nri-plugins icon indicating copy to clipboard operation
nri-plugins copied to clipboard
verified publisher icon containers

NRI pod can't access the device /dev/isst_interface

Open changzhi1990 opened this issue 2 years ago • 3 comments

Hi, all.

Based on my testing about the sst feature in the topology-aware policy. I found that there some problems in the NRI pod.

The NRI pod can't find the /host/dev/isst_interface device.

image

After some research, I add these lines to the NRI daemonset. image

Then, the NRI pod has no permission to access this device:

W0804 01:56:49.287017       1 system.go:297] failed to get SST info for package 0: failed to read SST PP info: Mbox command failed with failed to open isst device "/host/dev/isst_interface": open /host/dev/isst_interface: operation not permitted

After that, I noticed that there are some securitycontext in the daemonset file and I modified it: image

I added the privileged: true into it and I commented the next two lines. At last, the NRI can access the sst device: image

So does my approach was correct?

changzhi1990 avatar Aug 04 '23 02:08 changzhi1990

Yes, looks about right. Running privileged should be an option (default to false) in the Helm chart

marquiz avatar Aug 07 '23 07:08 marquiz

Yes, looks about right. Running privileged should be an option (default to false) in the Helm chart

Do we need to create a pr to fix it?

changzhi1990 avatar Aug 08 '23 06:08 changzhi1990

Do we need to create a pr to fix it?

Yes, we need that. Add new options to the Helm chart to enable privileged mode and mount the host-dev

marquiz avatar Aug 16 '23 07:08 marquiz