Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
Apache License 2.0
5.08k
stars
1k
forks
source link
runtime-rs: container start fails under cri-o #9847
When cri-o tries to launch a runtime-rs pod it fails with
ERROR: containerd-shim-kata-v2 failed: shim start
Caused by:
0: do start
1: failed to get bundle path
2: No such file or directory (os error 2): connect: invalid argument
This happens when the shim is launched with the "start" argument and container_type is ContainerType::PodContainer in ShimExecutor::do_start(). ShimExecutor::get_shim_info_from_sandbox() is then called which tries to derive the path to the sandbox bundle from the container bundle the shim is currently running in.
This fails since the bundle directory structure is different between containerd and cri-o (containerd stores the bundles in <container_root>/<sandbox_id> and <container_root>/<container_id> while cri-o in <container_root>/<sandbox_id>/userdata and <container_root>/<container_id>/userdata, respectively).
Having discussed this with @littlejawa we believe that the shim shouldn't try to access the sandbox bundle in the first place while starting a container. For a smoke test, I've removed the offending code locally and have been running with it for a bit, having observed no ill effects so far.
Do you folks agree that this is the right solution? Admittedly I'm not clear what the reason for the current shim behaviour was in the first place so I might be missing something.
When cri-o tries to launch a runtime-rs pod it fails with
This happens when the shim is launched with the "start" argument and
container_type
isContainerType::PodContainer
inShimExecutor::do_start()
.ShimExecutor::get_shim_info_from_sandbox()
is then called which tries to derive the path to the sandbox bundle from the container bundle the shim is currently running in.This fails since the bundle directory structure is different between containerd and cri-o (containerd stores the bundles in
<container_root>/<sandbox_id>
and<container_root>/<container_id>
while cri-o in<container_root>/<sandbox_id>/userdata
and<container_root>/<container_id>/userdata
, respectively).Having discussed this with @littlejawa we believe that the shim shouldn't try to access the sandbox bundle in the first place while starting a container. For a smoke test, I've removed the offending code locally and have been running with it for a bit, having observed no ill effects so far.
Do you folks agree that this is the right solution? Admittedly I'm not clear what the reason for the current shim behaviour was in the first place so I might be missing something.