Ben Cressey
https://github.com/opencontainers/runc/commit/d83a861d950b42b53406424468f8644551fa8980 added a potential syscall to `faccessat2()`, which would happen on Bottlerocket because nodes will run with a 5.10 kernel. I don't have a fully working datadog agent setup, but...
It looks unrelated, but might need a fix somewhere. Here `system-probe` is running with an unprivileged label (`system_u:system_r:container_t:s0:c503,c650`) trying to send a signal to some process with a privileged label...
I expect you're correct that this is related to #1747. `dmesg` on the node would show a lot of AVC denials. EBS volume mounts currently get labeled with the MCS...
Force push above:

* applies all the patches in `glibc.spec`
* updates `cargo-make` as well
* drops the clippy fix from 23255a829f96b6464ebf116b06d9f724ee1d17be
Force push for a rebase to pull in the lint fix.
Force push applies `go fmt` from Go 1.19.
This may be the root cause for #2295 as well - if the overlayfs is not mounted with a `context=` override, then the SELinux label will be the same as...
Interesting! This doesn't actually fix the issue on Bottlerocket; the `emptyDir` mount still has the problematic `nosuid,nodev` flags:

```
/dev/nvme1n1p1 on /home/user/.local/share/buildkit type ext4 (rw,seclabel,nosuid,nodev,noatime)
```

It's great that it...
A nice end state here would be to add CPU and memory limits to all the pods involved.
ECS also supports auto-scaling warm pools now, so we should try to implement this in an orchestrator-agnostic way.