Pods with user namespaces don't start #114011
Comments
@gnufied: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/sig node
To sync this issue with the slack thread: https://kubernetes.slack.com/archives/C0BP8PW9G/p1668803413275189, posting what we discussed there: this seems CRIO specific, so I'd let @giuseppe handle it. It seems the fix was merged but not released in CRIO yet.
Is there a distro/environment where this feature works out of the box after enabling the alpha feature gate? If not - how are we going to e2e this thing?
@gnufied I guess CRIO will work out of the box, there is just a bug fix pending. For containerd, we expect to merge the patches for the upcoming 1.7 release at the end of this year. For e2e tests, we have already written some of them (merged them in kubernetes too), but as with any change that requires changes in the container runtime and the kubelet, we will be careful and make sure we feel comfortable with what is tested on CI when migrating the feature.
What is the CRIO bug you are referring to? Can we get a link? I was evaluating this from the call we had in the sig-storage meeting. I will keep this issue open and keep an eye on it, so that we can test the various points of integration.
Let's unify the conversation here or in slack (I say let's do it on slack), but having it duplicated creates these issues :) @gnufied this issue @giuseppe mentioned you on slack: https://kubernetes.slack.com/archives/C0BP8PW9G/p1668803514789069?thread_ts=1668803413.275189&cid=C0BP8PW9G
This is the issue, which is already fixed in containers/storage and only needs to be vendored in CRI-O: containers/storage#1308
/close
Following the conversation, it looks like the issue is not in kubernetes. So closing this bug here, please file a bug with CRI-O.
@SergeyKanzhelev: Closing this issue. In response to this:
What happened?
I tried to create a simple pod with user namespace feature on Fedora 36 and running crio-1.25 from testing repos and got:
I could confirm that dropping hostUsers: false enabled the pod to start correctly...
What did you expect to happen?
Following Pod should have started:
How can we reproduce it (as minimally and precisely as possible)?
Create above pod in a k8s cluster
Anything else we need to know?
Log from kubelet:
Kubernetes version
latest master
Cloud provider
None
OS version
Fedora 36
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)