runtime options seem to be ignored (again) with v2.0.1 #11169
Comments
@mathias-ioki I tried your
Curious how you encounter this, e.g., how/where did you specify the runtime/runtime-handler? Is it through a k8s/pod runtime-handler or something else?
containerd config: default generated on main + your
$ cat pod-config.json
{
"metadata": {
"name": "nginx-crun-sandbox",
"namespace": "default",
"attempt": 1,
"uid": "hdishd83djaidwnduwk28bcsb"
},
"log_directory": "/tmp",
"linux": {
}
}
$ sudo crictl runp --runtime=crun pod-config.json
E1228 19:10:24.081804 542569 remote_runtime.go:193] "RunPodSandbox from runtime service failed" err="rpc error: code = Unknown desc = failed to start sandbox \"375d3d696ea415b511f4c92894237526b85504e97a87a2155c94815f0f5ee05f\": failed to create containerd task: failed to create shim task: OCI runtime create failed: sd-bus call: Invalid unit name or type.: Invalid argument"
FATA[0000] run pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "375d3d696ea415b511f4c92894237526b85504e97a87a2155c94815f0f5ee05f": failed to create containerd task: failed to create shim task: OCI runtime create failed: sd-bus call: Invalid unit name or type.: Invalid argument
The
And crun is not in my path:
$ which crun
crun not found
$ /opt/crun/crun --version
crun version 1.19
commit: db31c42ac46e20b5527f5339dcbf6f023fcd539c
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL |
Hey @djdongjin, I don't specify the runtime explicitly, as I have set it as the default one in the containerd config:
Looks like this parameter isn't working then, if you can specify it manually. So with version 2.0.0 it should use the crun runtime, if you don't specify anything else, but not with 2.0.1. Can you confirm? |
Hi @mathias-ioki I tried again without specifying the runtime explicitly. It still works (on both main branch and v.2.0.1).
# run sandbox still fails on the same crun error
$ sudo crictl runp pod-config.json
E0106 13:14:06.938129 462892 remote_runtime.go:193] "RunPodSandbox from runtime service failed" err="rpc error: code = Unknown desc = failed to start sandbox \"ecb1afa0a95d187a5ca14b0aaacfedeee63a6b09636cd74a048279cc210501d8\": failed to create containerd task: failed to create shim task: OCI runtime create failed: sd-bus call: Invalid unit name or type.: Invalid argument"
FATA[0000] run pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "ecb1afa0a95d187a5ca14b0aaacfedeee63a6b09636cd74a048279cc210501d8": failed to create containerd task: failed to create shim task: OCI runtime create failed: sd-bus call: Invalid unit name or type.: Invalid argument
# the `crun` runtime is used, as well as the `BinaryName:/opt/crun/crun` option
$ sudo journalctl -u containerd | grep ecb1afa0a95d
...
Jan 06 13:14:06 ctd.us-central1-c.c.fair-app-446404-m2.internal containerd[462812]: time="2025-01-06T13:14:06.714955709Z" level=debug msg="use OCI runtime {Type:io.containerd.runc.v2 Path: PodAnnotations:[] ContainerAnnotations:[] Options:map[BinaryName:/opt/crun/crun CriuImagePath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false Root: ShimCgroup: SystemdCgroup:true] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: Sandboxer:podsandbox IOType:}" podsandboxid=ecb1afa0a95d187a5ca14b0aaacfedeee63a6b09636cd74a048279cc210501d8
Attached is the full pod-config and containerd config. Can you try this on your end and see if the issue still persists?
{
"metadata": {
"name": "nginx-crun-sandbox-default-runtime2",
"namespace": "default",
"attempt": 1,
"uid": "hdishd83djaidwnduwk28b"
},
"log_directory": "/tmp",
"linux": {
}
}
version = 3
root = '/var/lib/containerd'
state = '/run/containerd'
temp = ''
plugin_dir = ''
disabled_plugins = []
required_plugins = []
oom_score = 0
imports = []
[grpc]
address = '/run/containerd/containerd.sock'
tcp_address = ''
tcp_tls_ca = ''
tcp_tls_cert = ''
tcp_tls_key = ''
uid = 0
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
[ttrpc]
address = ''
uid = 0
gid = 0
[debug]
address = ''
uid = 0
gid = 0
level = 'debug'
format = ''
[metrics]
address = ''
grpc_histogram = false
[plugins]
[plugins.'io.containerd.cri.v1.images']
default_runtime_name = 'crun'
snapshotter = 'overlayfs'
disable_snapshot_annotations = true
discard_unpacked_layers = false
max_concurrent_downloads = 3
image_pull_progress_timeout = '5m0s'
image_pull_with_sync_fs = false
stats_collect_period = 10
[plugins.'io.containerd.cri.v1.images'.pinned_images]
sandbox = 'registry.k8s.io/pause:3.10'
[plugins.'io.containerd.cri.v1.images'.registry]
config_path = ''
[plugins.'io.containerd.cri.v1.images'.image_decryption]
key_model = 'node'
[plugins.'io.containerd.cri.v1.runtime']
enable_selinux = false
selinux_category_range = 1024
max_container_log_line_size = 16384
disable_apparmor = false
restrict_oom_score_adj = false
disable_proc_mount = false
unset_seccomp_profile = ''
tolerate_missing_hugetlb_controller = true
disable_hugetlb_controller = true
device_ownership_from_security_context = false
ignore_image_defined_volumes = false
netns_mounts_under_state_dir = false
enable_unprivileged_ports = true
enable_unprivileged_icmp = true
enable_cdi = true
cdi_spec_dirs = ['/etc/cdi', '/var/run/cdi']
drain_exec_sync_io_timeout = '0s'
ignore_deprecation_warnings = []
[plugins.'io.containerd.cri.v1.runtime'.containerd]
default_runtime_name = 'crun'
ignore_blockio_not_enabled_errors = false
ignore_rdt_not_enabled_errors = false
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes]
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc]
runtime_type = 'io.containerd.runc.v2'
runtime_path = ''
pod_annotations = []
container_annotations = []
privileged_without_host_devices = false
privileged_without_host_devices_all_devices_allowed = false
base_runtime_spec = ''
cni_conf_dir = ''
cni_max_conf_num = 0
snapshotter = ''
sandboxer = 'podsandbox'
io_type = ''
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options]
BinaryName = ''
CriuImagePath = ''
CriuWorkPath = ''
IoGid = 0
IoUid = 0
NoNewKeyring = false
Root = ''
ShimCgroup = ''
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.crun]
runtime_type = 'io.containerd.runc.v2'
runtime_path = ''
pod_annotations = []
container_annotations = []
privileged_without_host_devices = false
privileged_without_host_devices_all_devices_allowed = false
base_runtime_spec = ''
cni_conf_dir = ''
cni_max_conf_num = 0
snapshotter = ''
sandboxer = 'podsandbox'
io_type = ''
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.crun.options]
BinaryName = '/opt/crun/crun'
CriuImagePath = ''
CriuWorkPath = ''
IoGid = 0
IoUid = 0
NoNewKeyring = false
Root = ''
ShimCgroup = ''
SystemdCgroup = true
[plugins.'io.containerd.cri.v1.runtime'.cni]
bin_dir = '/opt/cni/bin'
conf_dir = '/etc/cni/net.d'
max_conf_num = 1
setup_serially = false
conf_template = ''
ip_pref = ''
use_internal_loopback = false
[plugins.'io.containerd.gc.v1.scheduler']
pause_threshold = 0.02
deletion_threshold = 0
mutation_threshold = 100
schedule_delay = '0s'
startup_delay = '100ms'
[plugins.'io.containerd.grpc.v1.cri']
disable_tcp_service = true
stream_server_address = '127.0.0.1'
stream_server_port = '0'
stream_idle_timeout = '4h0m0s'
enable_tls_streaming = false
[plugins.'io.containerd.grpc.v1.cri'.x509_key_pair_streaming]
tls_cert_file = ''
tls_key_file = ''
[plugins.'io.containerd.image-verifier.v1.bindir']
bin_dir = '/opt/containerd/image-verifier/bin'
max_verifiers = 10
per_verifier_timeout = '10s'
[plugins.'io.containerd.internal.v1.opt']
path = '/opt/containerd'
[plugins.'io.containerd.internal.v1.tracing']
[plugins.'io.containerd.metadata.v1.bolt']
content_sharing_policy = 'shared'
[plugins.'io.containerd.monitor.container.v1.restart']
interval = '10s'
[plugins.'io.containerd.monitor.task.v1.cgroups']
no_prometheus = false
[plugins.'io.containerd.nri.v1.nri']
disable = false
socket_path = '/var/run/nri/nri.sock'
plugin_path = '/opt/nri/plugins'
plugin_config_path = '/etc/nri/conf.d'
plugin_registration_timeout = '5s'
plugin_request_timeout = '2s'
disable_connections = false
[plugins.'io.containerd.runtime.v2.task']
platforms = ['linux/amd64']
[plugins.'io.containerd.service.v1.diff-service']
default = ['walking']
sync_fs = false
[plugins.'io.containerd.service.v1.tasks-service']
blockio_config_file = ''
rdt_config_file = ''
[plugins.'io.containerd.shim.v1.manager']
env = []
[plugins.'io.containerd.snapshotter.v1.blockfile']
root_path = ''
scratch_file = ''
fs_type = ''
mount_options = []
recreate_scratch = false
[plugins.'io.containerd.snapshotter.v1.btrfs']
root_path = ''
[plugins.'io.containerd.snapshotter.v1.devmapper']
root_path = ''
pool_name = ''
base_image_size = ''
async_remove = false
discard_blocks = false
fs_type = ''
fs_options = ''
[plugins.'io.containerd.snapshotter.v1.native']
root_path = ''
[plugins.'io.containerd.snapshotter.v1.overlayfs']
root_path = ''
upperdir_label = false
sync_remove = false
slow_chown = false
mount_options = []
[plugins.'io.containerd.snapshotter.v1.zfs']
root_path = ''
[plugins.'io.containerd.tracing.processor.v1.otlp']
[plugins.'io.containerd.transfer.v1.local']
max_concurrent_downloads = 3
max_concurrent_uploaded_layers = 3
config_path = ''
[cgroup]
path = ''
[timeouts]
'io.containerd.timeout.bolt.open' = '0s'
'io.containerd.timeout.metrics.shimstats' = '2s'
'io.containerd.timeout.shim.cleanup' = '5s'
'io.containerd.timeout.shim.load' = '5s'
'io.containerd.timeout.shim.shutdown' = '3s'
'io.containerd.timeout.task.state' = '2s'
[stream_processors]
[stream_processors.'io.containerd.ocicrypt.decoder.v1.tar']
accepts = ['application/vnd.oci.image.layer.v1.tar+encrypted']
returns = 'application/vnd.oci.image.layer.v1.tar'
path = 'ctd-decoder'
args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys']
env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf']
[stream_processors.'io.containerd.ocicrypt.decoder.v1.tar.gzip']
accepts = ['application/vnd.oci.image.layer.v1.tar+gzip+encrypted']
returns = 'application/vnd.oci.image.layer.v1.tar+gzip'
path = 'ctd-decoder'
args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys']
env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf']
Start a pod by |
Hey @djdongjin, thank you for testing it again. After testing a bit more, the issue seems to be a bit more complicated. My findings so far:
TL;DR: You have to enable user namespaces for your container to make it fail. If you do that, the pod is created, but the container within the pod can't be started. |
Hey folks, it's still an issue with version 2.0.2. Is there anything I can do to help find a solution? |
Hi @mathias-ioki , I haven't got time to repro with a user namespace case. Do you have an existing |
Previously, PluginInfo was called with task options as the primary value, resulting in opts.BinaryName being omitted. Consequently, the containerd-shim-runc-v2 fell back to the system's runc binary in the PATH rather than the explicitly specified one.
This change inverts the option fallback by preferring runtime options over task options, ensuring the correct binary is used for the PluginInfo request.
Closes: containerd#11169
Signed-off-by: Jose Fernandez <[email protected]>
Reviewed-by: Erikson Tung <[email protected]>
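A simplified model of the option fallback that the commit message above describes, added here as an illustration; it is not containerd's code and not part of the thread. The `Options` struct, `firstNonNil`, `resolveBinary`, `binaryBefore` and `binaryAfter` are hypothetical names, the "first non-nil wins" selection is an assumption, the `/opt/crun/crun` value comes from the config posted above, and the empty task options are constructed.

```go
package main

import "fmt"

// Options is a hypothetical, reduced stand-in for the runc shim options.
type Options struct {
	BinaryName    string
	SystemdCgroup bool
}

// firstNonNil models a "primary value, then fallback" selection (assumed shape).
func firstNonNil(candidates ...*Options) *Options {
	for _, c := range candidates {
		if c != nil {
			return c
		}
	}
	return nil
}

// resolveBinary models the shim falling back to runc in PATH when no
// BinaryName is supplied, as the commit message describes.
func resolveBinary(o *Options) string {
	if o == nil || o.BinaryName == "" {
		return "runc" // looked up in PATH
	}
	return o.BinaryName
}

// binaryBefore: task options are primary, runtime options only a fallback.
func binaryBefore(runtimeOpts, taskOpts *Options) string {
	return resolveBinary(firstNonNil(taskOpts, runtimeOpts))
}

// binaryAfter: runtime options are preferred over task options.
func binaryAfter(runtimeOpts, taskOpts *Options) string {
	return resolveBinary(firstNonNil(runtimeOpts, taskOpts))
}

func main() {
	// Runtime options as in the posted runtimes.crun.options table.
	runtimeOpts := &Options{BinaryName: "/opt/crun/crun", SystemdCgroup: true}
	// Constructed: task options present but carrying no BinaryName.
	taskOpts := &Options{}
	fmt.Println("before:", binaryBefore(runtimeOpts, taskOpts))
	fmt.Println("after: ", binaryAfter(runtimeOpts, taskOpts))
	fmt.Println("no task options:", binaryBefore(runtimeOpts, nil))
}
```

The third case shows why the mismatch only appears on some code paths: when no task options are passed at all, both orderings resolve to the configured binary.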
@mathias-ioki @djdongjin, we believe we encountered this issue when we enabled user namespaces. In particular, the |
Description
The behaviour looks exactly the same, as described here: #10249
TL;DR: We are using crun instead of runc and therefore have a dedicated section for it in our containerd config. With the latest release, this seems to be ignored again.
Error:
Steps to reproduce the issue
Describe the results you received and expected
Results I expect:
Results I received:
What version of containerd are you using?
v2.0.1
Any other relevant information
/opt/crun/crun --version
Show configuration if it is related to CRI plugin.
Related config section - was working fine with 2.0.0: