kata-containers / runtime

Kata Containers version 1.x runtime (for version 2.x see https://github.com/kata-containers/kata-containers).
https://katacontainers.io/
Apache License 2.0

running systemd in container caused 9pfs / remounted read-only #3012

Closed wenbinzeng closed 3 years ago

wenbinzeng commented 4 years ago

Description of problem

Steps to reproduce the problem:

  1. install docker with kata static tarball -- https://github.com/kata-containers/runtime/releases/download/1.11.3/kata-static-1.11.3-x86_64.tar.xz
  2. docker run --rm -ti --cap-add=ALL -d centos/systemd /usr/sbin/init

Expected result

Expect to see the file systems mounted in rw mode, the same as in non-systemd containers:

    $ docker run --rm -ti --cap-add=ALL centos/systemd bash
    [root@6d091acadfad /]# mount
    kataShared on / type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
    shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
    kataShared on /etc/resolv.conf type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
    kataShared on /etc/hostname type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
    kataShared on /etc/hosts type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)

Actual result

In the systemd container, rootfs and other 9pfs are remounted as read-only:

    [root@965bdf129458 /]# mount
    kataShared on / type 9p (ro,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
    kataShared on /etc/resolv.conf type 9p (ro,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
    kataShared on /etc/hostname type 9p (ro,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
    kataShared on /etc/hosts type 9p (ro,nodev,relatime,dirsync,mmap,access=client,trans=virtio)

Further information

I also tested virtio-fs: systemd containers worked well, and rootfs is mounted in rw mode as expected.
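
Added example, not part of the original report or of the Kata Containers code: a Python check that compares the two `mount` captures quoted in the report above and lists the 9p targets that went from rw to ro. The function names `parse_mounts` and `readonly_regressions` are made up for this example.

```python
import re

# mount(8) prints: "<source> on <target> type <fstype> (<options>)"
MOUNT_RE = re.compile(r"^(.+?) on (.+) type (\S+) \((.*)\)$")

# Output copied from the report: plain container, then the systemd container.
EXPECTED = """\
kataShared on / type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
kataShared on /etc/resolv.conf type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /etc/hostname type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /etc/hosts type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
"""
ACTUAL = """\
kataShared on / type 9p (ro,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /etc/resolv.conf type 9p (ro,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /etc/hostname type 9p (ro,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /etc/hosts type 9p (ro,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
"""


def parse_mounts(text):
    """Map each mount target to (fstype, set of options)."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m is None:
            continue  # shell prompts, blank lines, anything not in mount(8) format
        _source, target, fstype, opts = m.groups()
        # A later line for the same target is the mount stacked on top of it.
        mounts[target] = (fstype, set(opts.split(",")))
    return mounts


def readonly_regressions(expected, actual, fstype="9p"):
    """Targets of `fstype` that are rw in `expected` and ro in `actual`."""
    baseline = parse_mounts(expected)
    flipped = []
    for target, (kind, opts) in parse_mounts(actual).items():
        was_rw = target in baseline and "rw" in baseline[target][1]
        if kind == fstype and "ro" in opts and was_rw:
            flipped.append(target)
    return sorted(flipped)


if __name__ == "__main__":
    for target in readonly_regressions(EXPECTED, ACTUAL):
        print(f"9p mount went read-only: {target}")
```

To use it on a live system, replace the two embedded captures with the saved output of `mount` from a non-systemd and a systemd container.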

ariel-adam commented 3 years ago

@jcvenegas can you try and reproduce this issue?

fidencio commented 3 years ago

This issue is being automatically closed as Kata Containers 1.x has now reached EOL (End of Life). This means it is no longer being maintained.

Important:

All users should switch to the latest Kata Containers 2.x release to ensure they are using a maintained release that contains the latest security fixes, performance improvements and new features.

This decision was discussed by the @kata-containers/architecture-committee and has been announced via the Kata Containers mailing list:

If you believe this issue still applies to Kata Containers 2.x, please open an issue against the Kata Containers 2.x repository, pointing to this one, providing details to allow us to migrate it.