Fails on Chrome OS Crostini #121

Open
wpwoodjr opened this issue Jan 15, 2020 · 8 comments

Comments

@wpwoodjr

$ docker run -d --name usernetes-node -p 127.0.0.1:8080:8080  -e U7S_ROOTLESSKIT_PORTS=0.0.0.0:8080:8080/tcp --privileged rootlesscontainers/usernetes default-docker
03c3f4df528ff65f8bef7733613ce1443424356a7fadd60b74012499a48742df

$ docker container logs usernetes-node 
./boot/kube-proxy.sh
./boot/etcd.sh
./boot/rootlesskit.sh
./boot/dockerd.sh
./boot/kube-scheduler.sh
./boot/kubelet-dockershim.sh
./boot/kube-controller-manager.sh
./boot/kube-apiserver.sh
[rootlesskit] open: No such file or directory
[rootlesskit] [rootlesskit:parent] error: failed to setup network &{binary:slirp4netns mtu:65520 ipnet:<nil> disableHostLoopback:true apiSocketPath: enableSandbox:true enableSeccomp:true}: setting up tap tap0: executing [[nsenter -t 107 -n -m -U --preserve-credentials ip tuntap add name tap0 mode tap] [nsenter -t 107 -n -m -U --preserve-credentials ip link set tap0 up]]: exit status 1
[rootlesskit] [rootlesskit:child ] error: parsing message from fd 3: EOF
[kube-proxy] [INFO] Entering RootlessKit namespaces: ...
[kube-apiserver] [INFO] Entering RootlessKit namespaces: ...
[etcd] [INFO] Entering RootlessKit namespaces: ...
[kube-controller-manager] [INFO] Entering RootlessKit namespaces: ...
[kubelet-dockershim] [INFO] Entering RootlessKit namespaces: ...
[kube-scheduler] [INFO] Entering RootlessKit namespaces: ...
task: Failed to run task "rootlesskit": exit status 1
[dockerd] [INFO] Entering RootlessKit namespaces: ...
$
@AkihiroSuda
Member

Missing /dev/net/tun?

@wpwoodjr
Author

wpwoodjr commented Jan 17, 2020

$ ls -lat /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Jan 16 20:26 /dev/net/tun

Crostini runs in an LXC unprivileged container (I'm running Ubuntu 18.04 in Crostini). Could that be the issue?

@AkihiroSuda
Member

missing /etc/subuid and subgid?

@AkihiroSuda
Member

also you need security.nesting=true (not sure chromeos supports that, but I think I heard it supports)

@wpwoodjr
Author

$ cat /etc/subuid
lxd:100000:65536
root:100000:65536
ubuntu:165536:65536

$ cat /etc/subgid
lxd:100000:65536
root:100000:65536
ubuntu:165536:65536

I did lxc config set penguin security.nesting true and started the container but got the same errors from the Docker container log.

@wpwoodjr
Author

Here's the configuration of my "penguin" Crostini container (I removed security.nesting after trying it):

$ lxc config show penguin
architecture: x86_64
config:
  image.architecture: x86_64
  image.description: Ubuntu 18.04 LTS server (20180831)
  image.os: ubuntu
  image.release: bionic
  volatile.base_image: f8597069baf75400ab02d896d424e4fb71476125a528168f7ecbe9ecc36f16cd
  volatile.eth0.hwaddr: 00:16:3e:af:4d:4a
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1001,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1001002,"Nsid":1002,"Maprange":654358},{"Isuid":true,"Isgid":true,"Hostid":655360,"Nsid":655360,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1655361,"Nsid":655361,"Maprange":9996},{"Isuid":true,"Isgid":true,"Hostid":665357,"Nsid":665357,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1665358,"Nsid":665358,"Maprange":999334642}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1001,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1001002,"Nsid":1002,"Maprange":654358},{"Isuid":true,"Isgid":true,"Hostid":655360,"Nsid":655360,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1655361,"Nsid":655361,"Maprange":9996},{"Isuid":true,"Isgid":true,"Hostid":665357,"Nsid":665357,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1665358,"Nsid":665358,"Maprange":999334642}]'
  volatile.last_state.power: STOPPED
devices:
  container_token:
    path: /dev/.container_token
    source: /run/tokens/penguin_token
    type: disk
  ssh_authorized_keys:
    path: /dev/.ssh/ssh_authorized_keys
    source: /run/sshd/penguin/authorized_keys
    type: disk
  ssh_host_key:
    path: /dev/.ssh/ssh_host_key
    source: /run/sshd/penguin/ssh_host_key
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

@AkihiroSuda
Member

subuid and subgid needs to be set up in the LXC container, not on the host.

Also, maybe you need security.privileged rather than security.nesting.

@wpwoodjr
Author

I can't do security.privileged on Chrome OS.

How should /etc/subuid and /etc/subgid be set up in the container? Right now they are:

lxd:100000:65536
root:100000:65536
wpwoodjr:165536:65536

where wpwoodjr is my username in the container.
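A preflight script for the prerequisites named in this thread, added here as an example and not code from usernetes or RootlessKit. It checks, inside the LXC guest, that the tun device node exists, that the user who will run rootless containers has a subordinate uid/gid entry of at least 65536 ids, that no two users share a subordinate range, and that unprivileged user namespaces are enabled. The 65536 threshold, the function names and the sample file content are assumptions; the sample is constructed to mirror the /etc/subuid shown above.

```shell
#!/bin/sh
# Preflight checks for running rootless containers inside an LXC guest.
# Added example, not part of usernetes or RootlessKit. Thresholds, names and
# the sample content below are assumptions made for this example.

# Constructed sample mirroring the /etc/subuid posted in the thread.
SAMPLE_SUBUID='lxd:100000:65536
root:100000:65536
ubuntu:165536:65536'

# subid_range CONTENT USER: print "start:count" of USER's first entry; 1 if none.
subid_range() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u { print $2 ":" $3; found = 1; exit }
        END { exit !found }'
}

# subid_ok CONTENT USER [MIN]: 0 if USER has an entry of at least MIN ids
# (default 65536, one full uid/gid range for a container, assumed here).
subid_ok() {
    range=$(subid_range "$1" "$2") || return 1
    [ "${range#*:}" -ge "${3:-65536}" ]
}

# subid_overlaps CONTENT: print each pair of users whose ranges overlap;
# returns 1 if any pair was found (two users mapped onto the same host ids).
subid_overlaps() {
    printf '%s\n' "$1" | awk -F: '
        NF < 3 { next }
        { user[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print user[i] " " user[j]; bad = 1
                    }
            exit bad
        }'
}

# tun_ok [PATH]: 0 if the tun/tap device node exists as a character device.
tun_ok() {
    [ -c "${1:-/dev/net/tun}" ]
}

# userns_ok: 0 if the kernel allows user namespaces (Linux sysctl).
userns_ok() {
    [ -r /proc/sys/user/max_user_namespaces ] &&
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]
}

# check LABEL CMD ARGS...: run one check and record failure in rc.
check() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi
}

# preflight [USER]: run every check against the live system; 0 if all pass.
preflight() {
    u=${1:-$(id -un)}
    rc=0
    subuid=$(cat /etc/subuid 2>/dev/null)
    subgid=$(cat /etc/subgid 2>/dev/null)
    check "tun device /dev/net/tun" tun_ok
    check "user namespaces enabled" userns_ok
    check "subuid entry for $u (>= 65536 ids)" subid_ok "$subuid" "$u"
    check "subgid entry for $u (>= 65536 ids)" subid_ok "$subgid" "$u"
    check "no overlapping subuid ranges" subid_overlaps "$subuid"
    check "no overlapping subgid ranges" subid_overlaps "$subgid"
    return "$rc"
}

# Usage: sh preflight.sh --run [USER]
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-}"
fi
```

Run it as the user who will start the rootless node inside the LXC guest, since that is where the subordinate id entries have to exist. Against the sample content above, the overlap check reports `lxd root`, because both users are given the same 100000:65536 range; that is separate from the tap setup failure in the log, but it means containers owned by those two users map to identical host ids.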
