cri-o / cri-o

Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
https://cri-o.io
Apache License 2.0

OCI image annotations are not propagated to OCI runtime (crun) #6906

Closed jwhb closed 1 year ago

jwhb commented 1 year ago

What happened?

cri-o is configured to use crun with +WASM:wasmedge.

When a Kubernetes Pod with an OCI image containing a .wasm file and the module.wasm.image/variant=compat-smart annotation is scheduled, cri-o does not propagate the image annotation to crun.

crun then fails to switch to wasmedge, leading to:

```console
$ oc logs wasm-test
exec container process `/hello-rust.wasm`: Exec format error
```

config.json of container:

```json
{ "ociVersion": "1.0.2-dev", "process": { "user": { "uid": 0, "gid": 0 }, "args": [ "/usr/bin/pod" ], "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm" ], "cwd": "/", "capabilities": { "bounding": [ "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE", "CAP_KILL" ], "effective": [ "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE", "CAP_KILL" ], "permitted": [ "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE", "CAP_KILL" ] }, "oomScoreAdj": -998, "selinuxLabel": "system_u:system_r:container_t:s0:c411,c853" }, "root": { "path": "/var/lib/containers/storage/overlay/2e1632ee90f2c3959b7bb422dfb40395292fe7fcc93f63344e38cff8d254a349/merged", "readonly": true }, "hostname": "wasm-test", "mounts": [ { "destination": "/proc", "type": "proc", "source": "proc", "options": [ "nosuid", "noexec", "nodev" ] }, { "destination": "/dev", "type": "tmpfs", "source": "tmpfs", "options": [ "nosuid", "noexec", "strictatime", "mode=755", "size=65536k" ] }, { "destination": "/dev/pts", "type": "devpts", "source": "devpts", "options": [ "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5" ] }, { "destination": "/dev/mqueue", "type": "mqueue", "source": "mqueue", "options": [ "nosuid", "noexec", "nodev" ] }, { "destination": "/sys", "type": "sysfs", "source": "sysfs", "options": [ "nosuid", "noexec", "nodev", "ro" ] }, { "destination": "/etc/resolv.conf", "type": "bind", "source": "/run/containers/storage/overlay-containers/295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47/userdata/resolv.conf", "options": [ "ro", "bind", "nodev", "nosuid", "noexec" ] }, { "destination": "/dev/shm", "type": "bind", "source": 
"/run/containers/storage/overlay-containers/295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47/userdata/shm", "options": [ "rw", "bind" ] }, { "destination": "/etc/hostname", "type": "bind", "source": "/run/containers/storage/overlay-containers/295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47/userdata/hostname", "options": [ "ro", "bind", "nodev", "nosuid", "noexec" ] } ], "annotations": { "io.container.manager": "cri-o", "io.kubernetes.container.name": "POD", "io.kubernetes.cri-o.Annotations": "{\"kubernetes.io/config.seen\":\"2023-05-10T16:35:33.916202677Z\",\"kubernetes.io/config.source\":\"api\"}", "io.kubernetes.cri-o.CNIResult": "{\"cniVersion\":\"1.0.0\",\"interfaces\":[{\"name\":\"295df75b8555725\",\"mac\":\"46:78:39:8e:9b:55\"},{\"name\":\"eth0\",\"mac\":\"0a:58:0a:81:02:36\",\"sandbox\":\"/var/run/netns/a7329e34-8f21-4850-bcac-93787e5a286c\"}],\"ips\":[{\"interface\":1,\"address\":\"10.129.2.54/23\",\"gateway\":\"10.129.2.1\"}],\"dns\":{}}", "io.kubernetes.cri-o.CgroupParent": "kubepods-besteffort-podbe76f5b7_8151_4a31_98a6_e3a8313959f7.slice", "io.kubernetes.cri-o.ContainerID": "295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47", "io.kubernetes.cri-o.ContainerName": "k8s_POD_wasm-test_default_be76f5b7-8151-4a31-98a6-e3a8313959f7_0", "io.kubernetes.cri-o.ContainerType": "sandbox", "io.kubernetes.cri-o.Created": "2023-05-10T16:35:34.55369639Z", "io.kubernetes.cri-o.HostName": "wasm-test", "io.kubernetes.cri-o.HostNetwork": "false", "io.kubernetes.cri-o.HostnamePath": "/run/containers/storage/overlay-containers/295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47/userdata/hostname", "io.kubernetes.cri-o.Image": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:847027714e33fd897a4212811c881ec8c736e068c9a81b968346c3e5c90b3c8b", "io.kubernetes.cri-o.ImageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:847027714e33fd897a4212811c881ec8c736e068c9a81b968346c3e5c90b3c8b", 
"io.kubernetes.cri-o.KubeName": "wasm-test", "io.kubernetes.cri-o.Labels": "{\"run\":\"wasm-test\",\"io.kubernetes.pod.uid\":\"be76f5b7-8151-4a31-98a6-e3a8313959f7\",\"io.kubernetes.pod.namespace\":\"default\",\"io.kubernetes.pod.name\":\"wasm-test\",\"io.kubernetes.container.name\":\"POD\"}", "io.kubernetes.cri-o.LogPath": "/var/log/pods/default_wasm-test_be76f5b7-8151-4a31-98a6-e3a8313959f7/295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47.log", "io.kubernetes.cri-o.Metadata": "{\"name\":\"wasm-test\",\"uid\":\"be76f5b7-8151-4a31-98a6-e3a8313959f7\",\"namespace\":\"default\"}", "io.kubernetes.cri-o.MountPoint": "/var/lib/containers/storage/overlay/2e1632ee90f2c3959b7bb422dfb40395292fe7fcc93f63344e38cff8d254a349/merged", "io.kubernetes.cri-o.Name": "k8s_wasm-test_default_be76f5b7-8151-4a31-98a6-e3a8313959f7_0", "io.kubernetes.cri-o.Namespace": "default", "io.kubernetes.cri-o.NamespaceOptions": "{\"pid\":1}", "io.kubernetes.cri-o.PortMappings": "[]", "io.kubernetes.cri-o.PrivilegedRuntime": "false", "io.kubernetes.cri-o.ResolvPath": "/run/containers/storage/overlay-containers/295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47/userdata/resolv.conf", "io.kubernetes.cri-o.RuntimeHandler": "", "io.kubernetes.cri-o.SandboxID": "295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47", "io.kubernetes.cri-o.SandboxName": "k8s_wasm-test_default_be76f5b7-8151-4a31-98a6-e3a8313959f7_0", "io.kubernetes.cri-o.SeccompProfilePath": "runtime/default", "io.kubernetes.cri-o.ShmPath": "/run/containers/storage/overlay-containers/295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47/userdata/shm", "io.kubernetes.cri-o.Spoofed": "true", "io.kubernetes.pod.name": "wasm-test", "io.kubernetes.pod.namespace": "default", "io.kubernetes.pod.uid": "be76f5b7-8151-4a31-98a6-e3a8313959f7", "kubernetes.io/config.seen": "2023-05-10T16:35:33.916202677Z", "kubernetes.io/config.source": "api", "org.systemd.property.CollectMode": "'inactive-or-failed'", 
"run": "wasm-test" }, "linux": { "sysctl": { "net.ipv4.ping_group_range": "0 2147483647" }, "resources": { "devices": [ { "allow": false, "access": "rwm" } ], "cpu": { "shares": 2 } }, "cgroupsPath": "kubepods-besteffort-podbe76f5b7_8151_4a31_98a6_e3a8313959f7.slice:crio:295df75b855572578e97bb7678251d6745188308d93a1b105bad2c329b53dd47", "namespaces": [ { "type": "pid" }, { "type": "network", "path": "/var/run/netns/a7329e34-8f21-4850-bcac-93787e5a286c" }, { "type": "ipc", "path": "/var/run/ipcns/a7329e34-8f21-4850-bcac-93787e5a286c" }, { "type": "uts", "path": "/var/run/utsns/a7329e34-8f21-4850-bcac-93787e5a286c" }, { "type": "mount" } ], "seccomp": { "defaultAction": "SCMP_ACT_ERRNO", "defaultErrnoRet": 38, "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ], "syscalls": [ { "names": [ "bdflush", "io_pgetevents", "kexec_file_load", "kexec_load", "migrate_pages", "move_pages", "nfsservctl", "nice", "oldfstat", "oldlstat", "oldolduname", "oldstat", "olduname", "pciconfig_iobase", "pciconfig_read", "pciconfig_write", "sgetmask", "ssetmask", "swapcontext", "swapoff", "swapon", "sysfs", "uselib", "userfaultfd", "ustat", "vm86", "vm86old", "vmsplice" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "_llseek", "_newselect", "accept", "accept4", "access", "adjtimex", "alarm", "bind", "brk", "capget", "capset", "chdir", "chmod", "chown", "chown32", "clock_adjtime", "clock_adjtime64", "clock_getres", "clock_getres_time64", "clock_gettime", "clock_gettime64", "clock_nanosleep", "clock_nanosleep_time64", "clone", "clone3", "close", "close_range", "connect", "copy_file_range", "creat", "dup", "dup2", "dup3", "epoll_create", "epoll_create1", "epoll_ctl", "epoll_ctl_old", "epoll_pwait", "epoll_pwait2", "epoll_wait", "epoll_wait_old", "eventfd", "eventfd2", "execve", "execveat", "exit", "exit_group", "faccessat", "faccessat2", "fadvise64", "fadvise64_64", "fallocate", "fanotify_mark", "fchdir", "fchmod", "fchmodat", "fchown", "fchown32", 
"fchownat", "fcntl", "fcntl64", "fdatasync", "fgetxattr", "flistxattr", "flock", "fork", "fremovexattr", "fsconfig", "fsetxattr", "fsmount", "fsopen", "fspick", "fstat", "fstat64", "fstatat64", "fstatfs", "fstatfs64", "fsync", "ftruncate", "ftruncate64", "futex", "futex_time64", "futimesat", "get_mempolicy", "get_robust_list", "get_thread_area", "getcpu", "getcwd", "getdents", "getdents64", "getegid", "getegid32", "geteuid", "geteuid32", "getgid", "getgid32", "getgroups", "getgroups32", "getitimer", "getpeername", "getpgid", "getpgrp", "getpid", "getppid", "getpriority", "getrandom", "getresgid", "getresgid32", "getresuid", "getresuid32", "getrlimit", "getrusage", "getsid", "getsockname", "getsockopt", "gettid", "gettimeofday", "getuid", "getuid32", "getxattr", "inotify_add_watch", "inotify_init", "inotify_init1", "inotify_rm_watch", "io_cancel", "io_destroy", "io_getevents", "io_setup", "io_submit", "ioctl", "ioprio_get", "ioprio_set", "ipc", "keyctl", "kill", "landlock_add_rule", "landlock_create_ruleset", "landlock_restrict_self", "lchown", "lchown32", "lgetxattr", "link", "linkat", "listen", "listxattr", "llistxattr", "lremovexattr", "lseek", "lsetxattr", "lstat", "lstat64", "madvise", "mbind", "membarrier", "memfd_create", "memfd_secret", "mincore", "mkdir", "mkdirat", "mknod", "mknodat", "mlock", "mlock2", "mlockall", "mmap", "mmap2", "mount", "mount_setattr", "move_mount", "mprotect", "mq_getsetattr", "mq_notify", "mq_open", "mq_timedreceive", "mq_timedreceive_time64", "mq_timedsend", "mq_timedsend_time64", "mq_unlink", "mremap", "msgctl", "msgget", "msgrcv", "msgsnd", "msync", "munlock", "munlockall", "munmap", "name_to_handle_at", "nanosleep", "newfstatat", "open", "open_tree", "openat", "openat2", "pause", "pidfd_getfd", "pidfd_open", "pidfd_send_signal", "pipe", "pipe2", "pivot_root", "pkey_alloc", "pkey_free", "pkey_mprotect", "poll", "ppoll", "ppoll_time64", "prctl", "pread64", "preadv", "preadv2", "prlimit64", "process_mrelease", "process_vm_readv", 
"process_vm_writev", "pselect6", "pselect6_time64", "ptrace", "pwrite64", "pwritev", "pwritev2", "read", "readahead", "readdir", "readlink", "readlinkat", "readv", "reboot", "recv", "recvfrom", "recvmmsg", "recvmmsg_time64", "recvmsg", "remap_file_pages", "removexattr", "rename", "renameat", "renameat2", "restart_syscall", "rmdir", "rseq", "rt_sigaction", "rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo", "rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", "rt_sigtimedwait_time64", "rt_tgsigqueueinfo", "sched_get_priority_max", "sched_get_priority_min", "sched_getaffinity", "sched_getattr", "sched_getparam", "sched_getscheduler", "sched_rr_get_interval", "sched_rr_get_interval_time64", "sched_setaffinity", "sched_setattr", "sched_setparam", "sched_setscheduler", "sched_yield", "seccomp", "select", "semctl", "semget", "semop", "semtimedop", "semtimedop_time64", "send", "sendfile", "sendfile64", "sendmmsg", "sendmsg", "sendto", "set_mempolicy", "set_robust_list", "set_thread_area", "set_tid_address", "setfsgid", "setfsgid32", "setfsuid", "setfsuid32", "setgid", "setgid32", "setgroups", "setgroups32", "setitimer", "setns", "setpgid", "setpriority", "setregid", "setregid32", "setresgid", "setresgid32", "setresuid", "setresuid32", "setreuid", "setreuid32", "setrlimit", "setsid", "setsockopt", "setuid", "setuid32", "setxattr", "shmat", "shmctl", "shmdt", "shmget", "shutdown", "sigaction", "sigaltstack", "signal", "signalfd", "signalfd4", "sigpending", "sigprocmask", "sigreturn", "sigsuspend", "socketcall", "socketpair", "splice", "stat", "stat64", "statfs", "statfs64", "statx", "symlink", "symlinkat", "sync", "sync_file_range", "syncfs", "syscall", "sysinfo", "syslog", "tee", "tgkill", "time", "timer_create", "timer_delete", "timer_getoverrun", "timer_gettime", "timer_gettime64", "timer_settime", "timer_settime64", "timerfd", "timerfd_create", "timerfd_gettime", "timerfd_gettime64", "timerfd_settime", "timerfd_settime64", "times", "tkill", "truncate", "truncate64", 
"ugetrlimit", "umask", "umount", "umount2", "uname", "unlink", "unlinkat", "writev", "utime", "utimensat", "utimensat_time64", "utimes", "vfork", "wait4", "waitid", "waitpid", "write", "writev" ], "action": "SCMP_ACT_ALLOW" }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 0, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 8, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 131072, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 131080, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "personality" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 4294967295, "op": "SCMP_CMP_EQ" } ] }, { "names": [ "arch_prctl" ], "action": "SCMP_ACT_ALLOW" }, { "names": [ "modify_ldt" ], "action": "SCMP_ACT_ALLOW" }, { "names": [ "open_by_handle_at" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "bpf", "fanotify_init", "lookup_dcookie", "perf_event_open", "quotactl", "setdomainname", "sethostname", "setns" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "chroot" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "delete_module", "finit_module", "init_module", "query_module" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "acct" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "kcmp", "process_madvise" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "ioperm", "iopl" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "clock_settime", "clock_settime64", "settimeofday", "stime" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "vhangup" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 }, { "names": [ "socket" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 22, "args": [ { "index": 0, "value": 16, "op": "SCMP_CMP_EQ" }, { "index": 2, "value": 9, 
"op": "SCMP_CMP_EQ" } ] }, { "names": [ "socket" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 2, "value": 9, "op": "SCMP_CMP_NE" } ] }, { "names": [ "socket" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 16, "op": "SCMP_CMP_NE" } ] }, { "names": [ "socket" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 2, "value": 9, "op": "SCMP_CMP_NE" } ] } ] }, "mountLabel": "system_u:object_r:container_file_t:s0:c411,c853" } }
```

What did you expect to happen?

cri-o propagates OCI image annotation module.wasm.image/variant=compat-smart to crun, so that crun knows that the OCI image needs a Wasm runtime.

How can we reproduce it (as minimally and precisely as possible)?

On an OpenShift worker node with cri-o:

```console
+ cat /etc/containers/containers.conf
[engine]
runtime = "crun"
+ crun --version | grep SYSTEMD
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
```

In OpenShift:

```console
+ oc run wasm-test --image=docker.io/wiegratz/hello-rust:wasm
+ oc logs wasm-test
exec container process `/hello-rust.wasm`: Exec format error
```

I cannot just create a pod/container (with crictl create) directly on CoreOS due to Multus.

Anything else we need to know?

On the same cri-o host it works with Podman (configured to use crun):

```console
+ podman info -f json | jq '.host.ociRuntime'
{
  "name": "crun",
  "package": "crun-1.8-20230403120054.cfec5ce.el8.x86_64",
  "path": "/usr/bin/crun",
  "version": "crun version UNKNOWN\ncommit: c617ab6d95ed61ff766d97fa095ff1a07bcfc370\nrundir: /run/crun\nspec: 1.0.0\n+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL"
}

+ podman run docker.io/wiegratz/hello-rust:wasm
WARNING: image platform ({arm64 linux  [] }) does not match the expected platform ({amd64 linux  [] })
Hello World!
```

CRI-O and Kubernetes version

```console
$ crio --version
crio version 1.25.2-4.rhaos4.12.git66af2f6.el8
Version: 1.25.2-4.rhaos4.12.git66af2f6.el8
GitCommit: unknown
GitCommitDate: unknown
GitTreeState: clean
GoVersion: go1.19.4
Compiler: gc
Platform: linux/amd64
Linkmode: dynamic
BuildTags: rpm_crashtraceback libtrust_openssl selinux seccomp exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_ostree_stub
LDFlags: -compressdwarf=false -B 0x72561a21b490abd26d972e3cf83b2423cd3918e2 -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
SeccompEnabled: true
AppArmorEnabled: false
Dependencies:
```

```console
$ kubectl --version
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.1", GitCommit:"e4d4e1ab7cf1bf15273ef97303551b279f0920a9", GitTreeState:"clean", BuildDate:"2022-09-14T19:49:27Z", GoVersion:"go1.19.1", Compiler:"gc", Platform:"darwin/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.4+a34b9e9", GitCommit:"b6d1f054747e9886f61dd85316deac3415e2726f", GitTreeState:"clean", BuildDate:"2023-01-10T15:55:28Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
```

OS version

```console
# On Linux:
$ cat /etc/os-release
NAME="Red Hat Enterprise Linux CoreOS"
ID="rhcos"
ID_LIKE="rhel fedora"
VERSION="412.86.202301191053-0"
VERSION_ID="4.12"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 412.86.202301191053-0 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://docs.openshift.com/container-platform/4.12/"
BUG_REPORT_URL="https://access.redhat.com/labs/rhir/"
REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.12"
REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
REDHAT_SUPPORT_PRODUCT_VERSION="4.12"
OPENSHIFT_VERSION="4.12"
RHEL_VERSION="8.6"
OSTREE_VERSION="412.86.202301191053-0"
$ uname -a
Linux os-ppl9h-worker-0-czwr7 4.18.0-372.40.1.el8_6.x86_64 #1 SMP Tue Jan 3 09:45:26 EST 2023 x86_64 x86_64 x86_64 GNU/Linux
```

Additional environment details (AWS, VirtualBox, physical, etc.)

OpenShift 4.12 HA cluster on vSphere, private x86_64 Cloud

mrunalp commented 1 year ago

cc: @giuseppe

giuseppe commented 1 year ago

OCI image annotations MUST NOT be propagated to the runtime, as it would open up security issues: an image could configure the runtime differently. This should be solved differently; in Podman we can register a different OCI runtime when a different arch is specified, in this case it should be wasi/wasm.

giuseppe commented 1 year ago

@mheon isn't it a problem that Podman currently propagates the image annotations down to the OCI runtime?

jwhb commented 1 year ago

Here is the config.json created by podman run docker.io/wiegratz/hello-rust:wasm (the OCI image does have the compat annotation). Podman copied the image annotation into config.json .annotations.

giuseppe commented 1 year ago

tagging @vrothberg as well

vrothberg commented 1 year ago

Agreed, this needs fixing.

jwhb commented 1 year ago

@giuseppe: Aside from the risks associated with propagation of OCI annotations, is this annotation (module.wasm.image/variant=compat-smart) unsafe?

If not, should it not be whitelisted or whitelistable for propagation in CRI-O, so that CRI-O behaves like Podman currently does with the Wasm use case?

giuseppe commented 1 year ago

We could allow only that annotation, since it is not a risk, but I think in the long term it is better if CRI-O behaves like Podman and treats images with the wasi/wasm arch as wasm instead of relying on magic annotations.

haircommander commented 1 year ago

Yeah, I'd like to move to using arch instead as well.

github-actions[bot] commented 1 year ago

A friendly reminder that this issue had no activity for 30 days.

haircommander commented 1 year ago

FWIW @sohankunkerkar is going to make sure CRI-O properly sets up an arch: wasi image if crun-wasm is enabled.

github-actions[bot] commented 1 year ago

A friendly reminder that this issue had no activity for 30 days.

haircommander commented 1 year ago

I believe we can close this, as @sohankunkerkar managed to test and CRI-O is able to create wasm containers when the platform is set on the image and crun-wasm is chosen.

sohankunkerkar commented 1 year ago

It's still not fixed yet.

giuseppe commented 1 year ago

this could potentially be a security issue, are you sure it is what you want to do anyway?

I'd leave the issue closed and not try to address it.

sohankunkerkar commented 1 year ago

We have decided not to support annotations; instead, we will enable running wasm containers by introducing an additional field named platform_runtime_paths within the RuntimeHandler configuration. https://github.com/cri-o/cri-o/pull/7180
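As an added example (not cri-o's or Podman's code) that ties together giuseppe's point that image annotations must never reach the OCI runtime and the platform_runtime_paths approach from the closing comment: the runtime binary is chosen from the image platform alone, the image's annotations are never copied into the spec, and an audit helper flags a config.json in which image annotations did leak through (as in the Podman-generated one from this thread). The Go type shapes, the wasi/wasm platform key and the binary paths are assumptions.

```go
package main

import "encoding/json"
import "fmt"
import "sort"

// imageConfig is a hypothetical minimal subset of an OCI image config. The
// image author controls every field, so annotations are untrusted input.
type imageConfig struct {
	OS           string            `json:"os"`
	Architecture string            `json:"architecture"`
	Annotations  map[string]string `json:"annotations,omitempty"`
}

// runtimeHandler models a per-handler config with a platform -> runtime binary
// map, after the platform_runtime_paths field named in the issue (assumed shape).
type runtimeHandler struct {
	RuntimePath          string
	PlatformRuntimePaths map[string]string
}

// selectRuntime picks the runtime binary from the image platform only, so
// nothing the image puts in its annotations can influence the choice.
func (h runtimeHandler) selectRuntime(img imageConfig) string {
	if p, ok := h.PlatformRuntimePaths[img.OS+"/"+img.Architecture]; ok {
		return p
	}
	return h.RuntimePath
}

// leakedImageAnnotations audits a config.json "annotations" map and lists image annotations that reached the runtime.
func leakedImageAnnotations(spec, image map[string]string) []string {
	leaked := []string{}
	for k, v := range image {
		if sv, ok := spec[k]; ok && sv == v {
			leaked = append(leaked, k)
		}
	}
	sort.Strings(leaked)
	return leaked
}

// Constructed image config for a Wasm image (annotation as in the issue); not a real image.
const sampleWasmImage = `{"os":"wasi","architecture":"wasm",` +
	`"annotations":{"module.wasm.image/variant":"compat-smart"}}`

// decideForSample parses the sample image, picks the runtime by platform and builds
// the spec annotations from the manager's own keys only; image annotations are never copied.
func decideForSample() (string, map[string]string, error) {
	var img imageConfig
	if err := json.Unmarshal([]byte(sampleWasmImage), &img); err != nil {
		return "", nil, err
	}
	h := runtimeHandler{ // binary paths are assumptions for this example
		RuntimePath:          "/usr/bin/crun",
		PlatformRuntimePaths: map[string]string{"wasi/wasm": "/usr/bin/crun-wasm"},
	}
	spec := map[string]string{"io.container.manager": "cri-o"}
	return h.selectRuntime(img), spec, nil
}

func main() {
	rt, spec, err := decideForSample()
	fmt.Println(rt, spec, err)
}
```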