Ben Cressey

Results 167 comments of Ben Cressey

As far as I can tell this is the same error that was fixed in #3697, but at a different stage in the process. Running `mountsnoop` from `bcc`, I can...

@swagatbora90 that'd be great! Let me know if I can help advise on setting up a test environment, or testing out a change when ready.

We need to wind all of this into a single early-boot-config package with sub-packages. Some of the tricks that @jmt-lab is using in #3700 should help, like `Supplements` and using...

@webern - absolutely, I just don't want the packaging scattered across nine spec files. In some sense each spec is "free" but only if future changes are largely decoupled, and...

Digging around with `bpftrace`, I was able to rule out LSM checks - SELinux, capabilities - and narrowed the EPERM result down to [path_mount](https://elixir.bootlin.com/linux/v5.10.95/source/fs/namespace.c#L3154). There are actually two mount calls...

This happens because the SELinux label is removed by containerd's CRI implementation [if the container is privileged](https://github.com/containerd/containerd/blob/b8654e36f49d44396c0acc4112c1cd15aabf25d8/internal/cri/server/podsandbox/sandbox_run.go#L124). This is similar to [how seccomp filters are treated](https://github.com/containerd/containerd/blob/b6ee1add7c47c7468db7b101e14499aae8e98141/internal/cri/server/podsandbox/container_linux.go#L44). Normally this is fine...

@nike21oct - I haven't had a chance to dig into this and try to repro, but the behavior you're seeing is sufficiently unexpected that there may be something deeper going...

I don't see a link, but if I check `alpine:latest` they are using iptables with the "nftables" backend:

```
/ # apk add iptables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/aarch64/APKINDEX.tar.gz
(1/4) Installing...
```

> I am using nginx as an ingress controller in my EKS cluster which is using creating NLB on AWS cloud and using nodeport to communicate with the target group...