
Fails on Chrome OS Crostini

Open wpwoodjr opened this issue 5 years ago • 8 comments

$ docker run -d --name usernetes-node -p 127.0.0.1:8080:8080  -e U7S_ROOTLESSKIT_PORTS=0.0.0.0:8080:8080/tcp --privileged rootlesscontainers/usernetes default-docker
03c3f4df528ff65f8bef7733613ce1443424356a7fadd60b74012499a48742df

$ docker container logs usernetes-node 
./boot/kube-proxy.sh
./boot/etcd.sh
./boot/rootlesskit.sh
./boot/dockerd.sh
./boot/kube-scheduler.sh
./boot/kubelet-dockershim.sh
./boot/kube-controller-manager.sh
./boot/kube-apiserver.sh
[rootlesskit] open: No such file or directory
[rootlesskit] [rootlesskit:parent] error: failed to setup network &{binary:slirp4netns mtu:65520 ipnet:<nil> disableHostLoopback:true apiSocketPath: enableSandbox:true enableSeccomp:true}: setting up tap tap0: executing [[nsenter -t 107 -n -m -U --preserve-credentials ip tuntap add name tap0 mode tap] [nsenter -t 107 -n -m -U --preserve-credentials ip link set tap0 up]]: exit status 1
[rootlesskit] [rootlesskit:child ] error: parsing message from fd 3: EOF
[kube-proxy] [INFO] Entering RootlessKit namespaces: ...
[kube-apiserver] [INFO] Entering RootlessKit namespaces: ...
[etcd] [INFO] Entering RootlessKit namespaces: ...
[kube-controller-manager] [INFO] Entering RootlessKit namespaces: ...
[kubelet-dockershim] [INFO] Entering RootlessKit namespaces: ...
[kube-scheduler] [INFO] Entering RootlessKit namespaces: ...
task: Failed to run task "rootlesskit": exit status 1
[dockerd] [INFO] Entering RootlessKit namespaces: ...
$

wpwoodjr avatar Jan 15 '20 00:01 wpwoodjr

Missing /dev/net/tun?

AkihiroSuda avatar Jan 15 '20 00:01 AkihiroSuda

$ ls -lat /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Jan 16 20:26 /dev/net/tun

Crostini runs in an LXC unprivileged container (I'm running Ubuntu 18.04 in Crostini). Could that be the issue?

wpwoodjr avatar Jan 17 '20 01:01 wpwoodjr

Missing /etc/subuid and subgid?

AkihiroSuda avatar Jan 17 '20 03:01 AkihiroSuda

Also, you need security.nesting=true (not sure Chrome OS supports that, but I think I heard it does).

AkihiroSuda avatar Jan 17 '20 03:01 AkihiroSuda

$ cat /etc/subuid
lxd:100000:65536
root:100000:65536
ubuntu:165536:65536

$ cat /etc/subgid
lxd:100000:65536
root:100000:65536
ubuntu:165536:65536

I did lxc config set penguin security.nesting true and started the container but got the same errors from the Docker container log.

wpwoodjr avatar Jan 17 '20 04:01 wpwoodjr

Here's the configuration of my "penguin" Crostini container (I removed security.nesting after trying it):

$ lxc config show penguin
architecture: x86_64
config:
  image.architecture: x86_64
  image.description: Ubuntu 18.04 LTS server (20180831)
  image.os: ubuntu
  image.release: bionic
  volatile.base_image: f8597069baf75400ab02d896d424e4fb71476125a528168f7ecbe9ecc36f16cd
  volatile.eth0.hwaddr: 00:16:3e:af:4d:4a
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1001,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1001002,"Nsid":1002,"Maprange":654358},{"Isuid":true,"Isgid":true,"Hostid":655360,"Nsid":655360,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1655361,"Nsid":655361,"Maprange":9996},{"Isuid":true,"Isgid":true,"Hostid":665357,"Nsid":665357,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1665358,"Nsid":665358,"Maprange":999334642}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1001,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1001002,"Nsid":1002,"Maprange":654358},{"Isuid":true,"Isgid":true,"Hostid":655360,"Nsid":655360,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1655361,"Nsid":655361,"Maprange":9996},{"Isuid":true,"Isgid":true,"Hostid":665357,"Nsid":665357,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":1665358,"Nsid":665358,"Maprange":999334642}]'
  volatile.last_state.power: STOPPED
devices:
  container_token:
    path: /dev/.container_token
    source: /run/tokens/penguin_token
    type: disk
  ssh_authorized_keys:
    path: /dev/.ssh/ssh_authorized_keys
    source: /run/sshd/penguin/authorized_keys
    type: disk
  ssh_host_key:
    path: /dev/.ssh/ssh_host_key
    source: /run/sshd/penguin/ssh_host_key
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

wpwoodjr avatar Jan 17 '20 04:01 wpwoodjr

subuid and subgid need to be set up in the LXC container, not on the host.

Also, maybe you need security.privileged rather than security.nesting.

AkihiroSuda avatar Jan 17 '20 04:01 AkihiroSuda

I can't do security.privileged on Chrome OS.

How should /etc/subuid and /etc/subgid be set up in the container? Right now they are:

lxd:100000:65536
root:100000:65536
wpwoodjr:165536:65536

where wpwoodjr is my username in the container.

wpwoodjr avatar Jan 18 '20 03:01 wpwoodjr
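The thread turns on three prerequisites that are hard to eyeball from inside a Crostini container: a usable /dev/net/tun, subordinate uid/gid ranges for the container user in /etc/subuid and /etc/subgid, and the ability to create a tap device inside an unprivileged user+network namespace (the exact step that fails in the rootlesskit log). The following preflight script is an added example, not code from Usernetes or RootlessKit; it assumes util-linux (unshare), iproute2 (ip) and awk are installed in the container, and it uses a constructed sample subid file only for demonstration. The 65536-id minimum it checks for is the size the rootless Docker and RootlessKit documentation ask for.

```sh
#!/bin/sh
# Added preflight check (not part of Usernetes or RootlessKit): run inside the
# LXC/Crostini container before starting the usernetes-node image. It checks:
#   1. /dev/net/tun exists and is a character device
#   2. the current user has a subordinate uid/gid range in /etc/subuid and /etc/subgid
#   3. a tap device can be created inside a fresh user+network namespace
#      (the operation that failed in the rootlesskit log above)
# Assumes util-linux (unshare), iproute2 (ip) and awk are available.

# Return 0 if $1 is a character device (for /dev/net/tun that is major 10, minor 200).
is_char_device() {
    [ -c "$1" ]
}

# Print "start count" for the first entry of user $1 in subid file $2; return 1 if absent.
subid_range() {
    awk -F: -v u="$1" '
        $1 == u { print $2, $3; found = 1; exit }
        END { exit !found }' "$2"
}

# Return 0 if user $1 has an entry in $2 covering at least $3 ids (default 65536).
subid_ok() {
    range=$(subid_range "$1" "$2") || return 1
    count=${range#* }
    [ "$count" -ge "${3:-65536}" ]
}

# Attempt what rootlesskit does: create a tap device inside an unprivileged
# user+network namespace. Return 0 on success, non-zero if the kernel/LXC
# configuration refuses it (e.g. unprivileged LXC without security.nesting).
tap_probe() {
    unshare -Urn sh -c 'ip tuntap add name tap0 mode tap && ip link set tap0 up' 2>/dev/null
}

# Write a constructed sample subid file (demonstration data only) to $1.
write_sample_subid() {
    printf 'lxd:100000:65536\nroot:100000:65536\nwpwoodjr:165536:65536\nsmall:300000:1000\n' > "$1"
}

# Run all checks for the current user; return 0 only if every check passes.
preflight() {
    user=$(id -un)
    rc=0
    if is_char_device /dev/net/tun; then
        echo "ok   /dev/net/tun present"
    else
        echo "FAIL /dev/net/tun missing or not a character device"; rc=1
    fi
    for f in /etc/subuid /etc/subgid; do
        if subid_ok "$user" "$f"; then
            echo "ok   $f has >=65536 ids for $user: $(subid_range "$user" "$f")"
        else
            echo "FAIL $f has no sufficient entry for $user (add a line like '$user:165536:65536')"; rc=1
        fi
    done
    if tap_probe; then
        echo "ok   tap device creatable in a user+net namespace"
    else
        echo "FAIL cannot create a tap device in a user+net namespace (unprivileged LXC without security.nesting?)"; rc=1
    fi
    return $rc
}

# Run the checks only when invoked as `sh preflight.sh --run`; sourcing the
# file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    preflight
    exit $?
fi
```

Copy the script into the Crostini container and run `sh preflight.sh --run` as the user who will start Docker; a FAIL on the tap probe with the other two checks passing reproduces the situation in this thread, where the subid entries and /dev/net/tun are fine but the unprivileged LXC container still cannot create the tap device.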