*** zerocoolback has joined #kata-dev | 04:09 | |
*** eernst has joined #kata-dev | 04:11 | |
*** eernst has quit IRC | 04:21 | |
*** zerocoolback has quit IRC | 04:25 | |
*** sjas has joined #kata-dev | 04:28 | |
*** sjas_ has quit IRC | 04:31 | |
*** tonyb has quit IRC | 04:40 | |
*** tonyb has joined #kata-dev | 04:40 | |
*** marst has quit IRC | 05:34 | |
*** jodh has joined #kata-dev | 07:23 | |
*** davidgiluk has joined #kata-dev | 08:01 | |
*** gwhaley has joined #kata-dev | 08:02 | |
*** gwhaley has quit IRC | 11:02 | |
*** jodh has quit IRC | 11:02 | |
*** zerocoolback has joined #kata-dev | 11:51 | |
*** fuentess has joined #kata-dev | 12:14 | |
*** gwhaley has joined #kata-dev | 12:33 | |
*** devimc has joined #kata-dev | 12:40 | |
kata-irc-bot | <mvedovati> hi, have you ever done a security assessment of what are the risks of breaking outside of the container when using kata? would "owning" the vm lead to some more problems? | 15:07 |
kata-irc-bot | <mvedovati> Because I see that seccomp is not supported by default so this makes the guest kernel more vulnerable to attacks (https://github.com/kata-containers/agent/pull/353) | 15:07 |
*** changcheng has joined #kata-dev | 15:23 | |
*** annabelleB has joined #kata-dev | 15:24 | |
*** annabelleB has quit IRC | 15:26 | |
*** annabelleB has joined #kata-dev | 15:27 | |
*** annabelleB has quit IRC | 15:27 | |
*** zerocoolback has quit IRC | 15:46 | |
*** annabelleB has joined #kata-dev | 16:05 | |
kata-irc-bot | <anne> hi @mvedovati -- it's on a list of things we (the kata community) need to be doing soon, but we could definitely use more hands to help with that effort. Is that something you'd be interested in? | 16:38 |
kata-irc-bot | <mvedovati> hi @anne ; disclaimer: I'm not a security expert :slightly_smiling_face: I have some experience with the various security options available in docker (AppArmor, seccomp, etc..). But if there's nobody else really interested in doing this, or with extensive experience in security, then I'd be happy to kickstart an analysis and have more people jump in. | 16:46 |
kata-irc-bot | <anne> We have a couple security gurus hanging around who can give advice, but we really do need someone to put up a first draft of a threat model, analysis, and then we can get input. If you're up for drafting, that would be _fantastic_ | 16:51 |
*** annabelleB has quit IRC | 16:55 | |
*** gwhaley has quit IRC | 18:01 | |
*** annabelleB has joined #kata-dev | 18:30 | |
*** annabelleB has quit IRC | 18:43 | |
*** davidgiluk has quit IRC | 19:03 | |
*** annabelleB has joined #kata-dev | 19:11 | |
kata-irc-bot | <ydjainopensource> Hi! I was trying to port runtime to Z | 19:35 |
kata-irc-bot | <ydjainopensource> I get ```time="2018-09-05T14:56:28.027073996-04:00" level=error msg="#\t0x80039809\truntime.allocm+0x1a9\t\t\t/usr/local/go/src/runtime/proc.go:1516" arch=s390x container=1 name=kata-runtime pid=41263 sandbox=1 source=runtime``` | 19:35 |
kata-irc-bot | <ydjainopensource> Any ideas what might be causing this? | 19:36 |
kata-irc-bot | <jose.carlos.venegas.m> @ydjainopensource not familiar with that error, but I think it is not from the runtime, but from go(?) | 19:38 |
kata-irc-bot | <ydjainopensource> yup it does say go | 19:38 |
kata-irc-bot | <jose.carlos.venegas.m> what go version are you using? | 19:38 |
kata-irc-bot | <ydjainopensource> `go version go1.10.3 linux/s390x` | 19:38 |
kata-irc-bot | <jose.carlos.venegas.m> well, it is the same we use in the CI, I wonder if you could track what instruction in the code is triggering that error | 19:39 |
kata-irc-bot | <jose.carlos.venegas.m> @niteshkonkar007 ^ | 19:40 |
kata-irc-bot | <ydjainopensource> His error wasn't fixed either | 19:41 |
kata-irc-bot | <ydjainopensource> https://github.com/kata-containers/runtime/issues/576 | 19:42 |
kata-irc-bot | <ydjainopensource> but mine isn't related to vsocks | 19:42 |
kata-irc-bot | <raravena80> Isn't that the error that you get when it can't run qemu? Did you the path to qemu in your kata config? | 19:43 |
kata-irc-bot | <ydjainopensource> yup | 19:43 |
kata-irc-bot | <jose.carlos.venegas.m> @ydjainopensource you mean `context deadline exceeded` ? | 19:45 |
kata-irc-bot | <ydjainopensource> I get that one too but later | 19:46 |
kata-irc-bot | <ydjainopensource> This one is the first one I get | 19:46 |
*** annabelleB has quit IRC | 19:47 | |
kata-irc-bot | <jose.carlos.venegas.m> that may happen for different reasons, VM not starting correctly, agent crashing for some reason, the boot time in the guest is really slow | 19:47 |
kata-irc-bot | <ydjainopensource> i get this almost instantly | 19:48 |
kata-irc-bot | <ydjainopensource> So agent booting slow does not seem like an issue | 19:49 |
kata-irc-bot | <jose.carlos.venegas.m> agree | 19:50 |
kata-irc-bot | <jose.carlos.venegas.m> can you enable kata debug | 19:50 |
kata-irc-bot | <jose.carlos.venegas.m> https://github.com/kata-containers/documentation/blob/4f792312851f2aaccfc6104420189a93ea18cd83/Developer-Guide.md#enable-full-debug | 19:50 |
kata-irc-bot | <ydjainopensource> I have enabled it let me create an issue with the collect-data output | 19:51 |
kata-irc-bot | <jose.carlos.venegas.m> cool, thx | 19:51 |
kata-irc-bot | <ydjainopensource> Weird now i tried running again I get stuck at a later stage | 19:54 |
kata-irc-bot | <ydjainopensource> this is the output | 19:55 |
kata-irc-bot | <ydjainopensource> | 19:55 |
kata-irc-bot | <ydjainopensource> Here is the issue with the logs | 19:58 |
kata-irc-bot | <ydjainopensource> https://github.com/kata-containers/runtime/issues/702 | 19:58 |
kata-irc-bot | <jose.carlos.venegas.m> thank you | 20:00 |
kata-irc-bot | <sebastien.boeuf> @ydjainopensource I think `ERRO[0301] Failed to check if grpc server is working: rpc error: code = DeadlineExceeded desc = context deadline exceeded arch=s390x command=create container=test name=kata-runtime pid=2283 source=runtime` is caused by the fact that your VM does not start properly since this error means the agent didn't answer to the `Check()` command. | 20:24 |
kata-irc-bot | <ydjainopensource> I tried running the qemu cli generated using `sudo qemu-system-s390x <the string generated by runtime>` | 20:29 |
kata-irc-bot | <ydjainopensource> I get ```qemu-system-s390x: -qmp unix:/run/vc/vm/test/qmp.sock,server,nowait: Failed to bind socket to /run/vc/vm/test/qmp.sock: No such file or directory ``` | 20:29 |
kata-irc-bot | <ydjainopensource> @sebastien.boeuf looks like the vm fails to boot | 20:30 |
kata-irc-bot | <sebastien.boeuf> the path looks weird: `/run/vc/vm/test/qmp.sock`. It should be something like `/run/vc/sbs/<sandboxID>/qmp.sock` | 20:32 |
kata-irc-bot | <ydjainopensource> Okay let me check where this went wrong | 20:52 |
*** david-lyle has joined #kata-dev | 21:19 | |
*** devimc_ has joined #kata-dev | 21:19 | |
*** devimc has quit IRC | 21:22 | |
*** dklyle has quit IRC | 21:22 | |
*** fuentess has quit IRC | 21:53 | |
*** devimc_ has quit IRC | 22:35 |