coder / envbox

envbox is an image that enables creating non-privileged containers capable of running system-level software (e.g. dockerd, systemd, etc) in Kubernetes.

add configuration option to disable idmapped mounts

johnstcn opened this issue · comments

Problem: when you attempt to run envbox on a PV backed by XFS, you may run into this issue:

run: get image metadata: start container: Error response from daemon: failed to create shim task: OCI runtime create failed: container_linux.go:425: starting container process caused: process_linux.go:607: container init caused: process_linux.go:578: handleReqOp caused: rootfs_init_linux.go:322: ID-map mount on usr/lib/modules/5.14.0-162.23.1.el9_1.x86_64 caused: rootfs_init_linux.go:316: setting up ID-mapped mount on path /var/lib/docker/100000.100000/overlay2/8859ed84c3e61880d499a5c896f400b2ac557ac8b0c850c35c05979dc1b4ac90/merged/usr/lib/modules/5.14.0-162.23.1.el9_1.x86_64 (likely means idmapped mounts are not supported on the filesystem at this path (xfs)) caused: Failed to set mount attr: operation not permitted: unknown

In the above case, it was on a RockyLinux 9.1 host (kernel 5.14) running k3s (v1.26), with systemd.unified_cgroup_hierarchy=1.

I think we should be able to get around this by adding a configuration option to set the --disable-idmapped-mount argument of sysbox-mgr. This would probably mean that the host would need to have shiftfs or similar available instead, though.
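As an added illustration of the proposal above (this is not envbox's or sysbox's own code), the sketch below shows what a wrapper around sysbox-mgr could do: report the filesystem type behind the data directory, so an operator can see whether the XFS situation from the error message applies, and append `--disable-idmapped-mount` to the sysbox-mgr argument list when an environment variable asks for it. The variable name `ENVBOX_DISABLE_IDMAPPED_MOUNT`, the default path `/var/lib/docker` and the use of GNU `stat -f -c %T` are assumptions made for this example only.

```shell
#!/bin/sh
# Added example, not envbox/sysbox code. Builds the sysbox-mgr argument list
# from an assumed environment variable and reports the filesystem type behind
# a data directory, so the "ID-mapped mount ... (xfs)" failure from the issue
# can be anticipated before the container is started.

# Print the filesystem type name of a path (GNU stat), or "unknown" when the
# path is missing or stat is not available.
fs_type_of() {
    path="$1"
    if [ -e "$path" ] && command -v stat >/dev/null 2>&1; then
        stat -f -c %T "$path" 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Build the extra sysbox-mgr arguments. Honours the assumed variable
# ENVBOX_DISABLE_IDMAPPED_MOUNT (1/true/yes). When set, the flag named in
# the issue is emitted; as the issue notes, the host then needs shiftfs or a
# similar mechanism in place of idmapped mounts.
sysbox_mgr_args() {
    case "${ENVBOX_DISABLE_IDMAPPED_MOUNT:-}" in
        1|true|TRUE|yes|YES) echo "--disable-idmapped-mount" ;;
        *) echo "" ;;
    esac
}

# One-line diagnosis for the data root: the reported failure occurred on an
# XFS-backed volume, so that case is called out explicitly.
diagnose_data_root() {
    root="${1:-/var/lib/docker}"   # assumed default; pass the real data root
    fstype="$(fs_type_of "$root")"
    case "$fstype" in
        xfs)     echo "$root is on xfs: idmapped mounts failed there in the reported setup; consider ENVBOX_DISABLE_IDMAPPED_MOUNT=1" ;;
        unknown) echo "$root: filesystem type could not be determined" ;;
        *)       echo "$root is on $fstype" ;;
    esac
}

main() {
    diagnose_data_root "${1:-/var/lib/docker}"
    echo "sysbox-mgr $(sysbox_mgr_args)"
}

main "$@"
```

Run it as `ENVBOX_DISABLE_IDMAPPED_MOUNT=1 sh check.sh /var/lib/docker` to see both the filesystem diagnosis and the resulting sysbox-mgr command line; without the variable the argument list stays empty and sysbox-mgr keeps its default idmapped-mount behaviour.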