kubernetes-sigs / cri-tools

CLI and validation tools for Kubelet Container Runtime Interface (CRI).

symlink Permission denied occurs when pull using the Crictl command

byeong0 opened this issue

What happened:

When using docker pull, the image is pulled normally, but when using crictl to pull the image, the following symlink permission denied error occurs.

$ sudo crictl pull docker.io/calico/node:v3.25.1
DEBU[0000] get image connection
DEBU[0000] PullImageRequest: &PullImageRequest{Image:&ImageSpec{Image:docker.io/calico/node:v3.25.1,Annotations:map[string]string{},},Auth:nil,SandboxConfig:nil,}
E0917 23:55:07.345848   21476 remote_image.go:171] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"docker.io/calico/node:v3.25.1\": failed to extract layer sha256:b1d7f02a32791d579abb161bccbf82ba1deaa7fb57805c93e84ddd30f0cb9560: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount3830924437: symlink /usr/lib/systemd/system/reboot.target /var/lib/containerd/tmpmounts/containerd-mount3830924437/etc/systemd/system/ctrl-alt-del.target: permission denied: unknown" image="docker.io/calico/node:v3.25.1"
FATA[0001] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/calico/node:v3.25.1": failed to extract layer sha256:b1d7f02a32791d579abb161bccbf82ba1deaa7fb57805c93e84ddd30f0cb9560: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount3830924437: symlink /usr/lib/systemd/system/reboot.target /var/lib/containerd/tmpmounts/containerd-mount3830924437/etc/systemd/system/ctrl-alt-del.target: permission denied: unknown

What you expected to happen:

The docker image should pull normally.

How to reproduce it (as minimally and precisely as possible):

$ sudo crictl pull docker.io/calico/node:v3.25.1

Anything else we need to know?:

Environment:

  • Container runtime or hardware configuration:

  • OS (e.g: cat /etc/os-release):
    NAME="CentOS Linux"
    VERSION="7 (Core)"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
    PRETTY_NAME="CentOS Linux 7 (Core)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:centos:centos:7"
    HOME_URL="https://www.centos.org/"
    BUG_REPORT_URL="https://bugs.centos.org/"
    CENTOS_MANTISBT_PROJECT="CentOS-7"
    CENTOS_MANTISBT_PROJECT_VERSION="7"
    REDHAT_SUPPORT_PRODUCT="centos"
    REDHAT_SUPPORT_PRODUCT_VERSION="7"

  • Kernel (e.g. uname -a):
    Linux 3.10.0-1160.59.1.el7.x86_64 #1 SMP Wed Feb 23 16:47:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

  • Others:

    • Docker version 24.0.6, build ed223bc
    • containerd containerd.io 1.6.22 8165feabfdfe38c65b599c4993d227328c231fca
    • crictl version v1.26.0
    • kubernetes-cni 1.2.0-0
    • kubeadm 1.28.2-0
    • kubectl 1.28.2-0
    • kubelet 1.28.2-0

Hey @byeong0, thank you for the report! This looks like an issue with containerd rather than cri-tools.

I checked on Containerd 1.6.18 and sudo crictl pull docker.io/calico/node:v3.25.1 worked. Can you check with ctr with verbose logging? Is there an issue with any other images?

/close

To continue on this, please open the bug in the containerd repository or ask on the containerd Slack for support.

@SergeyKanzhelev: Closing this issue.

Thanks for the answer.
I don't think it's a crictl issue.
I have the same problem using the nerdctl tool.
I'm contacting containerd.