kata-containers / kata-containers

Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
Apache License 2.0

Failed to write to /etc/resolv.conf in kubernetes Pod running with kata #3896

Open lining2020x opened 2 years ago

lining2020x commented 2 years ago

Description of problem

Failed to write to /etc/resolv.conf in kata container.

root@ubuntu-r:~# kubectl  exec -ti   test-kata-vdnxl  -- sh -c "echo test >> /etc/resolv.conf"
sh: 1: cannot create /etc/resolv.conf: Read-only file system
command terminated with exit code 2

root@ubuntu-r:~# kubectl  exec -ti   test-kata-vdnxl  -- mount |grep kataShare
kataShared on / type virtiofs (rw,relatime)
kataShared on /etc/hosts type virtiofs (rw,relatime)
kataShared on /dev/termination-log type virtiofs (rw,relatime)
kataShared on /etc/hostname type virtiofs (rw,relatime)
kataShared on /etc/resolv.conf type virtiofs (rw,relatime)
kataShared on /run/secrets/kubernetes.io/serviceaccount type virtiofs (ro,relatime)

root@ubuntu-r:~# kubectl  exec -ti   test-kata-vdnxl  -- ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 103 Mar 15 07:36 /etc/resolv.conf

Expected result

Writing to /etc/resolv.conf succeeds

Actual result

Failed to write to /etc/resolv.conf

Further information

Versions:

lining2020x commented 2 years ago

Here is my test pod yaml

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: test-kata
spec:
  selector:
    matchLabels:
      name: test-kata
  template:
    metadata:
      labels:
        name: test-kata
    spec:
      runtimeClassName: kata-qemu
      containers:
      - name: kata-pod
        image: debian:buster
        command: ["tail", "-f", "/dev/null"]
        resources:
          limits:
            cpu: 200m
            memory: 200Mi
          requests:
            cpu: 200m
            memory: 200Mi

liubin commented 2 years ago

FYI: 9p works.

runstrider commented 2 years ago

The command is stuck when I delete the kata container pod using kubectl delete pod. journal -t kata says "stop container failed" container=af19a4c5147e26e012ad60ce9ac4090041f06a52da859208a30ea972ea797d99 error="rpc error: code = Internal desc = failed to remove dir \"/run/kata-containers/shared/containers/af19a4c5147e26e012ad60ce9ac4090041f06a52da859208a30ea972ea797d99\"\n\nCaused by:\n Read-only file system (os error 30)" name=containerd-shim-v2

wangxiaoq commented 2 years ago

I also encountered this problem.

/etc/resolv.conf is a read-only file with privileged security context.