rootless-containers / usernetes

Kubernetes without the root privileges
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
Apache License 2.0

sd-bus call: Permission denied #186

Closed (liaohang122 closed this issue 3 years ago)

liaohang122 commented 4 years ago

Description: Launched usernetes with cgroup v2 enabled, and creating a pod failed. kubectl describe on the pod shows:

Warning FailedCreatePodSandBox 9s (x4 over 30s) kubelet, izj6cgx3q19bmgalpqjydtz Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create containerd task: OCI runtime create failed: sd-bus call: Permission denied: unknown

Steps to reproduce the issue:

Running Ubuntu 20.04:
Linux iZj6cgx3q19bmgalpqjydtZ 5.4.0-31-generic #35-Ubuntu SMP Thu May 7 20:20:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Changed grub linux arguments to support the unified hierarchy: GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=1 vga=792 console=tty0 console=ttyS0,115200n8 net.ifnames=0 noibrs"

Install u7s: ./install.sh --cni=flannel --cri=containerd --publish=0.0.0.0:8472:8472/udp --publish=0.0.0.0:2379:2379/tcp --publish=0.0.0.0:6443:6443/tcp --cgroup-manager=systemd

kubectl create -f pod.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox-master
spec:
  selector:
    matchLabels:
      user: test-master
  replicas: 1
  template:
    metadata:
      labels:
        user: test-master
    spec:
      containers:
      - name: busybox-master
        image: busybox
        command: ['sleep','100000000']

XDG_RUNTIME_DIR exists:
paas@iZj6cgx3q19bmgalpqjydtZ:~/usernetes$ echo $XDG_RUNTIME_DIR
/run/user/1000

AkihiroSuda commented 4 years ago

Could you try this?

https://github.com/rootless-containers/usernetes/blob/6b7c064bf5ef4161cef3453bb858b7d6e05d9628/Vagrantfile#L19-L27

liaohang122 commented 4 years ago

It gives the same error: sd-bus call: Permission denied

paas@iZj6cgx3q19bmgalpqjydtZ:~/lhtest$ cat /etc/systemd/system/user@.service.d/delegate.conf
[Service]
# default: Delegate=pids memory
# NOTE: delegation of cpuset requires systemd >= 244 (Fedora >= 32, Ubuntu >= 20.04). cpuset is ignored on Fedora 31.
Delegate=cpu cpuset io memory pids
paas@iZj6cgx3q19bmgalpqjydtZ:~/lhtest$ mount |grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
paas@iZj6cgx3q19bmgalpqjydtZ:~$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers
cpuset cpu io memory pids
paas@iZj6cgx3q19bmgalpqjydtZ:~$ systemctl --version
systemd 245 (245.4-4ubuntu3)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid
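
As an added example (not code from the usernetes project or from either participant), the following POSIX shell script performs the same cgroup v2 delegation checks the comment above walks through by hand: that the unified hierarchy is mounted at /sys/fs/cgroup, that the user@.service Delegate= drop-in exists, and that every controller the drop-in names actually appears in the user's cgroup.controllers. The required controller set (cpu cpuset io memory pids) and the file paths are assumptions taken from the output quoted above; the strings used to exercise the helpers are constructed.

```shell
#!/bin/sh
# Added example: verify cgroup v2 controller delegation for the current user.
# Not part of usernetes. Paths and the required controller set below are
# assumptions taken from the delegate.conf and cgroup.controllers output
# quoted in this issue; adjust them for other setups.

# Controllers a rootless runtime expects when run with a systemd cgroup
# manager on cgroup v2 (assumption: mirrors the Delegate= line in the thread).
REQUIRED_CONTROLLERS="cpu cpuset io memory pids"

# missing_controllers "<required list>" "<space-separated controllers present>"
# Prints each required controller absent from the present set, one per line.
missing_controllers() {
    required=$1
    have=$2
    for c in $required; do
        found=0
        for h in $have; do
            [ "$c" = "$h" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$c"
    done
    return 0
}

# delegate_line "<delegate.conf content>"
# Prints the controller list from the last uncommented Delegate= setting
# (commented-out defaults such as "# default: Delegate=..." are ignored).
delegate_line() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Delegate=//p' | tail -n 1
}

# cgroup2_mounted "<output of mount>"
# Returns 0 when the unified hierarchy is mounted at /sys/fs/cgroup.
cgroup2_mounted() {
    printf '%s\n' "$1" | grep -q '^cgroup2 on /sys/fs/cgroup type cgroup2'
}

# check_delegation: runs the live checks against this host.
# Returns 0 when delegation looks complete, 1 otherwise, printing each finding.
check_delegation() {
    uid=$(id -u)
    ctrl_file="/sys/fs/cgroup/user.slice/user-${uid}.slice/user@${uid}.service/cgroup.controllers"
    conf_file="/etc/systemd/system/user@.service.d/delegate.conf"
    rc=0

    if ! cgroup2_mounted "$(mount)"; then
        echo "cgroup2 is not mounted at /sys/fs/cgroup (boot with systemd.unified_cgroup_hierarchy=1)"
        rc=1
    fi

    if [ -r "$conf_file" ]; then
        conf_missing=$(missing_controllers "$REQUIRED_CONTROLLERS" "$(delegate_line "$(cat "$conf_file")")")
        if [ -n "$conf_missing" ]; then
            echo "Delegate= in $conf_file lacks:" $conf_missing
            rc=1
        fi
    else
        echo "missing $conf_file (Delegate= drop-in for user@.service)"
        rc=1
    fi

    if [ -r "$ctrl_file" ]; then
        live_missing=$(missing_controllers "$REQUIRED_CONTROLLERS" "$(cat "$ctrl_file")")
        if [ -n "$live_missing" ]; then
            echo "controllers not delegated to user@${uid}.service:" $live_missing
            rc=1
        fi
    else
        echo "cannot read $ctrl_file (is user@${uid}.service running?)"
        rc=1
    fi

    return $rc
}

# Run the live check only when asked: sh check-delegation.sh --check
if [ "${1:-}" = "--check" ]; then
    check_delegation
fi
```

The helpers take their input as arguments so the parsing logic can be exercised without root or a real cgroup tree; only check_delegation touches the host. A non-zero exit with the printed findings is the point at which to fix the drop-in (and run systemctl daemon-reload plus a re-login) before looking elsewhere for an sd-bus permission error.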

AkihiroSuda commented 3 years ago

This should no longer happen in the latest release.