00b42de88f3a3e0342e7b35fa62394b0a9ceb54d37f4c50be5d3167899994639
eb9c16fbdc53: Complete
Installed plugin tiborvass/sample-volume-plugin
$ docker plugin ls
ID NAME DESCRIPTION ENABLED
089be7bfac20 tiborvass/sample-volume-plugin:latest A sample volume plugin for Docker true
$ docker volume create -d tiborvass/sample-volume-plugin samplevol
samplevol
$ docker run --runtime=runsc --rm -v samplevol:/tmp ubuntu echo hello
hello
I am trying to install a CSI-compatible plugin ollijanatuinen/swarm-csi-nfs:v4.1.0 or just vieux/sshfs.
Plugin "ollijanatuinen/swarm-csi-nfs:v4.1.0" is requesting the following privileges:
- network: [host]
- mount: [/etc/hostname]
- capabilities: [CAP_SYS_ADMIN]
Do you grant the above permissions? [y/N] y
v4.1.0: Pulling from ollijanatuinen/swarm-csi-nfs
Digest: sha256:0ea452bf0c8e6b9280c79e23ea39274898d6eac86b93451cdc707d7674a304b9
0d607dafa59e: Complete
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: reading spec: root mount propagation option must specify private or slave: "rshared": unknown
It works if I use runc, but if it's runsc it will be downloaded but not enabled. In my daemon.json I set default-runtime to runsc.
> In my daemon.json I set default-runtime to runsc
I see, that is a very relevant detail. I can now reproduce this too. So when using runsc as your default runtime, installing any docker plugin fails with the above error. The plugin is downloaded alright, but to enable it, Docker spawns a container with spec.Linux.RootfsPropagation = rshared, which fails with gVisor.
The sandbox's mount table is maintained in sentry memory. Mount operations in the container are not propagated to the host. So even if we allow this mount option (i.e. MS_SHARED|MS_REC), the mount operations from the container will not appear on the host, as the application might expect. (For example, volume plugins won't work as expected.) So it will lead to wrong behavior. Hence we disallow this option.
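A small check, added here by the editor and not code from gVisor or Docker, that a practitioner can run over a bundle's config.json to see whether runsc would reject it for the reason discussed above, and that produces the spec the first comment suggests (RootfsPropagation removed). The accepted values are assumed from the error message (private/slave plus their recursive forms), and the sample spec is constructed.

```python
"""Check an OCI runtime spec (config.json) for the rootfsPropagation value
that runsc rejects, and derive a spec with the field removed.
Editor-added example, not code from gVisor or Docker."""
import copy
import json
from typing import Optional

# Values treated as accepted. "private" and "slave" come from the runsc error
# message quoted in the thread; the recursive "r" forms are an assumption here.
ACCEPTED = {"private", "rprivate", "slave", "rslave"}


def check_rootfs_propagation(spec: dict) -> Optional[str]:
    """Return None if the spec passes, otherwise the runsc-style error text."""
    prop = (spec.get("linux") or {}).get("rootfsPropagation", "")
    if prop == "" or prop in ACCEPTED:
        return None
    return f'root mount propagation option must specify private or slave: "{prop}"'


def strip_rootfs_propagation(spec: dict) -> dict:
    """Return a deep copy with linux.rootfsPropagation dropped, which is the
    remediation suggested earlier in the thread (only appropriate when the
    workload does not actually rely on shared propagation)."""
    fixed = copy.deepcopy(spec)
    fixed.get("linux", {}).pop("rootfsPropagation", None)
    return fixed


def audit_bundle(path: str) -> Optional[str]:
    """Load a config.json from disk and run the check on it."""
    with open(path, encoding="utf-8") as fh:
        return check_rootfs_propagation(json.load(fh))


# Constructed sample in the shape Docker uses when it enables a plugin with
# rshared rootfs propagation; not captured from a real daemon.
PLUGIN_SPEC = json.loads("""{
  "ociVersion": "1.0.2",
  "process": {"args": ["/usr/bin/plugin"]},
  "root": {"path": "rootfs"},
  "linux": {"rootfsPropagation": "rshared",
            "namespaces": [{"type": "mount"}, {"type": "pid"}]}
}""")

if __name__ == "__main__":
    print("as generated:", check_rootfs_propagation(PLUGIN_SPEC))
    print("field removed:", check_rootfs_propagation(strip_rootfs_propagation(PLUGIN_SPEC)))
```

Run audit_bundle on the bundle Docker created for the plugin to confirm the rejection before changing anything; the original spec object is left untouched by strip_rootfs_propagation.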