
[Bug] CI/CD pipelines fail when we apply seccompProfile.type: RuntimeDefault to kuberay-operator container.

Open vinayakankugoyal opened this issue 1 year ago • 0 comments

Search before asking

  • [X] I searched the issues and found no similar issues.

KubeRay Component

ray-operator, ci

What happened + What you expected to happen

In https://github.com/ray-project/kuberay/commit/adbc5930aba72c2c549a9d3ca32f269a2533acf1 we attempted to set the seccompProfile.type to RuntimeDefault, which is a security best practice and is required for a pod to be admitted if the Pod Security Standard (PSS) Restricted profile is enforced.

While in my testing on kind and GKE clusters the ray-operator deployment came up successfully, I couldn't get that change to pass the CI/CD pipeline.

My guess is this is related to the version of Docker we are running and the golang version the binary uses. My best guess is that it's related to: https://github.com/docker-library/golang/issues/467#issuecomment-1601845758.

Reproduction script

  1. Apply the following commit: https://github.com/ray-project/kuberay/pull/1896/commits/bdae08c1302f0403226729abe9c2b099f92ce9bc

  2. Create a PR and run the CI/CD presubmit tests.

  3. The tests will fail with startup failures in the ray-operator binary. Look for the following errors:

runtime/cgo: pthread_create failed: Operation not permitted
SIGABRT: abort

Anything else

No response

Are you willing to submit a PR?

  • [X] Yes I am willing to submit a PR!

vinayakankugoyal, Feb 21 '24 19:02
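
The seccomp requirement of the PSS Restricted profile that the issue refers to can be checked against a pod spec before it reaches admission. The following is an added example, not part of the original issue or of KubeRay's code; it goes slightly beyond the issue by also covering the pod-level field and the Localhost type, and the function names and sample pod specs are constructed for illustration.

```python
# Added example: seccomp rule of the Pod Security Standards "Restricted" profile.
# Function names and the sample pod specs below are constructed for illustration.
ALLOWED = {"RuntimeDefault", "Localhost"}

def _seccomp_type(security_context):
    """Return seccompProfile.type from a securityContext dict, or None if unset."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")

def seccomp_violations(pod_spec):
    """List seccomp violations of PSS Restricted for a pod spec given as a dict."""
    violations = []
    pod_type = _seccomp_type(pod_spec.get("securityContext"))
    if pod_type is not None and pod_type not in ALLOWED:
        violations.append(f"pod: seccompProfile.type={pod_type} is not allowed")
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(kind) or []:
            ctype = _seccomp_type(c.get("securityContext"))
            if ctype is None:
                # A container may omit the field only when the pod-level field
                # is set to an allowed value.
                if pod_type not in ALLOWED:
                    violations.append(f"{kind}/{c['name']}: seccompProfile.type is unset")
            elif ctype not in ALLOWED:
                violations.append(
                    f"{kind}/{c['name']}: seccompProfile.type={ctype} is not allowed")
    return violations

def _pod(container_sc, pod_sc=None):
    """Build a constructed pod spec with a single kuberay-operator container."""
    spec = {"containers": [{"name": "kuberay-operator", "securityContext": container_sc}]}
    if pod_sc is not None:
        spec["securityContext"] = pod_sc
    return spec

RUNTIME_DEFAULT = {"seccompProfile": {"type": "RuntimeDefault"}}
UNSET = _pod({"allowPrivilegeEscalation": False})          # no profile anywhere
CONTAINER_LEVEL = _pod(RUNTIME_DEFAULT)                    # set on the container
POD_LEVEL = _pod({}, pod_sc=RUNTIME_DEFAULT)               # inherited from the pod
UNCONFINED = _pod({"seccompProfile": {"type": "Unconfined"}}, pod_sc=RUNTIME_DEFAULT)

if __name__ == "__main__":
    for label, spec in [("unset", UNSET), ("container-level", CONTAINER_LEVEL),
                        ("pod-level", POD_LEVEL), ("unconfined", UNCONFINED)]:
        print(label, seccomp_violations(spec) or "ok")
```

Passing this check only means the pod would satisfy the seccomp control at admission; it says nothing about whether the binary starts under the runtime's default profile, which is the failure this issue reports.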