*** eernst has quit IRC | 00:27 | |
*** annabelleB has quit IRC | 00:29 | |
*** annabelleB has joined #kata-dev | 00:30 | |
*** yingjun has joined #kata-dev | 00:46 | |
*** annabelleB has quit IRC | 01:02 | |
*** core_ has joined #kata-dev | 02:12 | |
*** mordred has quit IRC | 02:12 | |
*** core has quit IRC | 02:12 | |
*** core_ is now known as core | 02:12 | |
*** core has quit IRC | 02:12 | |
*** core has joined #kata-dev | 02:12 | |
*** mordred has joined #kata-dev | 02:14 | |
*** mcastelino has quit IRC | 02:14 | |
*** FL1SK has quit IRC | 02:15 | |
*** mcastelino has joined #kata-dev | 02:15 | |
*** libregeekingkid[ has quit IRC | 02:16 | |
*** mcastelino has quit IRC | 02:21 | |
*** eernst has joined #kata-dev | 03:01 | |
*** eernst has quit IRC | 03:52 | |
*** eernst has joined #kata-dev | 03:55 | |
kata-dev-irc-bot | <eric.ernst> @bergwolf - around ? | 04:07 |
kata-dev-irc-bot | <bergwolf> yup | 04:07 |
kata-dev-irc-bot | <eric.ernst> found a container which segfaults with Kata (only) and having fun. | 04:09 |
kata-dev-irc-bot | <eric.ernst> Fails in the entrypoint (this is a redis slave), where it does ``` | 04:11 |
kata-dev-irc-bot | if [ "$1" = 'redis-server' ]; then | 04:11 |
kata-dev-irc-bot |     chown -R redis . | 04:11 |
kata-dev-irc-bot |     exec gosu redis "$@" | 04:11 |
kata-dev-irc-bot | fi | 04:11 |
kata-dev-irc-bot | exec "$@" | 04:11 |
kata-dev-irc-bot | ``` | 04:11 |
kata-dev-irc-bot | <eric.ernst> (I admit I'm just starting to read about gosu and hadn't known much about it before this evening) | 04:11 |
kata-dev-irc-bot | <bergwolf> <- gosu first timer as well | 04:12 |
kata-dev-irc-bot | <bergwolf> Is there a image for it on github? | 04:12 |
kata-dev-irc-bot | <eric.ernst> I couldn't find exact one, but can check out the image via kubectl exec when using runc | 04:14 |
kata-dev-irc-bot | <eric.ernst> https://raw.githubusercontent.com/kubernetes/website/master/docs/tutorials/stateless-application/guestbook/redis-slave-deployment.yaml | 04:14 |
kata-dev-irc-bot | <eric.ernst> I made a simple pod based on that deployment. | 04:14 |
*** FL1SK has joined #kata-dev | 04:15 | |
*** sjas_ has joined #kata-dev | 04:17 | |
*** yingjun has quit IRC | 04:17 | |
kata-dev-irc-bot | <eric.ernst> ``` | 04:18 |
kata-dev-irc-bot | <eric.ernst> ntrypoint.sh[185] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffdfadbf6b8 ax:ffffffffff600400 si:7ffdfadc0d7b di:0\n" name=kata-proxy pid=112145 source=agent | 04:18 |
*** sjas has quit IRC | 04:20 | |
kata-dev-irc-bot | <bergwolf> agent segfault? | 04:20 |
kata-dev-irc-bot | <bergwolf> do you have a full backtrace? | 04:20 |
kata-dev-irc-bot | <eric.ernst> ``` | 04:20 |
kata-dev-irc-bot | entrypoint.sh[185] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffdfadbf6b8 ax:ffffffffff600400 si:7ffdfadc0d7b di:0\n" name=kata-proxy pid=112145 source=agent | 04:20 |
kata-dev-irc-bot | entrypoint.sh[185]: segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffdfadbf6b8 error 15\n" name=kata-proxy pid=112145 source=agent | 04:20 |
kata-dev-irc-bot | Core dump to |/bin/false pipe failed\n" name=kata-proxy pid=112145 source=agent | 04:20 |
kata-dev-irc-bot | ``` | 04:20 |
kata-dev-irc-bot | <bergwolf> missing vdso? | 04:21 |
kata-dev-irc-bot | <eric.ernst> hmm. perhaps. maybe this is a terrible / old binary. | 04:23 |
kata-dev-irc-bot | <eric.ernst> I wonder if this would work if I used an old guest kernel. | 04:23 |
kata-dev-irc-bot | <eric.ernst> or different kernel config between host and kata. | 04:25 |
kata-dev-irc-bot | <eric.ernst> Hrmm - seems like having vsyscall disabled is a security recommendation... | 04:26 |
kata-dev-irc-bot | <eric.ernst> alas, we have CONFIG_LEGACY_VSYSCALL_NONE=y and Azure (host kernel in my testing) has CONFIG_LEGACY_VSYSCALL_EMULATE=y | 04:28 |
kata-dev-irc-bot | <eric.ernst> From doing some reading -- I think that must be the issue. I suppose I could quickly verify. | 04:34 |
kata-dev-irc-bot | <bergwolf> sorry I'm going for lunch. I'll pull the image and see if I can reproduce it locally later | 04:34 |
kata-dev-irc-bot | <eric.ernst> So we're "more secure" here, but I worry that we are failing to run a container that is described in the "examples" for k8s | 04:34 |
kata-dev-irc-bot | <eric.ernst> If you do pull it and repro, verify my hunch that you can just enable VSYSCALL_EMULATE to avoid the failure. | 04:35 |
kata-dev-irc-bot | <bergwolf> yeah, we should provide legacy support if that's required by k8s example IMO | 04:35 |
kata-dev-irc-bot | <eric.ernst> ...then we can decide whether it makes sense to handle or not (most distros seem to have EMULATE set, but if we want maximal security....) | 04:35 |
kata-dev-irc-bot | <bergwolf> @eric.ernst I am able to bring it up with my customized guest kernel which includes VSYSCALL_EMULATE. I'm building a new kernel with the just merged kata kernel config and see how that one goes | 04:52 |
kata-dev-irc-bot | <eric.ernst> I *think* its specifically LEGACY_VSYSCALL... | 04:53 |
kata-dev-irc-bot | <eric.ernst> If it is specific to gosu, or that is a typical use case, perhaps we should enable. Curious if @kata has input on it. | 04:58 |
kata-dev-irc-bot | <eric.ernst> And with that, I'm signing off - have a good day @bergwolf | 04:58 |
kata-dev-irc-bot | <bergwolf> yeah, confirmed. without LEGACY_VSYSCALL it breaks | 04:59 |
kata-dev-irc-bot | <bergwolf> good night @eric.ernst | 04:59 |
kata-dev-irc-bot | <bergwolf> I think it's `CONFIG_LEGACY_VSYSCALL_EMULATE` we want there. | 05:01 |
*** yingjun has joined #kata-dev | 05:02 | |
*** eernst has quit IRC | 05:02 | |
*** yingjun has quit IRC | 05:22 | |
*** yingjun has joined #kata-dev | 05:52 | |
*** jodh has joined #kata-dev | 06:30 | |
*** sjas_ is now known as sjas | 06:34 | |
*** diga has joined #kata-dev | 07:01 | |
*** diga has quit IRC | 07:08 | |
*** sameo has joined #kata-dev | 07:46 | |
*** gwhaley has joined #kata-dev | 07:58 | |
*** yingjun has quit IRC | 08:24 | |
*** yingjun has joined #kata-dev | 08:31 | |
*** libregeekingkid[ has joined #kata-dev | 08:46 | |
*** yingjun has quit IRC | 08:49 | |
*** yingjun has joined #kata-dev | 08:51 | |
*** libregeekingkid[ has quit IRC | 09:39 | |
*** yingjun has quit IRC | 09:50 | |
*** cdent has joined #kata-dev | 10:01 | |
*** libregeekingkid[ has joined #kata-dev | 10:16 | |
*** davidgiluk has joined #kata-dev | 10:38 | |
*** sameo_ has joined #kata-dev | 10:46 | |
*** cdent has quit IRC | 10:47 | |
*** sameo has quit IRC | 10:47 | |
*** cdent has joined #kata-dev | 10:48 | |
stefanha | oci-systemd-hook seems to be unhappy with the state JSON generated by Kata (virtcontainers): | 10:55 |
stefanha | {"ociVersion":"","id":"","status":"","pid":5596,"bundle":""} | 10:55 |
stefanha | https://github.com/projectatomic/oci-systemd-hook/blob/master/src/systemdhook.c#L884 | 10:55 |
stefanha | Kata produces an empty string for "bundle" and systemdhook cannot find the <bundle>/config.json file. | 10:56 |
stefanha | I'm not familiar with OCI, but this seems weird. Maybe this hook has never been tested with Kata and virtcontainers/hook.go is an incomplete implementation of the OCI hooks spec? | 10:57 |
stefanha | Basically virtcontainers/hook.go doesn't populate the JSON fields: https://github.com/containers/virtcontainers/blob/master/hook.go#L51 :( | 11:00 |
* stefanha disables the hook for now | 11:04 | |
gwhaley | stefanha - oh, pls open a github issue. @eric.ernst @sboeuf | 11:09 |
* gwhaley drops for a bit... | 11:09 | |
*** gwhaley has quit IRC | 11:10 | |
*** devimc has joined #kata-dev | 12:03 | |
*** gwhaley has joined #kata-dev | 12:23 | |
*** fuentess has joined #kata-dev | 12:36 | |
kata-dev-irc-bot | <kata> hmmm what kernel version is it that requires LEGACY_VSYSCALL | 13:18 |
kata-dev-irc-bot | <eric.ernst> Hmm; not sure. I only checked since 4.11 | 13:19 |
kata-dev-irc-bot | <eric.ernst> I think it’s been around for quite a while though. Will look.... after coffee. | 13:28 |
*** gabyc_ has joined #kata-dev | 14:02 | |
*** yingjun has joined #kata-dev | 14:13 | |
*** annabelleB has joined #kata-dev | 14:41 | |
*** eernst has joined #kata-dev | 14:41 | |
kata-dev-irc-bot | <eric.ernst> @kata I guess what I am wondering is if the redis slave entrypoint is a common design pattern: ``` | 14:56 |
kata-dev-irc-bot | <eric.ernst> ``` | 14:57 |
kata-dev-irc-bot | # cat ../entrypoint.sh | 14:57 |
kata-dev-irc-bot | #!/bin/bash | 14:57 |
kata-dev-irc-bot | set -e | 14:57 |
kata-dev-irc-bot | if [ "$1" = 'redis-server' ]; then | 14:57 |
kata-dev-irc-bot |     chown -R redis . | 14:57 |
kata-dev-irc-bot |     exec gosu redis "$@" | 14:57 |
kata-dev-irc-bot | fi | 14:57 |
kata-dev-irc-bot | exec "$@" | 14:57 |
kata-dev-irc-bot | ``` | 14:57 |
*** djinni has quit IRC | 15:03 | |
kata-dev-irc-bot | <kata> oh not really | 15:07 |
kata-dev-irc-bot | <kata> it is and it isnt | 15:07 |
kata-dev-irc-bot | <kata> hahhaah | 15:07 |
kata-dev-irc-bot | <kata> i think for applications like redis and other apps not really built for containers it is | 15:08 |
kata-dev-irc-bot | <eric.ernst> Okay; when reading more about VSYSCALL, only old old applications should fall over. | 15:15 |
*** djinni has joined #kata-dev | 15:15 | |
kata-dev-irc-bot | <eric.ernst> https://github.com/kata-containers/runtime/issues/265 opened to track whether we need changes to our guest kernel config, or to see what we end up even getting to vsyscall in the first place.. | 15:16 |
kata-dev-irc-bot | <raravena80> our elasticsearch entrypoints use `gosu` btw | 15:21 |
kata-dev-irc-bot | <raravena80> ``` | 15:21 |
kata-dev-irc-bot | # Drop root privileges if we are running elasticsearch | 15:21 |
kata-dev-irc-bot | # allow the container to be started with `--user` | 15:21 |
kata-dev-irc-bot | if [ "$1" = 'elasticsearch' -a "$(id -u)" = '0' ]; then | 15:21 |
kata-dev-irc-bot |     # Change the ownership of /usr/share/elasticsearch/data to elasticsearch | 15:21 |
kata-dev-irc-bot |     chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data | 15:21 |
kata-dev-irc-bot |     set -- gosu elasticsearch "$@" -E cluster.name=${CLUSTER_NAME} \ | 15:21 |
kata-dev-irc-bot |         -E node.name=${NODE_NAME} -E network.publish_host=${HOST} | 15:21 |
kata-dev-irc-bot |     #exec gosu elasticsearch "$BASH_SOURCE" "$@" | 15:21 |
kata-dev-irc-bot | fi | 15:21 |
kata-dev-irc-bot | ``` | 15:21 |
kata-dev-irc-bot | <eric.ernst> @raravena80 want to try that out on kata? | 15:35 |
*** yingjun has quit IRC | 15:36 | |
kata-dev-irc-bot | <raravena80> sure, let me try it out, give me a few hours :slightly_smiling_face: | 15:39 |
kata-dev-irc-bot | <eric.ernst> ok. If you have pointer to container image i can do it now. | 15:44 |
kata-dev-irc-bot | <raravena80> hang on.... | 15:46 |
kata-dev-irc-bot | <raravena80> ```docker.elastic.co/elasticsearch/elasticsearch:<version>``` we are using 5.5.1 now but the latest is 6.2.4 | 15:47 |
kata-dev-irc-bot | <eric.ernst> thx. | 15:47 |
kata-dev-irc-bot | <eric.ernst> will test it now. | 15:47 |
kata-dev-irc-bot | <raravena80> you can set `$CLUSTER_NAME` and `$NODE_NAME` to whatever; for `$HOST` you need the IP address, mainly if you are running a cluster where other nodes need to discover the master | 15:50 |
*** gabyc_ has quit IRC | 15:52 | |
kata-dev-irc-bot | <raravena80> let me know if you have any other questions | 15:52 |
*** mcastelino has joined #kata-dev | 15:54 | |
*** fdegir has joined #kata-dev | 15:57 | |
*** mcastelino has quit IRC | 15:57 | |
*** devimc has quit IRC | 15:57 | |
*** gabyc_ has joined #kata-dev | 15:58 | |
*** gabyc_ has quit IRC | 15:58 | |
*** gabyc_ has joined #kata-dev | 15:59 | |
*** mcastelino has joined #kata-dev | 15:59 | |
*** annabelleB has quit IRC | 16:00 | |
*** annabelleB has joined #kata-dev | 16:26 | |
kata-dev-irc-bot | <eric.ernst> I don't see any segs there, @raravena80 | 16:35 |
kata-dev-irc-bot | <eric.ernst> Probably because the glib version is "good enough" there. | 16:35 |
kata-dev-irc-bot | <eric.ernst> I didn't get to test it out more thoroughly, though, just make sure init of the container worked. | 16:36 |
kata-dev-irc-bot | <eric.ernst> may be worth looking @ deeper. | 16:36 |
kata-dev-irc-bot | <raravena80> Awesome! I'll play around with it a bit more. | 16:36 |
*** gabyc_ has quit IRC | 16:43 | |
*** gabyc_ has joined #kata-dev | 16:49 | |
*** devimc has joined #kata-dev | 16:53 | |
*** jodh has quit IRC | 17:00 | |
*** gwhaley has quit IRC | 17:02 | |
*** eernst has quit IRC | 17:34 | |
*** eernst has joined #kata-dev | 17:35 | |
*** sameo_ has quit IRC | 18:00 | |
*** eernst has quit IRC | 18:08 | |
*** annabelleB has quit IRC | 18:33 | |
*** annabelleB has joined #kata-dev | 18:37 | |
*** annabelleB has quit IRC | 18:38 | |
*** eernst has joined #kata-dev | 18:48 | |
*** cdent has quit IRC | 18:53 | |
*** davidgiluk has quit IRC | 19:31 | |
*** annabelleB has joined #kata-dev | 20:36 | |
*** eernst has quit IRC | 20:38 | |
*** annabelleB has quit IRC | 20:46 | |
*** annabelleB has joined #kata-dev | 20:49 | |
*** eernst has joined #kata-dev | 20:51 | |
*** gabyc_ has quit IRC | 20:51 | |
*** devimc has quit IRC | 20:54 | |
*** gabyc_ has joined #kata-dev | 21:01 | |
kata-dev-irc-bot | Action: eric.ernst is tired of the lame ping demo on k8s. Ie, startup cluster with a mix of runc and kata and saying "hey look, they can ping each other" | 21:18 |
kata-dev-irc-bot | <eric.ernst> if anyone has any suggestions for good example, I can work on getting it going... | 21:22 |
*** fuentess has quit IRC | 21:31 | |
*** gabyc_ has quit IRC | 21:41 | |
*** annabelleB has quit IRC | 21:56 | |
kata-dev-irc-bot | <raravena80> @eric.ernst if you'd like to display something more related to security and maybe more practical, how about something like Vault (https://www.vaultproject.io/)? Another one: how about setting up an oauth2 server/microservice like hydra (https://github.com/ory/hydra)? Other things that can be configured with encryption at rest might be interesting too, like Mariadb with encryption at rest (might take longer) | 22:36 |
*** annabelleB has joined #kata-dev | 23:42 | |
*** annabelleB has quit IRC | 23:43 | |
*** annabelleB has joined #kata-dev | 23:44 | |
*** eernst has quit IRC | 23:51 | |
*** annabelleB has quit IRC | 23:55 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!