When I installed containerd with the root user, I can't run nerdctl with a non-root user in rootless mode (fork/exec /opt/cni/bin/bridge: permission denied)
#2940
Comments

fork/exec /opt/cni/bin/bridge: permission denied)

Make sure that

Yap, I run the script from the non-root user.

it has a because the

if we do a ls -l on

@israeldahan could you try the above?
Description
I installed containerd and CNI as the root user, and when I install nerdctl with a user who is not in the root group I receive this error:
```
$ nerdctl run hello-world
FATA[0000] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time="2024-04-15T16:02:51+03:00" level=fatal msg="failed to call cni.Setup: plugin type=\"bridge\" failed (add): netplugin failed with no error message: fork/exec /opt/cni/bin/bridge: permission denied" Failed to write to log, write /home/shalea2/.local/share/nerdctl/1935db59/containers/default/7d19f6a0f68a0210719d5d14b631a70738de69af0776f741fd18eb576a7f4588/oci-hook.createRuntime.log: file already closed: unknown
```
And this is the log of the install in rootless mode:
```
$ ./containerd-rootless-setuptool.sh install
[INFO] Checking RootlessKit functionality
[INFO] Checking cgroup v2
[WARNING] Enabling cgroup v2 is highly recommended, see https://rootlesscontaine.rs/getting-started/common/cgroup2/
[INFO] Checking overlayfs
[INFO] Requirements are satisfied
[INFO] Creating "/home/shalea2/.config/systemd/user/containerd.service"
[INFO] Starting systemd unit "containerd.service"
● containerd.service - containerd (Rootless)
     Loaded: loaded (/home/shalea2/.config/systemd/user/containerd.service; disabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-04-15 16:15:12 IDT; 3s ago
   Main PID: 2972668 (rootlesskit)
     CGroup: /user.slice/user-1022.slice/user@1022.service/app.slice/containerd.service
             ├─2972668 rootlesskit --state-dir=/run/user/1022/containerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --copy-up=/var/lib --propagation=rslave /usr/local/bin/containerd-rootless.sh
             ├─2972680 /proc/self/exe --state-dir=/run/user/1022/containerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --copy-up=/var/lib --propagation=rslave /usr/local/bin/containerd-rootless.sh
             ├─2972699 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 2972680 tap0
             └─2972707 containerd

Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.910830407+03:00" level=error msg="failed to initialize a tracing processor "otlp"" error="no OpenTelemetry endpoint: skip plugin"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.910904697+03:00" level=info msg="loading plugin "io.containerd.grpc.v1.cri"..." type=io.containerd.grpc.v1
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911044890+03:00" level=info msg="Start cri plugin with config {PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc DefaultRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0} UntrustedWorkloadRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0} Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[BinaryName: CriuImagePath: CriuPath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false NoPivotRoot:false Root: ShimCgroup: SystemdCgroup:false] PrivilegedWithoutHostDevices:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0}] NoPivot:false DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.6 StatsCollectPeriod:10 SystemdCgroup:false EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:false EnableUnprivilegedICMP:false} ContainerdRootDir:/var/lib/containerd ContainerdEndpoint:/run/containerd/containerd.sock RootDir:/var/lib/containerd/io.containerd.grpc.v1.cri StateDir:/run/containerd/io.containerd.grpc.v1.cri}"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911107918+03:00" level=info msg="Connect containerd service"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911170646+03:00" level=info msg="Get image filesystem path "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs""
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911186696+03:00" level=warning msg="Running containerd in a user namespace typically requires disable_cgroup, disable_apparmor, restrict_oom_score_adj set to be true"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911623495+03:00" level=warning msg="failed to load plugin io.containerd.grpc.v1.cri" error="failed to create CRI service: failed to create cni conf monitor for default: failed to create cni conf dir=/etc/cni/net.d for watch: mkdir /etc/cni/net.d: permission denied"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911877722+03:00" level=info msg=serving... address=/run/containerd/containerd.sock.ttrpc
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911973762+03:00" level=info msg=serving... address=/run/containerd/containerd.sock
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.912005602+03:00" level=info msg="containerd successfully booted in 0.036624s"
Created symlink /home/shalea2/.config/systemd/user/default.target.wants/containerd.service → /home/shalea2/.config/systemd/user/containerd.service.
[INFO] Installed "containerd.service" successfully.
[INFO] To control "containerd.service", run:
       systemctl --user (start|stop|restart) containerd.service
[INFO] To run "containerd.service" on system startup automatically, run:
       sudo loginctl enable-linger shalea2
[INFO] ------------------------------------------------------------------------------------------
[INFO] Use `nerdctl` to connect to the rootless containerd.
[INFO] You do NOT need to specify $CONTAINERD_ADDRESS explicitly.
```
When I add the user to the root group, it passes successfully.
Steps to reproduce the issue
Describe the results you received and expected
To install containerd and CNI as root, and nerdctl for all users in rootless mode.
What version of nerdctl are you using?
Are you using a variant of nerdctl? (e.g., Rancher Desktop)
None
Host information

```
$ nerdctl version
Client:
 Version:       v1.7.4
 OS/Arch:       linux/amd64
 Git commit:    7b5f7e0
 buildctl:
  Version:      v0.13.1
  GitCommit:    2ae42e0c0c793d7d66b7a23424af6fd6c2f9c8f3

Server:
 containerd:
  Version:      1.6.21
  GitCommit:    3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:      1.1.7
  GitCommit:    v1.1.7-0-g860f061
```

```
$ nerdctl info
Client:
 Namespace:     default
 Debug Mode:    false

Server:
 Server Version: 1.6.21
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file syslog
  Storage: native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  rootless
 Kernel Version: 5.15.0-97-generic
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 96
 Total Memory: 503.5GiB
 Name: magicuser
 ID: 3f55e019-d45e-430b-9327-868d61749cfe

WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.
```
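As an added example, not code from the issue or from the nerdctl project: a small POSIX shell check for the failure mode reported above. `fork/exec /opt/cni/bin/bridge: permission denied` means the OCI hook, running as the rootless user, cannot execute the plugin binary. That is consistent with plugins installed by root under a restrictive umask (for example mode 0750, owner root:root), which also explains why adding the user to the root group makes the run succeed. `cni_check` tests each plugin with `test -x` as the invoking user and prints the `ls -l` line for any that fail; `cni_fix` is the `chmod` root would run on the plugin directory afterwards. The plugin list (bridge, portmap, firewall, tuning, host-local) is an assumption about what nerdctl's default bridge network invokes, and the temporary directory used in the demo is constructed to stand in for /opt/cni/bin.

```shell
#!/bin/sh
# Added example (not from the nerdctl project). Diagnose and fix
# "fork/exec /opt/cni/bin/bridge: permission denied" for a rootless user.

# Plugins the default bridge network is assumed to invoke (assumption).
CNI_REQUIRED="bridge portmap firewall tuning host-local"

# cni_check DIR: one line per required plugin. Returns 0 only if every
# plugin exists in DIR and is executable by the *current* user.
# Run this as the user that runs nerdctl, not via sudo: for root, test -x
# succeeds whenever any execute bit is set, which hides the problem.
cni_check() {
    dir=$1
    rc=0
    for p in $CNI_REQUIRED; do
        f="$dir/$p"
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"
            rc=1
        elif [ ! -x "$f" ]; then
            # ls -l shows the mode and owner that deny exec to this user
            echo "NOEXEC   $(ls -l "$f")"
            rc=1
        else
            echo "ok       $f"
        fi
    done
    return $rc
}

# cni_fix DIR: make the directory and the plugins in it world-readable and
# world-executable (0755). This is what root runs after installing the
# plugins with a restrictive umask; the binaries stay owned by root.
cni_fix() {
    chmod 0755 "$1" && chmod 0755 "$1"/*
}

# --- constructed demo: a temp dir standing in for /opt/cni/bin, with the
# plugins present but not executable by this user (mode 0600) ---
demo=$(mktemp -d)
for p in $CNI_REQUIRED; do : > "$demo/$p"; done
chmod 0600 "$demo"/*
echo "before fix:"
cni_check "$demo" || echo "=> at least one plugin is not executable"
cni_fix "$demo"
echo "after fix:"
cni_check "$demo" && echo "=> all plugins executable"
rm -rf "$demo"
```

Against the real host, `cni_check /opt/cni/bin` run as the non-root user reproduces the `ls -l` check suggested in the comments. If loosening /opt/cni/bin is not acceptable, the rootless user can instead point nerdctl at a private copy of the plugins with the `CNI_PATH` environment variable (or the `--cni-path` flag) rather than being added to the root group, which grants far more than execute access to five binaries.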