Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
    Ian Lewis
    @ianlewis
    Yeah, cri-o doesn't have the concept of a shim like containerd does to smooth things over
    In general containerd should work better
    gattytto
    @gattytto
    here's the full debug log @ianlewis https://pastebin.com/88G62kWy I'll upload it to the issue too
    gattytto
    @gattytto
    I'm taking the chance to test log highlight in sublime text :thumbsup:
    Ian Lewis
    @ianlewis
    Yah, it looks like net.Interfaces() is just returning an empty list for the network namespace
    Like you said 
    I0322 19:40:08.232157  301309 network.go:53] Setting up network
I0322 19:40:08.232189  301309 namespace.go:122] Applying namespace network at path "/proc/301284/ns/net"
I0322 19:40:08.232268  301309 network.go:145] Skipping down interface: {Index:1 MTU:65536 Name:lo HardwareAddr: Flags:loopback}
D0322 19:40:08.232285  301309 network.go:252] Setting up network, config: {FilePayload:{Files:[]} LoopbackLinks:[] FDBasedLinks:[] Defaultv4Gateway:{Route:{Destination:{IP:<nil> Mask:<nil>} Gateway:<nil>} Name:} Defaultv6Gateway:{Route:{Destination:{IP:<nil> Mask:<nil>} Gateway:<nil>} Name:}}
    https://github.com/google/gvisor/blob/4a73bae269ae9f52a962ae3b08a17ccaacf7ba80/runsc/sandbox/network.go#L127
    I'm not sure why that would be. cri-o/CNI is not creating a network ns with any ifaces set up.
    Do you have any config in /etc/cni/net.d/?
    gattytto
    @gattytto
    yes
    runc runtime uses them just nice so changing "runsc" to runc in the same pod will create a working one (apt update etc works, I can see eth0 with ip and all)
    Ian Lewis
    @ianlewis
    strange
    It should basically be the same. runc/runsc etc. don't set up the network or ifaces themselves. crio-o does that and passes the network ns to the OCI runtime
    I'd have to look at it a bit more and see if I can reproduce it.
    gattytto
    @gattytto
    I can get you the srv ip and ssh access if you wanna get in and check it out
    so you don't have to setup the whole thing
    Ian Lewis
    @ianlewis
    No, I think I'll set up my own environment.
    gattytto
    @gattytto
    ok, I'm using minikube with driver=none and --container-runtime=cri-o (along with other non-related args)
    inside a LXC container
    Ian Lewis
    @ianlewis
    ok. I'm not sure we'll be able to support running it via cri-o in minikube specifically but I'd like to support cri-o as best as possible.
    Not everything will work well but networking should work at least
    gattytto
    @gattytto
    that's why I used driver=none, it doesn't start a vm for stuff, so I can be using crio service and cni configs residing all in the LXC container directly
    gattytto
    @gattytto
    @ianlewis I'm sorry for wasting your time, it is the following config in crio.conf:
    # manage_ns_lifecycle determines whether we pin and remove namespaces
# and manage their lifecycle
manage_ns_lifecycle = false
    must be set to true and restart crio, recreate pod and works
    Marek
    @majek
    I'm struggling to get runsc to set up cgroups.
    I tried this in config.json but that doesn't seem to work 
        "linux": {
    "namespaces": [
        {
        "type": "pid"
        },
        {
        "type": "network"
        },
        {
        "type": "ipc"
        },
        {
        "type": "uts"
        },
        {
        "type": "mount"
        },
            {
                "type": "cgroup"
            }
    ]
    },
    "cgroupsPath": "myRuntime/myContainer",
    "resources": {
        "memory": {
            "limit": 1000000,
            "reservation": 1500000
        },
        "devices": [
            {
                "allow": false,
                "access": "rwm"
            }
        ],
        "cpu": {
            "cpus": 1
        }
    }
    Ian Lewis
    @ianlewis
    @majek @gattytto both of those issues likely deserve github issues
    gattytto
    @gattytto
    @ianlewis google/gvisor#2233 thank you for the help
    GuhuangLS
    @GuhuangLS
    Hi. I have a question. What is the reason about getHandlesLocked(): "flags.Truncate && p9.VersionSupportsOpenTruncateFlag() , need a new handle"?
    Dmitrii Ustiugov
    @ustiugov
    Hi, could you please advise me if gvisor supports containerd's commands to Checkpoint and Restore a container?
    for example:
    checkpoint, err := task.Checkpoint(context)
    task, err = redis.NewTask(context, cio.Stdio, containerd.WithTaskCheckpoint(checkpoint))
    Ian Lewis
    @ianlewis
    We don't currently implement it via gvisor-containerd-shim
    https://github.com/google/gvisor-containerd-shim/blob/f299b553afdd8455a0057862004061ea12e660f5/pkg/v1/shim/service.go#L405
    You can use it with checkpointing with Docker though there are a few issues with it.
    https://gvisor.dev/docs/user_guide/checkpoint_restore/
    gattytto
    @gattytto
    image.png
    that was quick lol
    Dmitrii Ustiugov
    @ustiugov
    thank you, @ianlewis Is there any fundamental problem with checkpoints support in containerd-shim? would it be easy to extend the functionality? Are there any plans already to do so?
    Dmitrii Ustiugov
    @ustiugov
    regarding using docker, the second link that you provided says that Docker does not support restoration into a new container whereas runsc does not support restoration into the same container so that, AFAIU, the "ideal workflow" (from the link) does not work as of now. Could you please specify which flow I could follow in this case?
    Zach Koopmans
    @zkoopmans
    @tanjianfeng For the bi-weekly, looking at next Thursday the 9th @ 6P (should be Friday the 10th @ 9A for you). How does that look? Other days if not?
    Marek
    @majek
    I'm trying to get ssh daemon working inside gvisor
    now I'm at "console" questions 
    root@runsc:~# top

top: failed tty set: Inappropriate ioctl for device
    Marek
    @majek
    ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig -icanon -echo ...}) = -1 ENOTTY (Inappropriate ioctl for device)
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = -1 ENOTTY (Inappropriate ioctl for device)
    Marek
    @majek
    Not sure if related but I can't figure out what --console-socket is for
    gattytto
    @gattytto
    @majek ENOTTY = &Errno{25, "not a typewriter"}
    ErrQueueSizeNotSupported = New(tcpip.ErrQueueSizeNotSupported.String(), linux.ENOTTY)
    This message was deleted
    Kevin Krakauer
    @kevinGC
    @majek TCSETSF isn't implemented. It looks like it's just TCSETS, but it clears data waiting to be read.
    I'll file a github issue
    Kevin Krakauer
    @kevinGC
    google/gvisor#2335