Description
We use two different versions of Golang to build containerd binaries with the same tag.
containerd tag: v1.6.16
- build with golang 1.18.x
Create a new container with docker inside the container created by containerd. This works fine.
- build with golang 1.20.x
Create a new container with docker inside the container created by containerd. Gets errors:
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "proc" to rootfs at "/proc": mount proc:/proc (via /proc/self/fd/10), flags: 0xe: operation not permitted: unknown.
Steps to reproduce the issue
- install lxcfs in node
  apt-get update
  apt-get install lxcfs -y
- replace containerd binaries to the binaries built with Golang 1.20.x and restart containerd service
- create pod
  apiVersion: v1
  kind: Pod
  metadata:
    name: docker-mount-sort-test-pod
    namespace: default
  spec:
    containers:
    - image: ghcr.io/sctb512/docker-test:latest
      imagePullPolicy: Always
      name: docker
      securityContext:
        privileged: true
        runAsNonRoot: false
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /var/lib/containerd
        mountPropagation: HostToContainer
        name: containerd-image
      - mountPath: /proc/meminfo
        name: lxcfs-proc-meminfo
        readOnly: true
      - mountPath: /proc/cpuinfo
        name: lxcfs-proc-cpuinfo
        readOnly: true
      - mountPath: /run/containerd
        name: containerd-dir
    volumes:
    - hostPath:
        path: /var/lib/lxc/lxcfs/proc/meminfo
        type: File
      name: lxcfs-proc-meminfo
    - hostPath:
        path: /var/lib/lxc/lxcfs/proc/cpuinfo
        type: File
      name: lxcfs-proc-cpuinfo
    - hostPath:
        path: /run/containerd
        type: Directory
      name: containerd-dir
    - hostPath:
        path: /var/lib/containerd
        type: Directory
      name: containerd-image
- Create a new container with docker in docker container.
  docker run --rm -it nginx:latest
Describe the results you received and expected
Result:
Create container failed and I get the following errors:
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "proc" to rootfs at "/proc": mount proc:/proc (via /proc/self/fd/10), flags: 0xe: operation not permitted: unknown.
Expect: container created successfully.
What version of containerd are you using?
1.6.16
Any other relevant information
No response
Show configuration if it is related to CRI plugin.
No response