Upgrade to 1.14 breaks some docker container (os: debian) #1400
Comments
I also need to disable my https://build.opensuse.org/package/show/home:alvistack/containers-crun-1.14, and roll back all of my Kubernetes nodes on Ubuntu 20.04/22.04 with crun 1.13. If it is bpf related, it should be due to 9306457. If it is apparmor related, it should be due to 5078ce6.
I am not able to reproduce the issue (I've not tried to configure Docker), could you try if the following patch solves the problem for you?
diff --git a/src/libcrun/ebpf.c b/src/libcrun/ebpf.c
index 5534d47..cb0f8f2 100644
--- a/src/libcrun/ebpf.c
+++ b/src/libcrun/ebpf.c
@@ -483,12 +483,15 @@ libcrun_ebpf_load (struct bpf_program *program, int dirfd, const char *pin, libc
fd = bpf (BPF_PROG_LOAD, &attr, sizeof (attr));
if (fd < 0)
{
- const size_t log_size = 8192;
- cleanup_free char *log = xmalloc (log_size);
-
/* Prior to Linux 5.11, eBPF programs were accounted to the memlock
prlimit. Attempt to bump the limit, if possible. */
bump_memlock ();
+ fd = bpf (BPF_PROG_LOAD, &attr, sizeof (attr));
+ }
+ if (fd < 0)
+ {
+ const size_t log_size = 8192;
+ cleanup_free char *log = xmalloc (log_size);
log[0] = '\0';
attr.log_level = 1;
As a workaround, you can try forcing the memory lock ulimit to 4kb, if you are using systemd you can force
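Review bot: in the first `if (fd < 0)` block, the retry after `bump_memlock ()` runs for every failure of the initial `bpf (BPF_PROG_LOAD, &attr, sizeof (attr))`, whatever errno it returned. Consider gating the bump and the retry on the errno that an exhausted memlock limit produces, so that unrelated load failures go straight to the logged attempt. A one-line comment above the second `if (fd < 0)` would also help, saying that the attempt with `attr.log_level = 1` and the 8192-byte `log` buffer is there for diagnostics only, since that attempt can itself fail when the buffer is too small.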
Hi Giuseppe, and thanks. Actually, in all VMs affected by this issue the ulimit is set to unlimited, so I don't think setting to 4kb can help.
Could you please check what is the limit for the Docker (or containerd) daemon? You can grab it from
Sure!
Thanks, the locked memory ulimit seems fine. I can open a PR with my patch, if you've a possibility to try it out.
I've configured Docker on Debian 11 with crun, but I am not able to reproduce the issue. What kernel version are you using? How have you created the container?
@giuseppe just a guess, could it be related to cgroupns which I set to host? It's the only customization which I have done on docker. Also, I wrote you an email if you wish to test something together, just a proposal ;)
That should not really matter, but you never know... Thanks for the proposal, yes that would help, I'd like to validate my patch in a configuration where we can see the regression.
Hi @giuseppe, I tried to apply the diff you suggested, and the problem seems to have disappeared. Thanks a lot! Marco
commit 9306457 was too eager to use the same fallback with a log, and that could fail for other reasons (e.g. not enough buffer space). Add a fallback without using the log, so that on kernels older than 5.11 we have a better chance of success. Closes: containers#1400 Signed-off-by: Giuseppe Scrivano <[email protected]>
Thanks for confirming it! Opened a PR: #1405
User Story
After upgrading crun to 1.14 some containers are not able to start.
Steps to reproduce:
Workaround:
Output
Output of docker start attached:
(Quick note: No space left on device is not caused by missing space on the HDD)