virtiofs: xattrs: Error with while performing an update in Fedora:30

[GabyCT]

While using kata-runtime, we have seen failures in trying to perform an update in Fedora 31

$ docker run -ti --runtime kata-runtime fedora sh
Unable to find image 'fedora:latest' locally
latest: Pulling from library/fedora
5c1b9e8d7bf7: Pull complete
Digest: sha256:c97879f8bebe49744307ea5c77ffc76c7cc97f3ddec72fb9a394bd4e4519b388
Status: Downloaded newer image for fedora:latest
sh-5.0# dnf -y update
Fedora Modular 31 - x86_64                                                                                                                                   4.1 MB/s | 5.2 MB     00:01
Fedora Modular 31 - x86_64 - Updates                                                                                                                         1.9 MB/s | 4.0 MB     00:02
Fedora 31 - x86_64 - Updates                                                                                                                                 6.3 MB/s |  23 MB     00:03
Fedora 31 - x86_64                                                                                                                                           5.2 MB/s |  71 MB     00:13
Last metadata expiration check: 0:00:01 ago on Thu Apr  2 20:39:23 2020.
Dependencies resolved.
=============================================================================================================================================================================================
 Package                                                Architecture                          Version                                           Repository                              Size
=============================================================================================================================================================================================
Upgrading:
 coreutils                                              x86_64                                8.31-9.fc31                                       updates                                1.1 M
 coreutils-common                                       x86_64                                8.31-9.fc31                                       updates                                1.9 M
 glib2                                                  x86_64                                2.62.6-1.fc31                                     updates                                2.6 M
 gnutls                                                 x86_64                                3.6.12-2.fc31                                     updates                                975 k
 libarchive                                             x86_64                                3.4.2-1.fc31                                      updates                                384 k
 libdnf                                                 x86_64                                0.43.1-5.fc31                                     updates                                633 k
 libgcc                                                 x86_64                                9.3.1-1.fc31                                      updates                                101 k
 libgomp                                                x86_64                                9.3.1-1.fc31                                      updates                                237 k
 libpcap                                                x86_64                                14:1.9.1-2.fc31                                   updates                                168 k
 libsss_idmap                                           x86_64                                2.2.3-13.fc31                                     updates                                 46 k
 libsss_nss_idmap                                       x86_64                                2.2.3-13.fc31                                     updates                                 53 k
 libstdc++                                              x86_64                                9.3.1-1.fc31                                      updates                                633 k
 libtirpc                                               x86_64                                1.2.5-1.rc2.fc31                                  updates                                 98 k
 libxcrypt                                              x86_64                                4.4.15-1.fc31                                     updates                                126 k
 pcre                                                   x86_64                                8.44-1.fc31                                       updates                                192 k
 pcre2                                                  x86_64                                10.34-8.fc31                                      updates                                222 k
 python-setuptools-wheel                                noarch                                41.6.0-1.fc31                                     updates                                281 k
 python3-hawkey                                         x86_64                                0.43.1-5.fc31                                     updates                                101 k
 python3-libdnf                                         x86_64                                0.43.1-5.fc31                                     updates                                702 k
 shadow-utils                                           x86_64                                2:4.6-17.fc31                                     updates                                1.2 M
 sssd-client                                            x86_64                                2.2.3-13.fc31                                     updates                                110 k
 sudo                                                   x86_64                                1.9.0-0.1.b1.fc31                                 updates                                1.0 M
 systemd                                                x86_64                                243.8-1.fc31                                      updates                                3.8 M
 systemd-libs                                           x86_64                                243.8-1.fc31                                      updates                                523 k
 systemd-pam                                            x86_64                                243.8-1.fc31                                      updates                                165 k
 systemd-rpm-macros                                     noarch                                243.8-1.fc31                                      updates                                 20 k
 vim-minimal                                            x86_64                                2:8.2.348-1.fc31                                  updates                                645 k
Installing dependencies:
 pcre2-syntax                                           noarch                                10.34-8.fc31                                      updates                                140 k
 trousers-lib                                           x86_64                                0.3.13-13.fc31                                    fedora                                 171 k
 whois-nls                                              noarch                                5.5.6-1.fc31                                      updates                                 34 k
 xkeyboard-config                                       noarch                                2.28-1.fc31                                       updates                                753 k
Installing weak dependencies:
 diffutils                                              x86_64                                3.7-3.fc31                                        fedora                                 401 k
 libxkbcommon                                           x86_64                                0.9.1-3.fc31                                      updates                                120 k
 mkpasswd                                               x86_64                                5.5.6-1.fc31                                      updates                                 41 k
 shared-mime-info                                       x86_64                                1.15-1.fc31                                       updates                                303 k
 trousers                                               x86_64                                0.3.13-13.fc31                                    fedora                                 150 k

Transaction Summary
=============================================================================================================================================================================================
Install   9 Packages
Upgrade  27 Packages

Total download size: 20 M
Downloading Packages:
(1/36): mkpasswd-5.5.6-1.fc31.x86_64.rpm                                                                                                                     245 kB/s |  41 kB     00:00
(2/36): libxkbcommon-0.9.1-3.fc31.x86_64.rpm                                                                                                                 570 kB/s | 120 kB     00:00
(3/36): pcre2-syntax-10.34-8.fc31.noarch.rpm                                                                                                                 639 kB/s | 140 kB     00:00
(4/36): whois-nls-5.5.6-1.fc31.noarch.rpm                                                                                                                    1.6 MB/s |  34 kB     00:00
(5/36): shared-mime-info-1.15-1.fc31.x86_64.rpm                                                                                                              3.5 MB/s | 303 kB     00:00
(6/36): xkeyboard-config-2.28-1.fc31.noarch.rpm                                                                                                              7.8 MB/s | 753 kB     00:00
(7/36): trousers-0.3.13-13.fc31.x86_64.rpm                                                                                                                   1.5 MB/s | 150 kB     00:00
(8/36): diffutils-3.7-3.fc31.x86_64.rpm                                                                                                                      2.3 MB/s | 401 kB     00:00
(9/36): coreutils-8.31-9.fc31.x86_64.rpm                                                                                                                      10 MB/s | 1.1 MB     00:00
(10/36): coreutils-common-8.31-9.fc31.x86_64.rpm                                                                                                              11 MB/s | 1.9 MB     00:00
(11/36): glib2-2.62.6-1.fc31.x86_64.rpm                                                                                                                       13 MB/s | 2.6 MB     00:00
(12/36): gnutls-3.6.12-2.fc31.x86_64.rpm                                                                                                                     8.2 MB/s | 975 kB     00:00
(13/36): libarchive-3.4.2-1.fc31.x86_64.rpm                                                                                                                  8.3 MB/s | 384 kB     00:00
(14/36): libdnf-0.43.1-5.fc31.x86_64.rpm                                                                                                                      13 MB/s | 633 kB     00:00
(15/36): libgcc-9.3.1-1.fc31.x86_64.rpm                                                                                                                      2.5 MB/s | 101 kB     00:00
(16/36): libgomp-9.3.1-1.fc31.x86_64.rpm                                                                                                                     6.8 MB/s | 237 kB     00:00
(17/36): libpcap-1.9.1-2.fc31.x86_64.rpm                                                                                                                     4.4 MB/s | 168 kB     00:00
(18/36): libsss_idmap-2.2.3-13.fc31.x86_64.rpm                                                                                                               2.0 MB/s |  46 kB     00:00
(19/36): libsss_nss_idmap-2.2.3-13.fc31.x86_64.rpm                                                                                                           2.4 MB/s |  53 kB     00:00
(20/36): libtirpc-1.2.5-1.rc2.fc31.x86_64.rpm                                                                                                                3.4 MB/s |  98 kB     00:00
(21/36): libstdc++-9.3.1-1.fc31.x86_64.rpm                                                                                                                   9.9 MB/s | 633 kB     00:00
(22/36): libxcrypt-4.4.15-1.fc31.x86_64.rpm                                                                                                                  3.8 MB/s | 126 kB     00:00
(23/36): pcre-8.44-1.fc31.x86_64.rpm                                                                                                                         5.9 MB/s | 192 kB     00:00
(24/36): pcre2-10.34-8.fc31.x86_64.rpm                                                                                                                       5.7 MB/s | 222 kB     00:00
(25/36): python-setuptools-wheel-41.6.0-1.fc31.noarch.rpm                                                                                                    9.2 MB/s | 281 kB     00:00
(26/36): python3-hawkey-0.43.1-5.fc31.x86_64.rpm                                                                                                             3.7 MB/s | 101 kB     00:00
(27/36): python3-libdnf-0.43.1-5.fc31.x86_64.rpm                                                                                                              14 MB/s | 702 kB     00:00
(28/36): shadow-utils-4.6-17.fc31.x86_64.rpm                                                                                                                  14 MB/s | 1.2 MB     00:00
(29/36): sssd-client-2.2.3-13.fc31.x86_64.rpm                                                                                                                1.8 MB/s | 110 kB     00:00
(30/36): trousers-lib-0.3.13-13.fc31.x86_64.rpm                                                                                                              225 kB/s | 171 kB     00:00
(31/36): sudo-1.9.0-0.1.b1.fc31.x86_64.rpm                                                                                                                    14 MB/s | 1.0 MB     00:00
(32/36): systemd-libs-243.8-1.fc31.x86_64.rpm                                                                                                                6.6 MB/s | 523 kB     00:00
(33/36): systemd-pam-243.8-1.fc31.x86_64.rpm                                                                                                                 4.7 MB/s | 165 kB     00:00
(34/36): systemd-rpm-macros-243.8-1.fc31.noarch.rpm                                                                                                          855 kB/s |  20 kB     00:00
(35/36): vim-minimal-8.2.348-1.fc31.x86_64.rpm                                                                                                                13 MB/s | 645 kB     00:00
(36/36): systemd-243.8-1.fc31.x86_64.rpm                                                                                                                      15 MB/s | 3.8 MB     00:00
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                         12 MB/s |  20 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                     1/1
  Running scriptlet: libgcc-9.3.1-1.fc31.x86_64                                                                                                                                          1/1
  Upgrading        : libgcc-9.3.1-1.fc31.x86_64                                                                                                                                         1/63
  Running scriptlet: libgcc-9.3.1-1.fc31.x86_64                                                                                                                                         1/63
  Upgrading        : libstdc++-9.3.1-1.fc31.x86_64                                                                                                                                      2/63
  Upgrading        : vim-minimal-2:8.2.348-1.fc31.x86_64                                                                                                                                3/63
  Upgrading        : systemd-rpm-macros-243.8-1.fc31.noarch                                                                                                                             4/63
  Upgrading        : pcre-8.44-1.fc31.x86_64                                                                                                                                            5/63
  Upgrading        : glib2-2.62.6-1.fc31.x86_64                                                                                                                                         6/63
  Installing       : shared-mime-info-1.15-1.fc31.x86_64                                                                                                                                7/63
  Running scriptlet: shared-mime-info-1.15-1.fc31.x86_64                                                                                                                                7/63
  Upgrading        : libdnf-0.43.1-5.fc31.x86_64                                                                                                                                        8/63
  Upgrading        : python3-libdnf-0.43.1-5.fc31.x86_64                                                                                                                                9/63
  Upgrading        : libsss_nss_idmap-2.2.3-13.fc31.x86_64                                                                                                                             10/63
  Upgrading        : libsss_idmap-2.2.3-13.fc31.x86_64                                                                                                                                 11/63
  Upgrading        : coreutils-common-8.31-9.fc31.x86_64                                                                                                                               12/63
  Upgrading        : coreutils-8.31-9.fc31.x86_64                                                                                                                                      13/63
  Upgrading        : systemd-libs-243.8-1.fc31.x86_64                                                                                                                                  14/63
  Running scriptlet: systemd-libs-243.8-1.fc31.x86_64                                                                                                                                  14/63
  Installing       : trousers-lib-0.3.13-13.fc31.x86_64                                                                                                                                15/63
  Installing       : diffutils-3.7-3.fc31.x86_64                                                                                                                                       16/63
  Installing       : xkeyboard-config-2.28-1.fc31.noarch                                                                                                                               17/63
  Installing       : libxkbcommon-0.9.1-3.fc31.x86_64                                                                                                                                  18/63
  Installing       : whois-nls-5.5.6-1.fc31.noarch                                                                                                                                     19/63
  Upgrading        : libxcrypt-4.4.15-1.fc31.x86_64                                                                                                                                    20/63
  Installing       : mkpasswd-5.5.6-1.fc31.x86_64                                                                                                                                      21/63
  Upgrading        : shadow-utils-2:4.6-17.fc31.x86_64                                                                                                                                 22/63
Error unpacking rpm package shadow-utils-2:4.6-17.fc31.x86_64
  Installing       : pcre2-syntax-10.34-8.fc31.noarch                                                                                                                                  23/63
error: unpacking of archive failed on file /usr/bin/newgidmap;5e864da7: cpio: cap_set_file
error: shadow-utils-2:4.6-17.fc31.x86_64: install failed

  Upgrading        : pcre2-10.34-8.fc31.x86_64                                                                                                                                         24/63
  Upgrading        : gnutls-3.6.12-2.fc31.x86_64                                                                                                                                       25/63
  Upgrading        : systemd-pam-243.8-1.fc31.x86_64                                                                                                                                   26/63
  Running scriptlet: systemd-243.8-1.fc31.x86_64                                                                                                                                       27/63
  Upgrading        : systemd-243.8-1.fc31.x86_64                                                                                                                                       27/63
  Running scriptlet: systemd-243.8-1.fc31.x86_64                                                                                                                                       27/63
  Running scriptlet: trousers-0.3.13-13.fc31.x86_64                                                                                                                                    28/63
  Installing       : trousers-0.3.13-13.fc31.x86_64                                                                                                                                    28/63
  Running scriptlet: trousers-0.3.13-13.fc31.x86_64                                                                                                                                    28/63
  Upgrading        : sudo-1.9.0-0.1.b1.fc31.x86_64                                                                                                                                     29/63
  Running scriptlet: sudo-1.9.0-0.1.b1.fc31.x86_64                                                                                                                                     29/63
  Upgrading        : sssd-client-2.2.3-13.fc31.x86_64                                                                                                                                  30/63
  Running scriptlet: sssd-client-2.2.3-13.fc31.x86_64                                                                                                                                  30/63
  Upgrading        : python3-hawkey-0.43.1-5.fc31.x86_64                                                                                                                               31/63
  Upgrading        : python-setuptools-wheel-41.6.0-1.fc31.noarch                                                                                                                      32/63
  Upgrading        : libtirpc-1.2.5-1.rc2.fc31.x86_64                                                                                                                                  33/63
  Upgrading        : libpcap-14:1.9.1-2.fc31.x86_64                                                                                                                                    34/63
  Upgrading        : libgomp-9.3.1-1.fc31.x86_64                                                                                                                                       35/63
  Upgrading        : libarchive-3.4.2-1.fc31.x86_64                                                                                                                                    36/63
  Cleanup          : python-setuptools-wheel-41.2.0-1.fc31.noarch                                                                                                                      37/63
  Running scriptlet: systemd-243.7-1.fc31.x86_64                                                                                                                                       38/63
  Cleanup          : systemd-243.7-1.fc31.x86_64                                                                                                                                       38/63
  Cleanup          : python3-hawkey-0.43.1-2.fc31.x86_64                                                                                                                               39/63
  Cleanup          : python3-libdnf-0.43.1-2.fc31.x86_64                                                                                                                               40/63
  Cleanup          : libdnf-0.43.1-2.fc31.x86_64                                                                                                                                       41/63
  Cleanup          : libstdc++-9.2.1-1.fc31.x86_64                                                                                                                                     42/63
  Running scriptlet: sssd-client-2.2.2-3.fc31.x86_64                                                                                                                                   43/63
  Cleanup          : sssd-client-2.2.2-3.fc31.x86_64                                                                                                                                   43/63
  Cleanup          : systemd-libs-243.7-1.fc31.x86_64                                                                                                                                  44/63
  Cleanup          : systemd-pam-243.7-1.fc31.x86_64                                                                                                                                   45/63
  Cleanup          : sudo-1.8.29-1.fc31.x86_64                                                                                                                                         46/63
error: shadow-utils-2:4.6-16.fc31.x86_64: erase skipped

  Cleanup          : systemd-rpm-macros-243.7-1.fc31.noarch                                                                                                                            47/63
  Cleanup          : coreutils-8.31-6.fc31.x86_64                                                                                                                                      48/63
  Cleanup          : glib2-2.62.4-2.fc31.x86_64                                                                                                                                        49/63
  Cleanup          : coreutils-common-8.31-6.fc31.x86_64                                                                                                                               50/63
  Cleanup          : pcre-8.43-2.fc31.1.x86_64                                                                                                                                         51/63
  Cleanup          : vim-minimal-2:8.2.236-1.fc31.x86_64                                                                                                                               52/63
  Cleanup          : libxcrypt-4.4.12-1.fc31.x86_64                                                                                                                                    53/63
  Cleanup          : libgcc-9.2.1-1.fc31.x86_64                                                                                                                                        54/63
  Running scriptlet: libgcc-9.2.1-1.fc31.x86_64                                                                                                                                        54/63
  Cleanup          : libsss_idmap-2.2.2-3.fc31.x86_64                                                                                                                                  55/63
  Cleanup          : libsss_nss_idmap-2.2.2-3.fc31.x86_64                                                                                                                              56/63
  Cleanup          : gnutls-3.6.11-1.fc31.x86_64                                                                                                                                       57/63
  Cleanup          : pcre2-10.34-5.fc31.x86_64                                                                                                                                         58/63
  Cleanup          : libtirpc-1.2.5-0.fc31.x86_64                                                                                                                                      59/63
  Cleanup          : libpcap-14:1.9.1-1.fc31.x86_64                                                                                                                                    60/63
  Cleanup          : libgomp-9.2.1-1.fc31.x86_64                                                                                                                                       61/63
  Cleanup          : libarchive-3.4.0-1.fc31.x86_64                                                                                                                                    62/63
  Running scriptlet: libarchive-3.4.0-1.fc31.x86_64                                                                                                                                    62/63
  Verifying        : libxkbcommon-0.9.1-3.fc31.x86_64                                                                                                                                   1/63
  Verifying        : mkpasswd-5.5.6-1.fc31.x86_64                                                                                                                                       2/63
  Verifying        : pcre2-syntax-10.34-8.fc31.noarch                                                                                                                                   3/63
  Verifying        : shared-mime-info-1.15-1.fc31.x86_64                                                                                                                                4/63
  Verifying        : whois-nls-5.5.6-1.fc31.noarch                                                                                                                                      5/63
  Verifying        : xkeyboard-config-2.28-1.fc31.noarch                                                                                                                                6/63
  Verifying        : diffutils-3.7-3.fc31.x86_64                                                                                                                                        7/63
  Verifying        : trousers-0.3.13-13.fc31.x86_64                                                                                                                                     8/63
  Verifying        : trousers-lib-0.3.13-13.fc31.x86_64                                                                                                                                 9/63
  Verifying        : coreutils-8.31-9.fc31.x86_64                                                                                                                                      10/63
  Verifying        : coreutils-8.31-6.fc31.x86_64                                                                                                                                      11/63
  Verifying        : coreutils-common-8.31-9.fc31.x86_64                                                                                                                               12/63
  Verifying        : coreutils-common-8.31-6.fc31.x86_64                                                                                                                               13/63
  Verifying        : glib2-2.62.6-1.fc31.x86_64                                                                                                                                        14/63
  Verifying        : glib2-2.62.4-2.fc31.x86_64                                                                                                                                        15/63
  Verifying        : gnutls-3.6.12-2.fc31.x86_64                                                                                                                                       16/63
  Verifying        : gnutls-3.6.11-1.fc31.x86_64                                                                                                                                       17/63
  Verifying        : libarchive-3.4.2-1.fc31.x86_64                                                                                                                                    18/63
  Verifying        : libarchive-3.4.0-1.fc31.x86_64                                                                                                                                    19/63
  Verifying        : libdnf-0.43.1-5.fc31.x86_64                                                                                                                                       20/63
  Verifying        : libdnf-0.43.1-2.fc31.x86_64                                                                                                                                       21/63
  Verifying        : libgcc-9.3.1-1.fc31.x86_64                                                                                                                                        22/63
  Verifying        : libgcc-9.2.1-1.fc31.x86_64                                                                                                                                        23/63
  Verifying        : libgomp-9.3.1-1.fc31.x86_64                                                                                                                                       24/63
  Verifying        : libgomp-9.2.1-1.fc31.x86_64                                                                                                                                       25/63
  Verifying        : libpcap-14:1.9.1-2.fc31.x86_64                                                                                                                                    26/63
  Verifying        : libpcap-14:1.9.1-1.fc31.x86_64                                                                                                                                    27/63
  Verifying        : libsss_idmap-2.2.3-13.fc31.x86_64                                                                                                                                 28/63
  Verifying        : libsss_idmap-2.2.2-3.fc31.x86_64                                                                                                                                  29/63
  Verifying        : libsss_nss_idmap-2.2.3-13.fc31.x86_64                                                                                                                             30/63
  Verifying        : libsss_nss_idmap-2.2.2-3.fc31.x86_64                                                                                                                              31/63
  Verifying        : libstdc++-9.3.1-1.fc31.x86_64                                                                                                                                     32/63
  Verifying        : libstdc++-9.2.1-1.fc31.x86_64                                                                                                                                     33/63
  Verifying        : libtirpc-1.2.5-1.rc2.fc31.x86_64                                                                                                                                  34/63
  Verifying        : libtirpc-1.2.5-0.fc31.x86_64                                                                                                                                      35/63
  Verifying        : libxcrypt-4.4.15-1.fc31.x86_64                                                                                                                                    36/63
  Verifying        : libxcrypt-4.4.12-1.fc31.x86_64                                                                                                                                    37/63
  Verifying        : pcre-8.44-1.fc31.x86_64                                                                                                                                           38/63
  Verifying        : pcre-8.43-2.fc31.1.x86_64                                                                                                                                         39/63
  Verifying        : pcre2-10.34-8.fc31.x86_64                                                                                                                                         40/63
  Verifying        : pcre2-10.34-5.fc31.x86_64                                                                                                                                         41/63
  Verifying        : python-setuptools-wheel-41.6.0-1.fc31.noarch                                                                                                                      42/63
  Verifying        : python-setuptools-wheel-41.2.0-1.fc31.noarch                                                                                                                      43/63
  Verifying        : python3-hawkey-0.43.1-5.fc31.x86_64                                                                                                                               44/63
  Verifying        : python3-hawkey-0.43.1-2.fc31.x86_64                                                                                                                               45/63
  Verifying        : python3-libdnf-0.43.1-5.fc31.x86_64                                                                                                                               46/63
  Verifying        : python3-libdnf-0.43.1-2.fc31.x86_64                                                                                                                               47/63
  Verifying        : shadow-utils-2:4.6-17.fc31.x86_64                                                                                                                                 48/63
  Verifying        : shadow-utils-2:4.6-16.fc31.x86_64                                                                                                                                 49/63
  Verifying        : sssd-client-2.2.3-13.fc31.x86_64                                                                                                                                  50/63
  Verifying        : sssd-client-2.2.2-3.fc31.x86_64                                                                                                                                   51/63
  Verifying        : sudo-1.9.0-0.1.b1.fc31.x86_64                                                                                                                                     52/63
  Verifying        : sudo-1.8.29-1.fc31.x86_64                                                                                                                                         53/63
  Verifying        : systemd-243.8-1.fc31.x86_64                                                                                                                                       54/63
  Verifying        : systemd-243.7-1.fc31.x86_64                                                                                                                                       55/63
  Verifying        : systemd-libs-243.8-1.fc31.x86_64                                                                                                                                  56/63
  Verifying        : systemd-libs-243.7-1.fc31.x86_64                                                                                                                                  57/63
  Verifying        : systemd-pam-243.8-1.fc31.x86_64                                                                                                                                   58/63
  Verifying        : systemd-pam-243.7-1.fc31.x86_64                                                                                                                                   59/63
  Verifying        : systemd-rpm-macros-243.8-1.fc31.noarch                                                                                                                            60/63
  Verifying        : systemd-rpm-macros-243.7-1.fc31.noarch                                                                                                                            61/63
  Verifying        : vim-minimal-2:8.2.348-1.fc31.x86_64                                                                                                                               62/63
  Verifying        : vim-minimal-2:8.2.236-1.fc31.x86_64                                                                                                                               63/63

Upgraded:
  coreutils-8.31-9.fc31.x86_64                          coreutils-common-8.31-9.fc31.x86_64          glib2-2.62.6-1.fc31.x86_64                     gnutls-3.6.12-2.fc31.x86_64
  libarchive-3.4.2-1.fc31.x86_64                        libdnf-0.43.1-5.fc31.x86_64                  libgcc-9.3.1-1.fc31.x86_64                     libgomp-9.3.1-1.fc31.x86_64
  libpcap-14:1.9.1-2.fc31.x86_64                        libsss_idmap-2.2.3-13.fc31.x86_64            libsss_nss_idmap-2.2.3-13.fc31.x86_64          libstdc++-9.3.1-1.fc31.x86_64
  libtirpc-1.2.5-1.rc2.fc31.x86_64                      libxcrypt-4.4.15-1.fc31.x86_64               pcre-8.44-1.fc31.x86_64                        pcre2-10.34-8.fc31.x86_64
  python-setuptools-wheel-41.6.0-1.fc31.noarch          python3-hawkey-0.43.1-5.fc31.x86_64          python3-libdnf-0.43.1-5.fc31.x86_64            sssd-client-2.2.3-13.fc31.x86_64
  sudo-1.9.0-0.1.b1.fc31.x86_64                         systemd-243.8-1.fc31.x86_64                  systemd-libs-243.8-1.fc31.x86_64               systemd-pam-243.8-1.fc31.x86_64
  systemd-rpm-macros-243.8-1.fc31.noarch                vim-minimal-2:8.2.348-1.fc31.x86_64

Installed:
  diffutils-3.7-3.fc31.x86_64        libxkbcommon-0.9.1-3.fc31.x86_64       mkpasswd-5.5.6-1.fc31.x86_64      pcre2-syntax-10.34-8.fc31.noarch        shared-mime-info-1.15-1.fc31.x86_64
  trousers-0.3.13-13.fc31.x86_64     trousers-lib-0.3.13-13.fc31.x86_64     whois-nls-5.5.6-1.fc31.noarch     xkeyboard-config-2.28-1.fc31.noarch

Failed:
  shadow-utils-2:4.6-16.fc31.x86_64                                                             shadow-utils-2:4.6-17.fc31.x86_64

Error: Transaction failed

The same error is happening if we choose Fedora 30. Now this is independent of the host where we run the container as this is reproducible in Ubuntu, openSUSE, debian, etc.

Now I believe this is a kata-runtime error related as I ran the same test with runc and no issues where present (the update was completed succesfully).

[fidencio]

Error unpacking rpm package shadow-utils-2:4.6-17.fc31.x86_64
error: unpacking of archive failed on file /usr/bin/newgidmap;5e864da7: cpio: cap_set_file
error: shadow-utils-2:4.6-17.fc31.x86_64: install failed

So, same root cause as https://github.com/kata-containers/tests/issues/2358. Maybe it's better to re-open that one as we already have some debug info there.

As @alicefr mentioned, this may be a guest kernel issue. We need to investigate.

[GabyCT]

Here are the logs

Show kata-collect-data.sh details

# Meta details Running `kata-collect-data.sh` version `1.11.0-alpha1 (commit 705713b4f9bc4d1e754871d5ef1ab5e99ea71aff)` at `2020-04-02.21:18:51.379913370+0000`. --- Runtime is `/usr/local/bin/kata-runtime`. # `kata-env` Output of "`/usr/local/bin/kata-runtime kata-env`": ```toml [Meta] Version = "1.0.24" [Runtime] Debug = true Trace = false DisableGuestSeccomp = true DisableNewNetNs = false SandboxCgroupOnly = false Path = "/usr/local/bin/kata-runtime" [Runtime.Version] OCI = "1.0.1-dev" [Runtime.Version.Version] Semver = "1.11.0-alpha1" Major = 1 Minor = 11 Patch = 0 Commit = "705713b4f9bc4d1e754871d5ef1ab5e99ea71aff" [Runtime.Config] Path = "/usr/share/defaults/kata-containers/configuration.toml" [Runtime.Version.Version] Semver = "1.11.0-alpha1" Major = 1 Minor = 11 Patch = 0 Commit = "705713b4f9bc4d1e754871d5ef1ab5e99ea71aff" [Runtime.Config] Path = "/usr/share/defaults/kata-containers/configuration.toml" [Hypervisor] MachineType = "pc" Version = "QEMU emulator version 4.1.1 (kata-static)\nCopyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers" Path = "/usr/bin/qemu-system-x86_64" BlockDeviceDriver = "virtio-scsi" EntropySource = "/dev/urandom" SharedFS = "virtio-9p" VirtioFSDaemon = "/usr/bin/virtiofsd" Msize9p = 8192 MemorySlots = 10 PCIeRootPort = 0 HotplugVFIOOnRootBus = false Debug = true UseVSock = false [Image] Path = "/usr/share/kata-containers/kata-containers-clearlinux-32740-osbuilder-891b61c-agent-73afd1a.img" [Kernel] Path = "/usr/share/kata-containers/vmlinuz-5.4.15-71" Parameters = "systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket agent.log=debug agent.log=debug" [Initrd] Path = "" [Proxy] Type = "kataProxy" Path = "/usr/libexec/kata-containers/kata-proxy" Debug = true [Proxy.Version] Semver = "1.11.0-alpha1-e7d2214f303fe9dfc433f9045659218e75f4d779" Major = 1 Minor = 11 Patch = 0 Commit = "e7d2214f303fe9dfc433f9045659218e75f4d779" [Shim] Type = "kataShim" Path = "/usr/libexec/kata-containers/kata-shim" Debug = true [Shim.Version] Semver = "1.11.0-alpha1-6a828a430c3d35e6ee22ee50a4fd2ed61280ad42" Major = 1 Minor = 11 Patch = 0 Commit = "6a828a430c3d35e6ee22ee50a4fd2ed61280ad42" [Agent] Type = "kata" Debug = true Trace = false TraceMode = "" TraceType = "" [Host] Kernel = "5.0.0-1035-azure" Architecture = "amd64" VMContainerCapable = true SupportVSocks = true [Host.Distro] Name = "Ubuntu" Version = "18.04" [Host.CPU] Vendor = "GenuineIntel" Model = "Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz" [Netmon] Path = "/usr/libexec/kata-containers/kata-netmon" Debug = true Enable = false [Netmon.Version] Semver = "1.11.0-alpha1" Major = 1 Minor = 11 Patch = 0 Commit = "<>" ``` --- # Runtime config files ## Runtime default config files ``` /etc/kata-containers/configuration.toml /usr/share/defaults/kata-containers/configuration.toml ``` ## Runtime config file contents Config file `/etc/kata-containers/configuration.toml` not found Output of "`cat "/usr/share/defaults/kata-containers/configuration.toml"`": ```toml # Copyright (c) 2017-2019 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # # XXX: WARNING: this file is auto-generated. # XXX: # XXX: Source file: "cli/config/configuration-qemu.toml.in" # XXX: Project: # XXX: Name: Kata Containers # XXX: Type: kata [hypervisor.qemu] path = "/usr/bin/qemu-system-x86_64" kernel = "/usr/share/kata-containers/vmlinuz.container" image = "/usr/share/kata-containers/kata-containers.img" machine_type = "pc" # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having # trouble running pre-2.15 glibc. # # WARNING: - any parameter specified here will take priority over the default # parameter value of the same name used to start the virtual machine. # Do not set values here unless you understand the impact of doing so as you # may stop the virtual machine from booting. # To see the list of default parameters, enable hypervisor debug, create a # container and look for 'default-kernel-parameters' log entries. kernel_params = " agent.log=debug" # Path to the firmware. # If you want that qemu uses the default firmware leave this option empty firmware = "" # Machine accelerators # comma-separated list of machine accelerators to pass to the hypervisor. # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"` machine_accelerators="" # Default number of vCPUs per SB/VM: # unspecified or 0 --> will be set to 1 # < 0 --> will be set to the actual number of physical cores # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores default_vcpus = 1 # Default maximum number of vCPUs per SB/VM: # unspecified or == 0 --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when # the actual number of physical cores is greater than it. # WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU # the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs # can be added to a SB/VM, but the memory footprint will be big. Another example, with # `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of # vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable, # unless you know what are you doing. default_maxvcpus = 0 # Bridges can be used to hot plug devices. # Limitations: # * Currently only pci bridges are supported # * Until 30 devices per bridge can be hot plugged. # * Until 5 PCI bridges can be cold plugged per VM. # This limitation could be a bug in qemu or in the kernel # Default number of bridges per SB/VM: # unspecified or 0 --> will be set to 1 # > 1 <= 5 --> will be set to the specified number # > 5 --> will be set to 5 default_bridges = 1 # Default memory size in MiB for SB/VM. # If unspecified then it will be set 2048 MiB. default_memory = 2048 # # Default memory slots per SB/VM. # If unspecified then it will be set 10. # This is will determine the times that memory will be hotadded to sandbox/VM. #memory_slots = 10 # The size in MiB will be plused to max memory of hypervisor. # It is the memory address space for the NVDIMM devie. # If set block storage driver (block_device_driver) to "nvdimm", # should set memory_offset to the size of block device. # Default 0 #memory_offset = 0 # Specifies virtio-mem will be enabled or not. # Please note that this option should be used with the command # "echo 1 > /proc/sys/vm/overcommit_memory". # Default false #enable_virtio_mem = true # Disable block device from being used for a container's rootfs. # In case of a storage driver like devicemapper where a container's # root file system is backed by a block device, the block device is passed # directly to the hypervisor for performance reasons. # This flag prevents the block device from being passed to the hypervisor, # 9pfs is used instead to pass the rootfs. disable_block_device_use = false # Shared file system type: # - virtio-9p (default) # - virtio-fs shared_fs = "virtio-9p" # Path to vhost-user-fs daemon. virtio_fs_daemon = "/usr/bin/virtiofsd" # Default size of DAX cache in MiB virtio_fs_cache_size = 1024 # Extra args for virtiofsd daemon # # Format example: # ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"] # # see `virtiofsd -h` for possible options. virtio_fs_extra_args = [] # Cache mode: # # - none # Metadata, data, and pathname lookup are not cached in guest. They are # always fetched from host and any changes are immediately pushed to host. # # - auto # Metadata and pathname lookup cache expires after a configured amount of # time (default is 1 second). Data is cached while the file is open (close # to open consistency). # # - always # Metadata, data, and pathname lookup are cached in guest and never expire. virtio_fs_cache = "always" # Block storage driver to be used for the hypervisor in case the container # rootfs is backed by a block device. This is virtio-scsi, virtio-blk # or nvdimm. block_device_driver = "virtio-scsi" # Specifies cache-related options will be set to block devices or not. # Default false #block_device_cache_set = true # Specifies cache-related options for block devices. # Denotes whether use of O_DIRECT (bypass the host page cache) is enabled. # Default false #block_device_cache_direct = true # Specifies cache-related options for block devices. # Denotes whether flush requests for the device are ignored. # Default false #block_device_cache_noflush = true # Enable iothreads (data-plane) to be used. This causes IO to be # handled in a separate IO thread. This is currently only implemented # for SCSI. # enable_iothreads = false # Enable pre allocation of VM RAM, default false # Enabling this will result in lower container density # as all of the memory will be allocated and locked # This is useful when you want to reserve all the memory # upfront or in the cases where you want memory latencies # to be very predictable # Default false #enable_mem_prealloc = true # Enable huge pages for VM RAM, default false # Enabling this will result in the VM memory # being allocated using huge pages. # This is useful when you want to use vhost-user network # stacks within the container. This will automatically # result in memory pre allocation #enable_hugepages = true # Enable vhost-user storage device, default false # Enabling this will result in some Linux reserved block type # major range 240-254 being chosen to represent vhost-user devices. enable_vhost_user_store = false # The base directory specifically used for vhost-user devices. # Its sub-path "block" is used for block devices; "block/sockets" is # where we expect vhost-user sockets to live; "block/devices" is where # simulated block device nodes for vhost-user devices to live. vhost_user_store_path = "/var/run/kata-containers/vhost-user" # Enable file based guest memory support. The default is an empty string which # will disable this feature. In the case of virtio-fs, this is enabled # automatically and '/dev/shm' is used as the backing folder. # This option will be ignored if VM templating is enabled. #file_mem_backend = "" # Enable swap of vm memory. Default false. # The behaviour is undefined if mem_prealloc is also set to true #enable_swap = true # This option changes the default hypervisor and kernel parameters # to enable debug output where available. This extra output is added # to the proxy logs, but only when proxy debug is also enabled. # # Default false enable_debug = true # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime # behaving as it would when running on bare metal. # #disable_nesting_checks = true # This is the msize used for 9p shares. It is the number of bytes # used for 9p packet payload. #msize_9p = 8192 # If true and vsocks are supported, use vsocks to communicate directly # with the agent and no proxy is started, otherwise use unix # sockets and start a proxy to communicate with the agent. # Default false #use_vsock = true # If false and nvdimm is supported, use nvdimm device to plug guest image. # Otherwise virtio-block device is used. # Default is false #disable_image_nvdimm = true # VFIO devices are hotplugged on a bridge by default. # Enable hotplugging on root bus. This may be required for devices with # a large PCI bar, as this is a current limitation with hotplugging on # a bridge. This value is valid for "pc" machine type. # Default false #hotplug_vfio_on_root_bus = true # Before hot plugging a PCIe device, you need to add a pcie_root_port device. # Use this parameter when using some large PCI bar devices, such as Nvidia GPU # The value means the number of pcie_root_port # This value is valid when hotplug_vfio_on_root_bus is true and machine_type is "q35" # Default 0 #pcie_root_port = 2 # If vhost-net backend for virtio-net is not desired, set to true. Default is false, which trades off # security (vhost-net runs ring0) for network I/O performance. #disable_vhost_net = true # # Default entropy source. # The path to a host source of entropy (including a real hardware RNG) # /dev/urandom and /dev/random are two main options. # Be aware that /dev/random is a blocking source of entropy. If the host # runs out of entropy, the VMs boot time will increase leading to get startup # timeouts. # The source of entropy /dev/urandom is non-blocking and provides a # generally acceptable source of entropy. It should work well for pretty much # all practical purposes. #entropy_source= "/dev/urandom" # Path to OCI hook binaries in the *guest rootfs*. # This does not affect host-side hooks which must instead be added to # the OCI spec passed to the runtime. # # You can create a rootfs with hooks by customizing the osbuilder scripts: # https://github.com/kata-containers/osbuilder # # Hooks must be stored in a subdirectory of guest_hook_path according to their # hook type, i.e. "guest_hook_path/{prestart,postart,poststop}". # The agent will scan these directories for executable files and add them, in # lexicographical order, to the lifecycle of the guest container. # Hooks are executed in the runtime namespace of the guest. See the official documentation: # https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks # Warnings will be logged if any error is encountered will scanning for hooks, # but it will not abort container execution. #guest_hook_path = "/usr/share/oci/hooks" [factory] # VM templating support. Once enabled, new VMs are created from template # using vm cloning. They will share the same initial kernel, initramfs and # agent memory by mapping it readonly. It helps speeding up new container # creation and saves a lot of memory if there are many kata containers running # on the same host. # # When disabled, new VMs are created from scratch. # # Note: Requires "initrd=" to be set ("image=" is not supported). # # Default false #enable_template = true # Specifies the path of template. # # Default "/run/vc/vm/template" #template_path = "/run/vc/vm/template" # The number of caches of VMCache: # unspecified or == 0 --> VMCache is disabled # > 0 --> will be set to the specified number # # VMCache is a function that creates VMs as caches before using it. # It helps speed up new container creation. # The function consists of a server and some clients communicating # through Unix socket. The protocol is gRPC in protocols/cache/cache.proto. # The VMCache server will create some VMs and cache them by factory cache. # It will convert the VM to gRPC format and transport it when gets # requestion from clients. # Factory grpccache is the VMCache client. It will request gRPC format # VM and convert it back to a VM. If VMCache function is enabled, # kata-runtime will request VM from factory grpccache when it creates # a new sandbox. # # Default 0 #vm_cache_number = 0 # Specify the address of the Unix socket that is used by VMCache. # # Default /var/run/kata-containers/cache.sock #vm_cache_endpoint = "/var/run/kata-containers/cache.sock" [proxy.kata] path = "/usr/libexec/kata-containers/kata-proxy" # If enabled, proxy messages will be sent to the system log # (default: disabled) enable_debug = true [shim.kata] path = "/usr/libexec/kata-containers/kata-shim" # If enabled, shim messages will be sent to the system log # (default: disabled) enable_debug = true # If enabled, the shim will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # # Note: By default, the shim runs in a separate network namespace. Therefore, # to allow it to send trace details to the Jaeger agent running on the host, # it is necessary to set 'disable_new_netns=true' so that it runs in the host # network namespace. # # (default: disabled) #enable_tracing = true [agent.kata] # If enabled, make the agent display debug-level messages. # (default: disabled) enable_debug = true # Enable agent tracing. # # If enabled, the default trace mode is "dynamic" and the # default trace type is "isolated". The trace mode and type are set # explicity with the `trace_type=` and `trace_mode=` options. # # Notes: # # - Tracing is ONLY enabled when `enable_tracing` is set: explicitly # setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing` # will NOT activate agent tracing. # # - See https://github.com/kata-containers/agent/blob/master/TRACING.md for # full details. # # (default: disabled) #enable_tracing = true # #trace_mode = "dynamic" #trace_type = "isolated" # Comma separated list of kernel modules and their parameters. # These modules will be loaded in the guest kernel using modprobe(8). # The following example can be used to load two kernel modules with parameters # - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"] # The first word is considered as the module name and the rest as its parameters. # Container will not be started when: # * A kernel module is specified and the modprobe command is not installed in the guest # or it fails loading the module. # * The module is not available in the guest or it doesn't met the guest kernel # requirements, like architecture and version. # kernel_modules=[] [netmon] # If enabled, the network monitoring process gets started when the # sandbox is created. This allows for the detection of some additional # network being added to the existing network namespace, after the # sandbox has been created. # (default: disabled) #enable_netmon = true # Specify the path to the netmon binary. path = "/usr/libexec/kata-containers/kata-netmon" # If enabled, netmon messages will be sent to the system log # (default: disabled) enable_debug = true [runtime] # If enabled, the runtime will log additional debug messages to the # system log # (default: disabled) enable_debug = true # # Internetworking model # Determines how the VM should be connected to the # the container network interface # Options: # # - macvtap # Used when the Container network interface can be bridged using # macvtap. # # - none # Used when customize network. Only creates a tap device. No veth pair. # # - tcfilter # Uses tc filter rules to redirect traffic from the network interface # provided by plugin to a tap interface connected to the VM. # internetworking_model="tcfilter" # disable guest seccomp # Determines whether container seccomp profiles are passed to the virtual # machine and applied by the kata agent. If set to true, seccomp is not applied # within the guest # (default: true) disable_guest_seccomp=true # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) #enable_tracing = true # If enabled, the runtime will not create a network namespace for shim and hypervisor processes. # This option may have some potential impacts to your host. It should only be used when you know what you're doing. # `disable_new_netns` conflicts with `enable_netmon` # `disable_new_netns` conflicts with `internetworking_model=tcfilter` and `internetworking_model=macvtap`. It works only # with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge # (like OVS) directly. # If you are using docker, `disable_new_netns` only works with `docker run --net=none` # (default: false) #disable_new_netns = true # if enabled, the runtime will add all the kata processes inside one dedicated cgroup. # The container cgroups in the host are not created, just one single cgroup per sandbox. # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox. # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation. # The sandbox cgroup is constrained if there is no container type annotation. # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType sandbox_cgroup_only=false # Enabled experimental feature list, format: ["a", "b"]. # Experimental features are features not stable enough for production, # they may break compatibility, and are prepared for a big version bump. # Supported experimental features: # (default: []) experimental=[] ``` --- # KSM throttler ## version Output of "` --version`": ``` ./kata-collect-data.sh: line 178: --version: command not found ``` ## systemd service # Image details ```yaml --- osbuilder: url: "https://github.com/kata-containers/osbuilder" version: "unknown" rootfs-creation-time: "2020-04-02T01:12:32.041214610+0000Z" description: "osbuilder rootfs" file-format-version: "0.0.2" architecture: "x86_64" base-distro: name: "Clear" version: "32740" packages: default: - "chrony" - "iptables-bin" - "kmod-bin" - "libudev0-shim" - "systemd" - "util-linux-bin" extra: agent: url: "https://github.com/kata-containers/agent" name: "kata-agent" version: "1.11.0-alpha1-73afd1a31736490e5fda4c4b779d84f945acb187" agent-is-init-daemon: "no" ``` --- # Initrd details No initrd --- # Logfiles ## Runtime logs Recent runtime problems found in system journal: ``` time="2020-04-02T20:43:58.447620401Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:43:58.449569905Z" level=error msg="Could not read qemu pid file" arch=amd64 command=kill container=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 error="open /run/vc/vm/ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445/pid: no such file or directory" name=kata-runtime pid=97897 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=virtcontainers subsystem=qemu time="2020-04-02T20:43:58.475619163Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445/config.json: no such file or directory" arch=amd64 command=delete container=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 name=kata-runtime pid=97907 source=virtcontainers time="2020-04-02T20:43:58.476885266Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:43:58.478226869Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445/config.json: no such file or directory" arch=amd64 command=delete container=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 name=kata-runtime pid=97907 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=virtcontainers time="2020-04-02T20:43:58.47879587Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:43:58.479827373Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445/config.json: no such file or directory" arch=amd64 command=delete container=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 name=kata-runtime pid=97907 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=virtcontainers time="2020-04-02T20:43:58.480418274Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:43:58.484369683Z" level=error msg="Could not read qemu pid file" arch=amd64 command=delete container=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 error="open /run/vc/vm/ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445/pid: no such file or directory" name=kata-runtime pid=97907 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=virtcontainers subsystem=qemu time="2020-04-02T20:43:58.484779484Z" level=warning msg="sandbox cgroups path is empty" arch=amd64 command=delete container=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 name=kata-runtime pid=97907 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=virtcontainers subsystem=sandbox time="2020-04-02T20:44:06.672626501Z" level=debug msg="restore sandbox failed" arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="open /run/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/persist.json: no such file or directory" name=kata-runtime pid=98007 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=sandbox time="2020-04-02T20:44:06.723557516Z" level=debug arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f default-kernel-parameters="tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 debug systemd.show_status=true systemd.log_level=debug" name=kata-runtime pid=98007 source=virtcontainers subsystem=qemu time="2020-04-02T20:44:06.772183027Z" level=info msg="sanner return error: read unix @->/run/vc/vm/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/qmp.sock: use of closed network connection" arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=98007 source=virtcontainers subsystem=qmp time="2020-04-02T20:44:07.487752654Z" level=debug msg="sending request" arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=grpc.CreateSandboxRequest pid=98007 req="hostname:\"9468e1f7b034\" dns:\"# This file is managed by man:systemd-resolved(8). Do not edit.\" dns:\"#\" dns:\"# This is a dynamic resolv.conf file for connecting local clients to the\" dns:\"# internal DNS stub resolver of systemd-resolved. This file lists all\" dns:\"# configured search domains.\" dns:\"#\" dns:\"# Run \\\"systemd-resolve --status\\\" to see details about the uplink DNS servers\" dns:\"# currently in use.\" dns:\"#\" dns:\"# Third party programs must not access this file directly, but only through the\" dns:\"# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,\" dns:\"# replace this symlink by a static file or a different symlink.\" dns:\"#\" dns:\"# See man:systemd-resolved.service(8) for details about the supported modes of\" dns:\"# operation for /etc/resolv.conf.\" dns:\"\" dns:\"options edns0\" dns:\"search dzdrpdjko3euzimuqfg5iztnpa.cx.internal.cloudapp.net\" dns:\"\" dns:\"nameserver 8.8.8.8\" dns:\"nameserver 8.8.4.4\" dns:\"\" storages: storages: sandbox_id:\"9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f\" " source=virtcontainers subsystem=kata_agent time="2020-04-02T20:44:07.497121674Z" level=debug msg="no loop device" arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="open /sys/dev/block/8:1/loop/backing_file: no such file or directory" mount-source=/var/lib/docker/containers/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/resolv.conf name=kata-runtime pid=98007 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=container time="2020-04-02T20:44:07.497491574Z" level=debug msg="no loop device" arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="open /sys/dev/block/8:1/loop/backing_file: no such file or directory" mount-source=/var/lib/docker/containers/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/hostname name=kata-runtime pid=98007 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=container time="2020-04-02T20:44:07.497725675Z" level=debug msg="no loop device" arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="open /sys/dev/block/8:1/loop/backing_file: no such file or directory" mount-source=/var/lib/docker/containers/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/hosts name=kata-runtime pid=98007 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=container time="2020-04-02T20:44:07.497819275Z" level=debug msg="no loop device" arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="open /sys/dev/block/0:53/loop/backing_file: no such file or directory" mount-source=/var/lib/docker/containers/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/mounts/shm name=kata-runtime pid=98007 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=container time="2020-04-02T20:44:07.601946291Z" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=98007 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=sandbox time="2020-04-02T20:44:07.603529794Z" level=info msg="sanner return error: read unix @->/run/vc/vm/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/qmp.sock: use of closed network connection" arch=amd64 command=create container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=98007 source=virtcontainers subsystem=qmp time="2020-04-02T20:44:07.640596171Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=state container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=98086 source=virtcontainers time="2020-04-02T20:44:07.641879373Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:44:07.67389174Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=start container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=98095 source=virtcontainers time="2020-04-02T20:44:07.675430743Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:44:07.677155746Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=start container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=98095 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers time="2020-04-02T20:44:07.677761648Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:44:07.728589253Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=state container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=98108 source=virtcontainers time="2020-04-02T20:44:07.730409056Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:59:23.378722698Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=kill container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101612 source=virtcontainers time="2020-04-02T20:59:23.380589502Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:59:23.397627346Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=kill container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101612 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers time="2020-04-02T20:59:23.39894305Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:59:23.459404205Z" level=info msg="sanner return error: " arch=amd64 command=kill container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101612 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=qmp time="2020-04-02T20:59:23.48472707Z" level=error msg="Could not read qemu pid file" arch=amd64 command=kill container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="open /run/vc/vm/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/pid: no such file or directory" name=kata-runtime pid=101612 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=qemu time="2020-04-02T20:59:23.485211871Z" level=error msg="Could not read qemu pid file" arch=amd64 command=kill container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="open /run/vc/vm/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/pid: no such file or directory" name=kata-runtime pid=101612 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=qemu time="2020-04-02T20:59:23.548966135Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=state container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101639 source=virtcontainers time="2020-04-02T20:59:23.55087304Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:59:23.595359554Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=kill container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101649 source=virtcontainers time="2020-04-02T20:59:23.596978558Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:59:23.598902463Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=kill container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101649 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers time="2020-04-02T20:59:23.599624265Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:59:23.60158337Z" level=error msg="Could not read qemu pid file" arch=amd64 command=kill container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="open /run/vc/vm/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/pid: no such file or directory" name=kata-runtime pid=101649 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=qemu time="2020-04-02T20:59:23.643164477Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=delete container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101659 source=virtcontainers time="2020-04-02T20:59:23.645120682Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:59:23.646998687Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=delete container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101659 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers time="2020-04-02T20:59:23.647738589Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:59:23.648991992Z" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/config.json: no such file or directory" arch=amd64 command=delete container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101659 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers time="2020-04-02T20:59:23.649700994Z" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-02T20:59:23.654719107Z" level=error msg="Could not read qemu pid file" arch=amd64 command=delete container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="open /run/vc/vm/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/pid: no such file or directory" name=kata-runtime pid=101659 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=qemu time="2020-04-02T20:59:23.655184308Z" level=warning msg="sandbox cgroups path is empty" arch=amd64 command=delete container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-runtime pid=101659 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=virtcontainers subsystem=sandbox ``` ## Proxy logs Recent proxy problems found in system journal: ``` time="2020-04-02T20:38:47.598782524Z" level=info msg="[ 0.280100] intel_pstate: CPU model not supported\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:47.608709635Z" level=info msg="[ 0.289990] EXT4-fs (pmem0p1): DAX enabled. Warning: EXPERIMENTAL, use at your own risk\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:47.61233524Z" level=info msg="[ 0.293531] EXT4-fs (pmem0p1): mounted filesystem with ordered data mode. Opts: dax,data=ordered,errors=remount-ro\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:47.826257191Z" level=info msg="[ 0.507523] systemd[1]: Failed to stat /etc/localtime, ignoring: No such file or directory\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:47.855911126Z" level=info msg="[ 0.537126] systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/systemd-boot-check-no-failures.service\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:47.939984425Z" level=info msg="[ 0.621234] systemd-sysctl[40]: Couldn't write '16' to 'kernel/sysrq', ignoring: No such file or directory\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:48.237011975Z" level=debug msg="Copy stream error" error="write unix /run/vc/sbs/ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445/proxy.sock->@: use of closed network connection" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=proxy time="2020-04-02T20:38:48.249510489Z" level=info msg="time=\"2020-04-02T20:38:48.239064721Z\" level=debug msg=\"new request\" debug_console=false name=kata-agent pid=41 req=\"hostname:\\\"ea6559c7953c\\\" dns:\\\"# This file is managed by man:systemd-resolved(8). Do not edit.\\\" dns:\\\"#\\\" dns:\\\"# This is a dynamic resolv.conf file for connecting local clients to the\\\" dns:\\\"# internal DNS stub resolver of systemd-resolved. This file lists all\\\" dns:\\\"# configured search domains.\\\" dns:\\\"#\\\" dns:\\\"# Run \\\\\\\"systemd-resolve --status\\\\\\\" to see details about the uplink DNS servers\\\" dns:\\\"# currently in use.\\\" dns:\\\"#\\\" dns:\\\"# Third party programs must not access this file directly, but only through the\\\" dns:\\\"# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,\\\" dns:\\\"# replace this symlink by a static file or a different symlink.\\\" dns:\\\"#\\\" dns:\\\"# See man:systemd-resolved.service(8) for details about the supported modes of\\\" dns:\\\"# operation for /etc/resolv.conf.\\\" dns:\\\"\\\" dns:\\\"options edns0\\\" dns:\\\"search dzdrpdjko3euzimuqfg5iztnpa.cx.internal.cloudapp.net\\\" dns:\\\"\\\" dns:\\\"nameserver 8.8.8.8\\\" dns:\\\"nameserver 8.8.4.4\\\" dns:\\\"\\\" storages: storages: sandbox_id:\\\"ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445\\\" \" request=/grpc.AgentService/CreateSandbox source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:48.255746797Z" level=info msg="time=\"2020-04-02T20:38:48.245307832Z\" level=debug msg=\"request end\" debug_console=false duration=6.100714ms name=kata-agent pid=41 request=/grpc.AgentService/CreateSandbox resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:48.328494783Z" level=info msg="time=\"2020-04-02T20:38:48.318075295Z\" level=debug msg=\"request end\" debug_console=false duration=60.259108ms name=kata-agent pid=41 request=/grpc.AgentService/CreateContainer resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:48.328761083Z" level=info msg="time=\"2020-04-02T20:38:48.318319724Z\" level=info msg=\"ignoring unexpected signal\" debug_console=false name=kata-agent pid=41 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 signal=\"child exited\" source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:48.329287783Z" level=info msg="time=\"2020-04-02T20:38:48.318485662Z\" level=info msg=\"ignoring unexpected signal\" debug_console=false name=kata-agent pid=41 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 signal=\"child exited\" source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:48.340719097Z" level=info msg="time=\"2020-04-02T20:38:48.330278152Z\" level=debug msg=\"request end\" debug_console=false duration=\"3.066µs\" name=kata-agent pid=41 request=/grpc.AgentService/OnlineCPUMem resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:48.43677591Z" level=info msg="time=\"2020-04-02T20:38:48.424496037Z\" level=debug msg=\"request end\" debug_console=false duration=8.26238ms name=kata-agent pid=41 request=/grpc.AgentService/StartContainer resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:38:48.545911539Z" level=info msg="time=\"2020-04-02T20:38:48.535527252Z\" level=debug msg=\"request end\" debug_console=false duration=\"17.579µs\" name=kata-agent pid=41 request=/grpc.AgentService/TtyWinResize resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:40:17.270842338Z" level=info msg="time=\"2020-04-02T20:40:17.260219531Z\" level=debug msg=\"request end\" debug_console=false duration=\"18.166µs\" name=kata-agent pid=41 request=/grpc.AgentService/ReadStdout resp=\"data:\\\"Error unpacking rpm package shadow-utils-2:4.6-17.fc31.x86_64\\\\r\\\\n\\\" \" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:40:17.303339403Z" level=info msg="time=\"2020-04-02T20:40:17.292750371Z\" level=debug msg=\"request end\" debug_console=false duration=\"31.312µs\" name=kata-agent pid=41 request=/grpc.AgentService/ReadStdout resp=\"data:\\\"error: unpacking of archive failed on file /usr/bin/newgidmap;5e864da7: cpio: cap_set_file\\\\r\\\\nerror: shadow-utils-2:4.6-17.fc31.x86_64: install failed\\\\r\\\\n\\\\r\\\\n\\\" \" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:40:26.36448893Z" level=info msg="time=\"2020-04-02T20:40:26.353934092Z\" level=debug msg=\"request end\" debug_console=false duration=\"345.604µs\" name=kata-agent pid=41 request=/grpc.AgentService/ReadStdout resp=\"data:\\\"error: shadow-utils-2:4.6-16.fc31.x86_64: erase skipped\\\\r\\\\n\\\\r\\\\n\\\" \" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:40:41.536426567Z" level=info msg="time=\"2020-04-02T20:40:41.525776889Z\" level=debug msg=\"request end\" debug_console=false duration=211.452282ms name=kata-agent pid=41 request=/grpc.AgentService/ReadStdout resp=\"data:\\\"Error: Transaction failed\\\\r\\\\n\\\" \" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:43:58.216989186Z" level=info msg="time=\"2020-04-02T20:43:58.206063073Z\" level=info msg=\"ignoring unexpected signal\" debug_console=false name=kata-agent pid=41 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 signal=\"child exited\" source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:43:58.255889773Z" level=info msg="time=\"2020-04-02T20:43:58.244821885Z\" level=debug msg=\"request end\" debug_console=false duration=\"297.272µs\" name=kata-agent pid=41 request=/grpc.AgentService/SignalProcess resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:43:58.266265596Z" level=info msg="time=\"2020-04-02T20:43:58.255283656Z\" level=debug msg=\"request end\" debug_console=false duration=\"622.876µs\" name=kata-agent pid=41 request=/grpc.AgentService/RemoveContainer resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:43:58.283204334Z" level=info msg="time=\"2020-04-02T20:43:58.272268818Z\" level=debug msg=\"request end\" debug_console=false duration=8.463697ms name=kata-agent pid=41 request=/grpc.AgentService/DestroySandbox resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent\n" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=agent time="2020-04-02T20:43:58.283824535Z" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445/kata.sock: use of closed network connection" name=kata-proxy pid=96572 sandbox=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 source=proxy time="2020-04-02T20:44:07.278514521Z" level=info msg="[ 0.291164] intel_pstate: CPU model not supported\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.28747044Z" level=info msg="[ 0.300023] EXT4-fs (pmem0p1): DAX enabled. Warning: EXPERIMENTAL, use at your own risk\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.288481242Z" level=info msg="[ 0.300974] EXT4-fs (pmem0p1): mounted filesystem with ordered data mode. Opts: dax,data=ordered,errors=remount-ro\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.333678236Z" level=info msg="[ 0.346239] systemd[1]: Failed to stat /etc/localtime, ignoring: No such file or directory\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.354490379Z" level=info msg="[ 0.367033] systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/systemd-boot-check-no-failures.service\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.429295833Z" level=info msg="[ 0.441717] systemd-sysctl[40]: Couldn't write '16' to 'kernel/sysrq', ignoring: No such file or directory\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.489132257Z" level=info msg="time=\"2020-04-02T20:44:07.475650772Z\" level=debug msg=\"new request\" debug_console=false name=kata-agent pid=41 req=\"hostname:\\\"9468e1f7b034\\\" dns:\\\"# This file is managed by man:systemd-resolved(8). Do not edit.\\\" dns:\\\"#\\\" dns:\\\"# This is a dynamic resolv.conf file for connecting local clients to the\\\" dns:\\\"# internal DNS stub resolver of systemd-resolved. This file lists all\\\" dns:\\\"# configured search domains.\\\" dns:\\\"#\\\" dns:\\\"# Run \\\\\\\"systemd-resolve --status\\\\\\\" to see details about the uplink DNS servers\\\" dns:\\\"# currently in use.\\\" dns:\\\"#\\\" dns:\\\"# Third party programs must not access this file directly, but only through the\\\" dns:\\\"# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,\\\" dns:\\\"# replace this symlink by a static file or a different symlink.\\\" dns:\\\"#\\\" dns:\\\"# See man:systemd-resolved.service(8) for details about the supported modes of\\\" dns:\\\"# operation for /etc/resolv.conf.\\\" dns:\\\"\\\" dns:\\\"options edns0\\\" dns:\\\"search dzdrpdjko3euzimuqfg5iztnpa.cx.internal.cloudapp.net\\\" dns:\\\"\\\" dns:\\\"nameserver 8.8.8.8\\\" dns:\\\"nameserver 8.8.4.4\\\" dns:\\\"\\\" storages: storages: sandbox_id:\\\"9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f\\\" \" request=/grpc.AgentService/CreateSandbox source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.493299066Z" level=info msg="time=\"2020-04-02T20:44:07.479896028Z\" level=debug msg=\"request end\" debug_console=false duration=4.078795ms name=kata-agent pid=41 request=/grpc.AgentService/CreateSandbox resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.586652559Z" level=info msg="time=\"2020-04-02T20:44:07.573211045Z\" level=debug msg=\"request end\" debug_console=false duration=80.245336ms name=kata-agent pid=41 request=/grpc.AgentService/CreateContainer resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.58718916Z" level=info msg="time=\"2020-04-02T20:44:07.573459953Z\" level=info msg=\"ignoring unexpected signal\" debug_console=false name=kata-agent pid=41 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f signal=\"child exited\" source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.58735216Z" level=info msg="time=\"2020-04-02T20:44:07.573888885Z\" level=info msg=\"ignoring unexpected signal\" debug_console=false name=kata-agent pid=41 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f signal=\"child exited\" source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.60146049Z" level=info msg="time=\"2020-04-02T20:44:07.587920736Z\" level=debug msg=\"request end\" debug_console=false duration=\"2.929µs\" name=kata-agent pid=41 request=/grpc.AgentService/OnlineCPUMem resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.686567866Z" level=info msg="time=\"2020-04-02T20:44:07.673134964Z\" level=debug msg=\"request end\" debug_console=false duration=4.566693ms name=kata-agent pid=41 request=/grpc.AgentService/StartContainer resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:44:07.762154522Z" level=info msg="time=\"2020-04-02T20:44:07.74859888Z\" level=debug msg=\"request end\" debug_console=false duration=\"10.509µs\" name=kata-agent pid=41 request=/grpc.AgentService/TtyWinResize resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:45:37.077442042Z" level=info msg="time=\"2020-04-02T20:45:37.063808989Z\" level=debug msg=\"request end\" debug_console=false duration=\"848.712µs\" name=kata-agent pid=41 request=/grpc.AgentService/ReadStdout resp=\"data:\\\"Error unpacking rpm package shadow-utils-2:4.6-9.fc30.x86_64\\\\r\\\\n\\\" \" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:45:37.090106368Z" level=info msg="time=\"2020-04-02T20:45:37.076439277Z\" level=debug msg=\"request end\" debug_console=false duration=\"40.819µs\" name=kata-agent pid=41 request=/grpc.AgentService/ReadStdout resp=\"data:\\\"error: unpacking of archive failed on file /usr/bin/newgidmap;5e864eee: cpio: cap_set_file\\\\r\\\\nerror: shadow-utils-2:4.6-9.fc30.x86_64: install failed\\\\r\\\\n\\\\r\\\\n\\\" \" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:46:09.262072484Z" level=info msg="time=\"2020-04-02T20:46:09.24844517Z\" level=debug msg=\"request end\" debug_console=false duration=187.325825ms name=kata-agent pid=41 request=/grpc.AgentService/ReadStdout resp=\"data:\\\"Error: Transaction failed\\\\r\\\\n\\\" \" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:59:16.002597252Z" level=info msg="time=\"2020-04-02T20:59:15.98723055Z\" level=debug msg=\"request end\" debug_console=false duration=1.337536ms name=kata-agent pid=41 request=/grpc.AgentService/TtyWinResize resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:59:23.331710877Z" level=info msg="time=\"2020-04-02T20:59:23.31630737Z\" level=info msg=\"ignoring unexpected signal\" debug_console=false name=kata-agent pid=41 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f signal=\"child exited\" source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:59:23.386166417Z" level=info msg="time=\"2020-04-02T20:59:23.370801626Z\" level=debug msg=\"request end\" debug_console=false duration=\"612.538µs\" name=kata-agent pid=41 request=/grpc.AgentService/SignalProcess resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:59:23.39515354Z" level=info msg="time=\"2020-04-02T20:59:23.379784551Z\" level=debug msg=\"request end\" debug_console=false duration=\"989.402µs\" name=kata-agent pid=41 request=/grpc.AgentService/RemoveContainer resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:59:23.413510187Z" level=info msg="[ 916.424015] systemd[1]: Failed to read pids.max attribute of cgroup root, ignoring: No such file or directory\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:59:23.417069096Z" level=info msg="time=\"2020-04-02T20:59:23.401679235Z\" level=debug msg=\"request end\" debug_console=false duration=13.568539ms name=kata-agent pid=41 request=/grpc.AgentService/DestroySandbox resp=\"&Empty{XXX_unrecognized:[],}\" sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent\n" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=agent time="2020-04-02T20:59:23.417772498Z" level=fatal msg="channel error" error="accept unix /run/vc/sbs/9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f/proxy.sock: use of closed network connection" name=kata-proxy pid=98049 sandbox=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f source=proxy ``` ## Shim logs Recent shim problems found in system journal: ``` time="2020-04-02T20:43:58.214704781Z" level=info msg="copy stdout failed" container=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 error="rpc error: code = Unknown desc = read /dev/ptmx: input/output error" exec-id=ea6559c7953c07960e6a741170dcfb3da2f2dbb2d35a6f9e8658cebdba55a445 name=kata-shim pid=1 source=shim time="2020-04-02T20:59:23.328149468Z" level=info msg="copy stdout failed" container=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f error="rpc error: code = Unknown desc = read /dev/ptmx: input/output error" exec-id=9468e1f7b034ad6788775073f91fa56cc70922da6d0910b2999480f60683578f name=kata-shim pid=1 source=shim ``` ## Throttler logs No recent throttler problems found in system journal. --- # Container manager details Have `docker` ## Docker Output of "`docker version`": ``` Client: Version: 18.06.3-ce API version: 1.38 Go version: go1.10.3 Git commit: d7080c1 Built: Wed Feb 20 02:28:10 2019 OS/Arch: linux/amd64 Experimental: false Server: Engine: Version: 18.06.3-ce API version: 1.38 (minimum version 1.12) Go version: go1.10.3 Git commit: d7080c1 Built: Wed Feb 20 02:26:34 2019 OS/Arch: linux/amd64 Experimental: false ``` Output of "`docker info`": ``` Containers: 3 Running: 0 Paused: 0 Stopped: 3 Images: 8 Server Version: 18.06.3-ce Storage Driver: overlay2 Backing Filesystem: extfs Supports d_type: true Native Overlay Diff: false Logging Driver: json-file Cgroup Driver: cgroupfs Plugins: Volume: local Network: bridge host macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog Swarm: inactive Runtimes: kata-runtime runc Default Runtime: runc Init Binary: docker-init containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e runc version: a592beb5bc4c4092b1b1bac971afed27687340c5 init version: fec3683 Security Options: apparmor seccomp Profile: default Kernel Version: 5.0.0-1035-azure Operating System: Ubuntu 18.04.4 LTS OSType: linux Architecture: x86_64 CPUs: 4 Total Memory: 15.64GiB Name: gabyubuntu ID: PVO4:JEF5:AGVV:KG7E:23TB:VT3O:IHBP:VSZL:SBJZ:EXLN:HSBA:AD4S Docker Root Dir: /var/lib/docker Debug Mode (client): false Debug Mode (server): true File Descriptors: 23 Goroutines: 44 System Time: 2020-04-02T21:16:12.357896713Z EventsListeners: 0 Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false WARNING: No swap limit support ``` Output of "`systemctl show docker`": ``` Type=notify Restart=on-failure NotifyAccess=main RestartUSec=100ms TimeoutStartUSec=infinity TimeoutStopUSec=1min 30s RuntimeMaxUSec=infinity WatchdogUSec=0 WatchdogTimestamp=Thu 2020-04-02 17:48:57 UTC WatchdogTimestampMonotonic=774969047 PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=23001 ControlPID=0 FileDescriptorStoreMax=0 NFileDescriptorStore=0 StatusErrno=0 Result=success UID=[not set] GID=[not set] NRestarts=0 ExecMainStartTimestamp=Thu 2020-04-02 17:48:49 UTC ExecMainStartTimestampMonotonic=767089547 ExecMainExitTimestampMonotonic=0 ExecMainPID=23001 ExecMainCode=0 ExecMainStatus=0 ExecStart={ path=/usr/bin/dockerd ; argv[]=/usr/bin/dockerd -D --add-runtime kata-runtime=/usr/local/bin/kata-runtime --default-runtime=runc --storage-driver=overlay2 ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 } ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 } Slice=system.slice ControlGroup=/system.slice/docker.service MemoryCurrent=[not set] CPUUsageNSec=[not set] TasksCurrent=36 IPIngressBytes=18446744073709551615 IPIngressPackets=18446744073709551615 IPEgressBytes=18446744073709551615 IPEgressPackets=18446744073709551615 Delegate=yes DelegateControllers=cpu cpuacct io blkio memory devices pids CPUAccounting=no CPUWeight=[not set] StartupCPUWeight=[not set] CPUShares=[not set] StartupCPUShares=[not set] CPUQuotaPerSecUSec=infinity IOAccounting=no IOWeight=[not set] StartupIOWeight=[not set] BlockIOAccounting=no BlockIOWeight=[not set] StartupBlockIOWeight=[not set] MemoryAccounting=no MemoryLow=0 MemoryHigh=infinity MemoryMax=infinity MemorySwapMax=infinity MemoryLimit=infinity DevicePolicy=auto TasksAccounting=yes TasksMax=infinity IPAccounting=no UMask=0022 LimitCPU=infinity LimitCPUSoft=infinity LimitFSIZE=infinity LimitFSIZESoft=infinity LimitDATA=infinity LimitDATASoft=infinity LimitSTACK=infinity LimitSTACKSoft=8388608 LimitCORE=infinity LimitCORESoft=infinity LimitRSS=infinity LimitRSSSoft=infinity LimitNOFILE=1048576 LimitNOFILESoft=1048576 LimitAS=infinity LimitASSoft=infinity LimitNPROC=infinity LimitNPROCSoft=infinity LimitMEMLOCK=16777216 LimitMEMLOCKSoft=16777216 LimitLOCKS=infinity LimitLOCKSSoft=infinity LimitSIGPENDING=63967 LimitSIGPENDINGSoft=63967 LimitMSGQUEUE=819200 LimitMSGQUEUESoft=819200 LimitNICE=0 LimitNICESoft=0 LimitRTPRIO=0 LimitRTPRIOSoft=0 LimitRTTIME=infinity LimitRTTIMESoft=infinity OOMScoreAdjust=0 Nice=0 IOSchedulingClass=0 IOSchedulingPriority=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardInputData= StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SyslogLevel=6 SyslogFacility=3 LogLevelMax=-1 SecureBits=0 CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend AmbientCapabilities= DynamicUser=no RemoveIPC=no MountFlags= PrivateTmp=no PrivateDevices=no ProtectKernelTunables=no ProtectKernelModules=no ProtectControlGroups=no PrivateNetwork=no PrivateUsers=no ProtectHome=no ProtectSystem=no SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 LockPersonality=no RuntimeDirectoryPreserve=no RuntimeDirectoryMode=0755 StateDirectoryMode=0755 CacheDirectoryMode=0755 LogsDirectoryMode=0755 ConfigurationDirectoryMode=0755 MemoryDenyWriteExecute=no RestrictRealtime=no RestrictSUIDSGID=no RestrictNamespaces=no MountAPIVFS=no KeyringMode=private KillMode=process KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=docker.service Names=docker.service Requires=system.slice docker.socket sysinit.target Wants=network-online.target WantedBy=multi-user.target ConsistsOf=docker.socket Conflicts=shutdown.target Before=shutdown.target multi-user.target After=systemd-journald.socket basic.target sysinit.target docker.socket network-online.target firewalld.service system.slice TriggeredBy=docker.socket Documentation=https://docs.docker.com Description=Docker Application Container Engine LoadState=loaded ActiveState=active SubState=running FragmentPath=/lib/systemd/system/docker.service DropInPaths=/etc/systemd/system/docker.service.d/kata-containers.conf UnitFileState=enabled UnitFilePreset=enabled StateChangeTimestamp=Thu 2020-04-02 17:48:57 UTC StateChangeTimestampMonotonic=774969050 InactiveExitTimestamp=Thu 2020-04-02 17:48:49 UTC InactiveExitTimestampMonotonic=767089575 ActiveEnterTimestamp=Thu 2020-04-02 17:48:57 UTC ActiveEnterTimestampMonotonic=774969050 ActiveExitTimestamp=Thu 2020-04-02 17:48:48 UTC ActiveExitTimestampMonotonic=765907302 InactiveEnterTimestamp=Thu 2020-04-02 17:48:49 UTC InactiveEnterTimestampMonotonic=766911659 CanStart=yes CanStop=yes CanReload=yes CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no NeedDaemonReload=no JobTimeoutUSec=infinity JobRunningTimeoutUSec=infinity JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Thu 2020-04-02 17:48:49 UTC ConditionTimestampMonotonic=767088441 AssertTimestamp=Thu 2020-04-02 17:48:49 UTC AssertTimestampMonotonic=767088443 Transient=no Perpetual=no StartLimitIntervalUSec=1min StartLimitBurst=3 StartLimitAction=none FailureAction=none SuccessAction=none InvocationID=cce518a6047249ed803761a0480e09d3 CollectMode=inactive ``` Have `kubectl` ## Kubernetes Output of "`kubectl version`": ``` Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.3", GitCommit:"06ad960bfd03b39c8310aaf92d1e7c12ce618213", GitTreeState:"clean", BuildDate:"2020-02-11T18:14:22Z", GoVersion:"go1.13.6", Compiler:"gc", Platform:"linux/amd64"} The connection to the server localhost:8080 was refused - did you specify the right host or port? ``` Output of "`kubectl config view`": ``` apiVersion: v1 clusters: null contexts: null current-context: "" kind: Config preferences: {} users: null ``` Output of "`systemctl show kubelet`": ``` Type=simple Restart=always NotifyAccess=none RestartUSec=10s TimeoutStartUSec=1min 30s TimeoutStopUSec=1min 30s RuntimeMaxUSec=infinity WatchdogUSec=0 WatchdogTimestampMonotonic=0 PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=0 ControlPID=0 FileDescriptorStoreMax=0 NFileDescriptorStore=0 StatusErrno=0 Result=exit-code UID=[not set] GID=[not set] NRestarts=1199 ExecMainStartTimestamp=Thu 2020-04-02 21:16:08 UTC ExecMainStartTimestampMonotonic=13205899812 ExecMainExitTimestamp=Thu 2020-04-02 21:16:08 UTC ExecMainExitTimestampMonotonic=13205969291 ExecMainPID=114675 ExecMainCode=1 ExecMainStatus=255 ExecStart={ path=/usr/bin/kubelet ; argv[]=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS ; ignore_errors=no ; start_time=[Thu 2020-04-02 21:16:08 UTC] ; stop_time=[Thu 2020-04-02 21:16:08 UTC] ; pid=114675 ; code=exited ; status=255 } Slice=system.slice MemoryCurrent=[not set] CPUUsageNSec=[not set] TasksCurrent=[not set] IPIngressBytes=18446744073709551615 IPIngressPackets=18446744073709551615 IPEgressBytes=18446744073709551615 IPEgressPackets=18446744073709551615 Delegate=no CPUAccounting=no CPUWeight=[not set] StartupCPUWeight=[not set] CPUShares=[not set] StartupCPUShares=[not set] CPUQuotaPerSecUSec=infinity IOAccounting=no IOWeight=[not set] StartupIOWeight=[not set] BlockIOAccounting=no BlockIOWeight=[not set] StartupBlockIOWeight=[not set] MemoryAccounting=no MemoryLow=0 MemoryHigh=infinity MemoryMax=infinity MemorySwapMax=infinity MemoryLimit=infinity DevicePolicy=auto TasksAccounting=yes TasksMax=19190 IPAccounting=no Environment=[unprintable] [unprintable] KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml EnvironmentFile=/var/lib/kubelet/kubeadm-flags.env (ignore_errors=yes) EnvironmentFile=/etc/default/kubelet (ignore_errors=yes) UMask=0022 LimitCPU=infinity LimitCPUSoft=infinity LimitFSIZE=infinity LimitFSIZESoft=infinity LimitDATA=infinity LimitDATASoft=infinity LimitSTACK=infinity LimitSTACKSoft=8388608 LimitCORE=infinity LimitCORESoft=0 LimitRSS=infinity LimitRSSSoft=infinity LimitNOFILE=4096 LimitNOFILESoft=1024 LimitAS=infinity LimitASSoft=infinity LimitNPROC=63967 LimitNPROCSoft=63967 LimitMEMLOCK=16777216 LimitMEMLOCKSoft=16777216 LimitLOCKS=infinity LimitLOCKSSoft=infinity LimitSIGPENDING=63967 LimitSIGPENDINGSoft=63967 LimitMSGQUEUE=819200 LimitMSGQUEUESoft=819200 LimitNICE=0 LimitNICESoft=0 LimitRTPRIO=0 LimitRTPRIOSoft=0 LimitRTTIME=infinity LimitRTTIMESoft=infinity OOMScoreAdjust=0 Nice=0 IOSchedulingClass=0 IOSchedulingPriority=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardInputData= StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SyslogLevel=6 SyslogFacility=3 LogLevelMax=-1 SecureBits=0 CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend AmbientCapabilities= DynamicUser=no RemoveIPC=no MountFlags= PrivateTmp=no PrivateDevices=no ProtectKernelTunables=no ProtectKernelModules=no ProtectControlGroups=no PrivateNetwork=no PrivateUsers=no ProtectHome=no ProtectSystem=no SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 LockPersonality=no RuntimeDirectoryPreserve=no RuntimeDirectoryMode=0755 StateDirectoryMode=0755 CacheDirectoryMode=0755 LogsDirectoryMode=0755 ConfigurationDirectoryMode=0755 MemoryDenyWriteExecute=no RestrictRealtime=no RestrictSUIDSGID=no RestrictNamespaces=no MountAPIVFS=no KeyringMode=private KillMode=control-group KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=kubelet.service Names=kubelet.service Requires=system.slice sysinit.target WantedBy=multi-user.target Conflicts=shutdown.target Before=shutdown.target multi-user.target After=systemd-journald.socket system.slice basic.target sysinit.target Documentation=https://kubernetes.io/docs/home/ Description=kubelet: The Kubernetes Node Agent LoadState=loaded ActiveState=activating SubState=auto-restart FragmentPath=/lib/systemd/system/kubelet.service DropInPaths=/etc/systemd/system/kubelet.service.d/0-crio.conf /etc/systemd/system/kubelet.service.d/10-kubeadm.conf UnitFileState=enabled UnitFilePreset=enabled StateChangeTimestamp=Thu 2020-04-02 21:16:08 UTC StateChangeTimestampMonotonic=13205970103 InactiveExitTimestamp=Thu 2020-04-02 21:16:08 UTC InactiveExitTimestampMonotonic=13205970103 ActiveEnterTimestamp=Thu 2020-04-02 21:16:08 UTC ActiveEnterTimestampMonotonic=13205899856 ActiveExitTimestamp=Thu 2020-04-02 21:16:08 UTC ActiveExitTimestampMonotonic=13205969407 InactiveEnterTimestamp=Thu 2020-04-02 21:16:08 UTC InactiveEnterTimestampMonotonic=13205969407 CanStart=yes CanStop=yes CanReload=no CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no NeedDaemonReload=no JobTimeoutUSec=infinity JobRunningTimeoutUSec=infinity JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Thu 2020-04-02 21:16:08 UTC ConditionTimestampMonotonic=13205897685 AssertTimestamp=Thu 2020-04-02 21:16:08 UTC AssertTimestampMonotonic=13205897685 Transient=no Perpetual=no StartLimitIntervalUSec=0 StartLimitBurst=5 StartLimitAction=none FailureAction=none SuccessAction=none InvocationID=3c8a366b97f84969a94349ec92618a78 CollectMode=inactive ``` Have `crio` ## crio Output of "`crio --version`": ``` crio version 1.17.0-dev commit: 0eec454168e381e460b3d6de07bf50bfd9b0d082 ``` Output of "`systemctl show crio`": ``` Type=simple Restart=on-failure NotifyAccess=none RestartUSec=5s TimeoutStartUSec=1min 30s TimeoutStopUSec=1min 30s RuntimeMaxUSec=infinity WatchdogUSec=0 WatchdogTimestampMonotonic=0 PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=0 ControlPID=0 FileDescriptorStoreMax=0 NFileDescriptorStore=0 StatusErrno=0 Result=success UID=[not set] GID=[not set] NRestarts=0 ExecMainStartTimestampMonotonic=0 ExecMainExitTimestampMonotonic=0 ExecMainPID=0 ExecMainCode=0 ExecMainStatus=0 ExecStart={ path=/usr/local/bin/crio ; argv[]=/usr/local/bin/crio --log-level debug ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 } Slice=system.slice MemoryCurrent=[not set] CPUUsageNSec=[not set] TasksCurrent=[not set] IPIngressBytes=18446744073709551615 IPIngressPackets=18446744073709551615 IPEgressBytes=18446744073709551615 IPEgressPackets=18446744073709551615 Delegate=no CPUAccounting=no CPUWeight=[not set] StartupCPUWeight=[not set] CPUShares=[not set] StartupCPUShares=[not set] CPUQuotaPerSecUSec=infinity IOAccounting=no IOWeight=[not set] StartupIOWeight=[not set] BlockIOAccounting=no BlockIOWeight=[not set] StartupBlockIOWeight=[not set] MemoryAccounting=no MemoryLow=0 MemoryHigh=infinity MemoryMax=infinity MemorySwapMax=infinity MemoryLimit=infinity DevicePolicy=auto TasksAccounting=yes TasksMax=19190 IPAccounting=no UMask=0022 LimitCPU=infinity LimitCPUSoft=infinity LimitFSIZE=infinity LimitFSIZESoft=infinity LimitDATA=infinity LimitDATASoft=infinity LimitSTACK=infinity LimitSTACKSoft=8388608 LimitCORE=infinity LimitCORESoft=0 LimitRSS=infinity LimitRSSSoft=infinity LimitNOFILE=4096 LimitNOFILESoft=1024 LimitAS=infinity LimitASSoft=infinity LimitNPROC=63967 LimitNPROCSoft=63967 LimitMEMLOCK=16777216 LimitMEMLOCKSoft=16777216 LimitLOCKS=infinity LimitLOCKSSoft=infinity LimitSIGPENDING=63967 LimitSIGPENDINGSoft=63967 LimitMSGQUEUE=819200 LimitMSGQUEUESoft=819200 LimitNICE=0 LimitNICESoft=0 LimitRTPRIO=0 LimitRTPRIOSoft=0 LimitRTTIME=infinity LimitRTTIMESoft=infinity OOMScoreAdjust=0 Nice=0 IOSchedulingClass=0 IOSchedulingPriority=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardInputData= StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SyslogLevel=6 SyslogFacility=3 LogLevelMax=-1 SecureBits=0 CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend AmbientCapabilities= DynamicUser=no RemoveIPC=no MountFlags= PrivateTmp=no PrivateDevices=no ProtectKernelTunables=no ProtectKernelModules=no ProtectControlGroups=no PrivateNetwork=no PrivateUsers=no ProtectHome=no ProtectSystem=no SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 LockPersonality=no RuntimeDirectoryPreserve=no RuntimeDirectoryMode=0755 StateDirectoryMode=0755 CacheDirectoryMode=0755 LogsDirectoryMode=0755 ConfigurationDirectoryMode=0755 MemoryDenyWriteExecute=no RestrictRealtime=no RestrictSUIDSGID=no RestrictNamespaces=no MountAPIVFS=no KeyringMode=private KillMode=control-group KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=crio.service Names=crio.service Requires=system.slice sysinit.target Conflicts=shutdown.target Before=shutdown.target After=sysinit.target basic.target systemd-journald.socket system.slice Documentation=https://github.com/cri-o/cri-o Description=CRI-O daemon LoadState=loaded ActiveState=inactive SubState=dead FragmentPath=/etc/systemd/system/crio.service UnitFileState=disabled UnitFilePreset=enabled StateChangeTimestampMonotonic=0 InactiveExitTimestampMonotonic=0 ActiveEnterTimestampMonotonic=0 ActiveExitTimestampMonotonic=0 InactiveEnterTimestampMonotonic=0 CanStart=yes CanStop=yes CanReload=no CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no NeedDaemonReload=no JobTimeoutUSec=infinity JobRunningTimeoutUSec=infinity JobTimeoutAction=none ConditionResult=no AssertResult=no ConditionTimestampMonotonic=0 AssertTimestampMonotonic=0 Transient=no Perpetual=no StartLimitIntervalUSec=10s StartLimitBurst=5 StartLimitAction=none FailureAction=none SuccessAction=none CollectMode=inactive ``` Output of "`cat /etc/crio/crio.conf`": ``` # The CRI-O configuration file specifies all of the available configuration # options and command-line flags for the crio(8) OCI Kubernetes Container Runtime # daemon, but in a TOML format that can be more easily modified and versioned. # # Please refer to crio.conf(5) for details of all configuration options. # CRI-O supports partial configuration reload during runtime, which can be # done by sending SIGHUP to the running process. Currently supported options # are explicitly mentioned with: 'This option supports live configuration # reload'. # CRI-O reads its storage defaults from the containers-storage.conf(5) file # located at /etc/containers/storage.conf. Modify this storage configuration if # you want to change the system's defaults. If you want to modify storage just # for CRI-O, you can change the storage configuration options here. [crio] # Path to the "root directory". CRI-O stores all of its data, including # containers images, in this directory. #root = "/home/gabyubuntu/.local/share/containers/storage" # Path to the "run directory". CRI-O stores all of its state in this directory. #runroot = "/run/user/1000/containers" # Storage driver used to manage the storage of images and containers. Please # refer to containers-storage.conf(5) to see all available storage drivers. #storage_driver = "vfs" # List to pass options to the storage driver. Please refer to # containers-storage.conf(5) to see all available storage options. #storage_option = [ #] # The default log directory where all logs will go unless directly specified by # the kubelet. The log directory specified must be an absolute directory. log_dir = "/var/log/crio/pods" # Location for CRI-O to lay down the version file version_file = "/var/run/crio/version" # The crio.api table contains settings for the kubelet/gRPC interface. [crio.api] # Path to AF_LOCAL socket on which CRI-O will listen. listen = "/var/run/crio/crio.sock" # IP address on which the stream server will listen. stream_address = "127.0.0.1" # The port on which the stream server will listen. If the port is set to "0", then # CRI-O will allocate a random free port number. stream_port = "0" # Enable encrypted TLS transport of the stream server. stream_enable_tls = false # Path to the x509 certificate file used to serve the encrypted stream. This # file can change, and CRI-O will automatically pick up the changes within 5 # minutes. stream_tls_cert = "" # Path to the key file used to serve the encrypted stream. This file can # change and CRI-O will automatically pick up the changes within 5 minutes. stream_tls_key = "" # Path to the x509 CA(s) file used to verify and authenticate client # communication with the encrypted stream. This file can change and CRI-O will # automatically pick up the changes within 5 minutes. stream_tls_ca = "" # Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024. grpc_max_send_msg_size = 16777216 # Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024. grpc_max_recv_msg_size = 16777216 # The crio.runtime table contains settings pertaining to the OCI runtime used # and options for how to set up and manage the OCI runtime. [crio.runtime] manage_network_ns_lifecycle = true # A list of ulimits to be set in containers by default, specified as # "=:", for example: # "nofile=1024:2048" # If nothing is set here, settings will be inherited from the CRI-O daemon #default_ulimits = [ #] # default_runtime is the _name_ of the OCI runtime to be used as the default. # The name is matched against the runtimes map below. default_runtime = "runc" # If true, the runtime will not use pivot_root, but instead use MS_MOVE. no_pivot = false # decryption_keys_path is the path where the keys required for # image decryption are stored. decryption_keys_path = "/etc/crio/keys/" # Path to the conmon binary, used for monitoring the OCI runtime. # Will be searched for using $PATH if empty. conmon = "" # Cgroup setting for conmon conmon_cgroup = "system.slice" # Environment variable list for the conmon process, used for passing necessary # environment variables to conmon or the runtime. conmon_env = [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ] # If true, SELinux will be used for pod separation on the host. selinux = false # Path to the seccomp.json profile which is used as the default seccomp profile # for the runtime. If not specified, then the internal default seccomp profile # will be used. seccomp_profile = "" # Used to change the name of the default AppArmor profile of CRI-O. The default # profile name is "crio-default-" followed by the version string of CRI-O. This # profile only takes effect if the user does not specify a profile via the # Kubernetes Pod's metadata annotation. apparmor_profile = "crio-default-1.17.0-dev" # Cgroup management implementation used for the runtime. cgroup_manager = "cgroupfs" # List of default capabilities for containers. If it is empty or commented out, # only the capabilities defined in the containers json file by the user/kube # will be added. default_capabilities = [ "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "NET_RAW", "SETGID", "SETUID", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", ] # List of default sysctls. If it is empty or commented out, only the sysctls # defined in the container json file by the user/kube will be added. default_sysctls = [ ] # List of additional devices. specified as # "::", for example: "--device=/dev/sdc:/dev/xvdc:rwm". #If it is empty or commented out, only the devices # defined in the container json file by the user/kube will be added. additional_devices = [ ] # Path to OCI hooks directories for automatically executed hooks. If one of the # directories does not exist, then CRI-O will automatically skip them. hooks_dir = [ "/usr/share/containers/oci/hooks.d", ] # List of default mounts for each container. **Deprecated:** this option will # be removed in future versions in favor of default_mounts_file. default_mounts = [ ] # Path to the file specifying the defaults mounts for each container. The # format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads # its default mounts from the following two files: # # 1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the # override file, where users can either add in their own default mounts, or # override the default mounts shipped with the package. # # 2) /usr/share/containers/mounts.conf: This is the default file read for # mounts. If you want CRI-O to read from a different, specific mounts file, # you can change the default_mounts_file. Note, if this is done, CRI-O will # only add mounts it finds in this file. # #default_mounts_file = "" # Maximum number of processes allowed in a container. pids_limit = 1024 # Maximum sized allowed for the container log file. Negative numbers indicate # that no size limit is imposed. If it is positive, it must be >= 8192 to # match/exceed conmon's read buffer. The file is truncated and re-opened so the # limit is never exceeded. log_size_max = -1 # Whether container output should be logged to journald in addition to the kuberentes log file log_to_journald = false # Path to directory in which container exit files are written to by conmon. container_exits_dir = "/var/run/crio/exits" # Path to directory for container attach sockets. container_attach_socket_dir = "/var/run/crio" # The prefix to use for the source of the bind mounts. bind_mount_prefix = "" # If set to true, all containers will run in read-only mode. read_only = false # Changes the verbosity of the logs based on the level it is set to. Options # are fatal, panic, error, warn, info, debug and trace. This option supports # live configuration reload. log_level = "info" # Filter the log messages by the provided regular expression. # This option supports live configuration reload. log_filter = "" # The UID mappings for the user namespace of each container. A range is # specified in the form containerUID:HostUID:Size. Multiple ranges must be # separated by comma. uid_mappings = "" # The GID mappings for the user namespace of each container. A range is # specified in the form containerGID:HostGID:Size. Multiple ranges must be # separated by comma. gid_mappings = "" # The minimal amount of time in seconds to wait before issuing a timeout # regarding the proper termination of the container. ctr_stop_timeout = 0 # **DEPRECATED** this option is being replaced by manage_ns_lifecycle, which is described below. # #manage_network_ns_lifecycle = false # manage_ns_lifecycle determines whether we pin and remove namespaces # and manage their lifecycle manage_ns_lifecycle = false # The directory where the state of the managed namespaces gets tracked. # Only used when manage_ns_lifecycle is true. namespaces_dir = "/var/run/crio/ns" # pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle pinns_path = "" # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. # The runtime to use is picked based on the runtime_handler provided by the CRI. # If no runtime_handler is provided, the runtime will be picked based on the level # of trust of the workload. Each entry in the table should follow the format: # #[crio.runtime.runtimes.runtime-handler] # runtime_path = "/usr/local/bin/crio-runc" # runtime_type = "oci" # runtime_root = "/path/to/the/root" # # Where: # - runtime-handler: name used to identify the runtime # - runtime_path (optional, string): absolute path to the runtime executable in # the host filesystem. If omitted, the runtime-handler identifier should match # the runtime executable name, and the runtime executable should be placed # in $PATH. # - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If # omitted, an "oci" runtime is assumed. # - runtime_root (optional, string): root directory for storage of containers # state. [crio.runtime.runtimes.runc] runtime_path = "/usr/local/bin/crio-runc" runtime_type = "oci" runtime_root = "/run/runc" [crio.runtime.runtimes.kata] runtime_path = "/usr/local/bin/kata-runtime" runtime_root = "/run/vc" runtime_type = "oci" # Kata Containers is an OCI runtime, where containers are run inside lightweight # VMs. Kata provides additional isolation towards the host, minimizing the host attack # surface and mitigating the consequences of containers breakout. # Kata Containers with the default configured VMM #[crio.runtime.runtimes.kata-runtime] # Kata Containers with the QEMU VMM #[crio.runtime.runtimes.kata-qemu] # Kata Containers with the Firecracker VMM #[crio.runtime.runtimes.kata-fc] # The crio.image table contains settings pertaining to the management of OCI images. # # CRI-O reads its configured registries defaults from the system wide # containers-registries.conf(5) located in /etc/containers/registries.conf. If # you want to modify just CRI-O, you can change the registries configuration in # this file. Otherwise, leave insecure_registries and registries commented out to # use the system's defaults from /etc/containers/registries.conf. [crio.image] # Default transport for pulling images from a remote container storage. default_transport = "docker://" # The path to a file containing credentials necessary for pulling images from # secure registries. The file is similar to that of /var/lib/kubelet/config.json global_auth_file = "" # The image used to instantiate infra containers. # This option supports live configuration reload. pause_image = "k8s.gcr.io/pause:3.1" # The path to a file containing credentials specific for pulling the pause_image from # above. The file is similar to that of /var/lib/kubelet/config.json # This option supports live configuration reload. pause_image_auth_file = "" # The command to run to have a container stay in the paused state. # When explicitly set to "", it will fallback to the entrypoint and command # specified in the pause image. When commented out, it will fallback to the # default: "/pause". This option supports live configuration reload. pause_command = "/pause" # Path to the file which decides what sort of policy we use when deciding # whether or not to trust an image that we've pulled. It is not recommended that # this option be used, as the default behavior of using the system-wide default # policy (i.e., /etc/containers/policy.json) is most often preferred. Please # refer to containers-policy.json(5) for more details. signature_policy = "" # List of registries to skip TLS verification for pulling images. Please # consider configuring the registries via /etc/containers/registries.conf before # changing them here. #insecure_registries = "[]" # Controls how image volumes are handled. The valid values are mkdir, bind and # ignore; the latter will ignore volumes entirely. image_volumes = "mkdir" # List of registries to be used when pulling an unqualified image (e.g., # "alpine:latest"). By default, registries is set to "docker.io" for # compatibility reasons. Depending on your workload and usecase you may add more # registries (e.g., "quay.io", "registry.fedoraproject.org", # "registry.opensuse.org", etc.). registries = [ "docker.io" ] # ] # The crio.network table containers settings pertaining to the management of # CNI plugins. [crio.network] # Path to the directory where CNI configuration files are located. network_dir = "/etc/cni/net.d/" # Paths to directories where CNI plugin binaries are located. plugin_dirs = [ "/opt/cni/bin/", ] # A necessary configuration for Prometheus based metrics retrieval [crio.metrics] # Globally enable or disable metrics support. enable_metrics = false # The port on which the metrics server will listen. metrics_port = 9090 ``` No `containerd` --- # Packages Have `dpkg` Output of "`dpkg -l|egrep "(cc-oci-runtimecc-runtimerunv|kata-proxy|kata-runtime|kata-shim|kata-ksm-throttler|kata-containers-image|linux-container|qemu-)"`": ``` ``` No `rpm` ---

[c3d]

I checked with various versions all the way back to 1.9.2, it's not a recent regression.

[rhatdan]

This looks like the container is not allowed to install file capabilities. These are valid and should be installable. I would ask if the same issue happens in Podman on these platforms.

[rhatdan]

This could be an issue with the underlying file system under docker not supporting file caps.

[c3d]

@rhatdan The tests were done with podman. What do you mean with "the same issue happens in Podman on these platforms"?

[rhatdan]

The command above was done with Docker. Just wanted to see if Podman worked better.

[rhatdan]

What is the underlying File system, and does it support File Capabiltiies?

[c3d]

I just realized that by returning to an older build, I ended up testing with 9p. Trying to re-do the series of test with virtiofs each time. Will post here.

Would there be a simple capsh test that could allow me to check the capabilities? Asking because the dnf update takes a very long time, my network being currently extremely slow.

[fidencio]

@rhatdan, I'm hitting this on Fedora32 using podman + virtiofsd.

fidencio@dahmer ~ $ mount | grep kata
overlay on /run/kata-containers/shared/sandboxes/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d/rootfs type overlay (rw,nodev,relatime,context="system_u:object_r:container_file_t:s0:c601,c652",lowerdir=/var/lib/containers/storage/overlay/l/UVYA5K2GF4LJTEYYCMNE43CTUM,upperdir=/var/lib/containers/storage/overlay/c8f4f7fdcab20e7752498bd31461b017d4b7cc07d986fa232002c6764e63f361/diff,workdir=/var/lib/containers/storage/overlay/c8f4f7fdcab20e7752498bd31461b017d4b7cc07d986fa232002c6764e63f361/work,metacopy=on)
tmpfs on /run/kata-containers/shared/sandboxes/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d-b434a77dad6a3407-secrets type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /run/kata-containers/shared/sandboxes/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d-c320f8d020e02bc3-resolv.conf type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /run/kata-containers/shared/sandboxes/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d-94f0ae4cfe5884f5-hosts type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /run/kata-containers/shared/sandboxes/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d-5307ad7128540020-hostname type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /run/kata-containers/shared/sandboxes/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d/4d17dfb9815b913e38e6f134137c84de62b8dc9b1d126092756deadf56a8f55d-936e39ad8099de96-.containerenv type tmpfs (rw,nosuid,nodev,seclabel,mode=755)

I'm using EXT4 as the host filesystem (default Fedora).

Switching from kata-runtime to crun or runc it just works.

[dagrh]

Running with -o xattr on virtiofsd has a better chance of making this work - it will then enable the getxattr/setxattr/listxattr fuse calls. I think the 'getcap' command is a simple test. It sounds like we just need to enable xattr; there's then a separate question about whether the selinux context we run in should allow us to set certain attributes and/or whether we should translate the names of those attributes (e.g. to stop a container setting an selinux context on a file)

[c3d]

I can confirm that adding virtio_fs_extra_args = ["-o", "xattr" ] makes the problem go away. I believe that @fidencio saw the same thing.

That is with kata-runtime-1.10.0-3.fc32.x86_64. Testing now with 1.11.

[fidencio]

I did see the same thing using 1.11.0-alpha1.

[c3d]

Apparently works with kata-runtime-1.11.0-0.alpha1.fc33.x86_64. So not a regression.

(Edit: Ah, apparently @fidencio beat me to it)

[alicefr]

hi, the error you're hitting is due of a lack of xattr support in 9p. If you use devicemapper or virtiofs with the xattr support it works. Please see my comment https://github.com/kata-containers/tests/issues/2358#issuecomment-606565991 . It's not a problem either in docker or podman. It is a limitation in qemu.

[c3d]

The ability to change this kind of file attributes has security implications. In this case, it is useful because you want to set a file capability that allows the corresponding executable to perform a setgid operation. It's normal for dnf to do that, but allowing it in general is neither necessary nor harmless.

In theory, for example, this could be used by malicious code to grant special capabilities to a file that, ultimately, resides on the host. This could be used as a vector for an attack on the host.

In addition, I have a gut feeling that the operation being performed is not typical of normal container use. Many containers only need to execute whatever binaries are in their image, not to update or modify them. There are exceptions, of course, like builds, but they are IMO just that, exceptions.

This means that:

• We should probably not make a change in the default virtiofs options to add -o xattr
• We should offer an easy way to add a "semantic" install option associated to specific volume mounts, that says this is intented to allow me to install stuff on this volume, and behaves correctly whether the underlying FS is virtio-fs or 9p.

See also #2595 for a similar issue with locking.

[jcvenegas]

@c3d thanks for explain your concerns, trying to exend your idea about a "semantic install" do you think possible something like kata configuration

[hypervisor]
shared_fs_privileged_ops = <true|false>

This is still global but for users want to maximize security for fs this should be the way to go.

This of course will be a global config that could be then converted in a docker-runtime option or a runtime class in case of k8s.

Saying that, do we have the list of virtiofsd options that maximize file operations functionality but increase the security risk?

[amshinde]

The ability to change this kind of file attributes has security implications. In this case, it is useful because you want to set a file capability that allows the corresponding executable to perform a setgid operation. It's normal for dnf to do that, but allowing it in general is neither necessary nor harmless.

@c3d Thanks for pointing this out. But will this not be true in case of runc as well?

• We should offer an easy way to add a "semantic" install option associated to specific volume mounts, We would probably need to do this for all container rootfs since the updates are typically performed there.

[c3d]

@jcvenegas Having a global option seems like a good idea, though I see that more as an addition than a replacement for a per-volume option. I agree with the benefits you listed.

If you consider a workflow where your "build" step requires the privilege but your "test" step does not want then, you cannot do that with a global setting.

[c3d]

@amshinde Still trying to evaluate what is true with runc. There are definitely issues that are introduced by the shared fs.

[c3d]

@jcvenegas Sorry, I forgot to answer the second question. The one option being considered at the moment is -o xattr. I have not investigated to list all options that could have a similar effect. @dagrh do you have a list somewhere?

[GabyCT]

For RHEL 8, I see a failure trying to perform a dnf -y update in a Fedora 32 container

12:45:24 [Serial Test] package manager update test check dnf update 
12:45:24   should not fail
12:45:24   /tmp/jenkins/workspace/kata-containers-tests-rhel-8-q35-PR/go/src/github.com/kata-containers/tests/integration/docker/package_manager_test.go:72
12:45:24 Running command '/usr/bin/docker [docker run --cidfile /tmp/cid092564149/kFaclLSQDChOYVSzCMhwV32fOl8SC1 --runtime kata-runtime -td --name kFaclLSQDChOYVSzCMhwV32fOl8SC1 fedora:32 sh]'
12:45:34 [docker run --cidfile /tmp/cid092564149/kFaclLSQDChOYVSzCMhwV32fOl8SC1 --runtime kata-runtime -td --name kFaclLSQDChOYVSzCMhwV32fOl8SC1 fedora:32 sh]
12:45:34 Timeout: 120 seconds
12:45:34 Exit Code: 0
12:45:34 Stdout: 4d5028249d6ace57e161276c780eff41bb76a6a67ac5490144cd93deb0297cb0
12:45:34 
12:45:34 Stderr: Unable to find image 'fedora:32' locally
12:45:34 32: Pulling from library/fedora
12:45:34 0169c1449c16: Pulling fs layer
12:45:34 0169c1449c16: Verifying Checksum
12:45:34 0169c1449c16: Download complete
12:45:34 0169c1449c16: Pull complete
12:45:34 Digest: sha256:e69b5a62ce23c673885bddc94e6679c9b2af683059637ceddb9cff458537a326
12:45:34 Status: Downloaded newer image for fedora:32
12:45:34 
12:45:34 Running command '/usr/bin/docker [docker exec kFaclLSQDChOYVSzCMhwV32fOl8SC1 dnf -y update]'
12:46:06 command failed error 'exit status 1'
12:46:06 [docker exec kFaclLSQDChOYVSzCMhwV32fOl8SC1 dnf -y update]
12:46:06 Timeout: 900 seconds
12:46:06 Exit Code: 1
12:46:06 Stdout: Fedora 32 openh264 (From Cisco) - x86_64        0.0  B/s |   0  B     00:15    
12:46:06 Fedora Modular 32 - x86_64                      0.0  B/s |   0  B     00:15    
12:46:06 
12:46:06 Stderr: Errors during downloading metadata for repository 'fedora-cisco-openh264':
12:46:06   - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-32&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org]
12:46:06 Error: Failed to download metadata for repo 'fedora-cisco-openh264': Cannot prepare internal mirrorlist: ftruncate() failed: No such file or directory
12:46:06 Errors during downloading metadata for repository 'fedora-modular':

[rhvgoyal]

The ability to change this kind of file attributes has security implications. In this case, it is useful because you want to set a file capability that allows the corresponding executable to perform a setgid operation. It's normal for dnf to do that, but allowing it in general is neither necessary nor harmless.

In theory, for example, this could be used by malicious code to grant special capabilities to a file that, ultimately, resides on the host. This could be used as a vector for an attack on the host.

In addition, I have a gut feeling that the operation being performed is not typical of normal container use. Many containers only need to execute whatever binaries are in their image, not to update or modify them. There are exceptions, of course, like builds, but they are IMO just that, exceptions.

This means that:

• We should probably not make a change in the default virtiofs options to add -o xattr
• We should offer an easy way to add a "semantic" install option associated to specific volume mounts, that says this is intented to allow me to install stuff on this volume, and behaves correctly whether the underlying FS is virtio-fs or 9p.

See also #2595 for a similar issue with locking.

An unprivliged user exploiting capabilities setup by guest user is just one example. What about setuid root binary guest root can drop and if unpriviliged user can get access to it, it can become root on host.

So to me we need to make sure shared directories are hidden from unpriviliged users and only root should be able to have access to it. If we can do that, there is no good reason to use xattrmap in my opinion.

It might have some performance cost. So it might be a good idea to quantify the cost before using it. I would use xattrmap only when there is a need and tighten rest of the code to make sure non-root users can't access shared directory on host.

[fidencio]

---

This issue is being automatically closed as Kata Containers 1.x has now reached EOL (End of Life). This means it is no longer being maintained.

Important:

All users should switch to the latest Kata Containers 2.x release to ensure they are using a maintained release that contains the latest security fixes, performance improvements and new features.

This decision was discussed by the @kata-containers/architecture-committee and has been announced via the Kata Containers mailing list:

• http://lists.katacontainers.io/pipermail/kata-dev/2020-November/001601.html
• http://lists.katacontainers.io/pipermail/kata-dev/2021-April/001843.html
• http://lists.katacontainers.io/pipermail/kata-dev/2021-May/001896.html

If you believe this issue still applies to Kata Containers 2.x, please open an issue against the Kata Containers 2.x repository, pointing to this one, providing details to allow us to migrate it.

---