| *** EricRen has joined #kata-dev | 00:04 | |
| *** EricRen has quit IRC | 00:16 | |
| *** EricRen has joined #kata-dev | 01:04 | |
| *** eernst has joined #kata-dev | 01:20 | |
| *** eernst has quit IRC | 01:30 | |
| kata-irc-bot | <fupan> @eric.ernst yes | 01:40 |
|---|---|---|
| *** eernst has joined #kata-dev | 02:03 | |
| *** eernst has quit IRC | 02:34 | |
| *** eernst has joined #kata-dev | 02:34 | |
| *** eernst has quit IRC | 02:41 | |
| *** eernst has joined #kata-dev | 02:41 | |
| kata-irc-bot | <harshal.patil> ``` # ./bin/ctr run --snapshotter devmapper --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/busybox:latest hello sh / # / # / # mount /dev/sda on / type ext4 (rw,relatime,stripe=64) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755) devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666) shm on /dev/shm type tmpfs | 03:13 |
| kata-irc-bot | (rw,nosuid,nodev,noexec,relatime,size=65536k) mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime) sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime) tmpfs on /run type tmpfs (rw,nosuid,size=65536k,mode=755) devpts on /dev/console type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666) proc on /proc/bus type proc (ro,relatime) proc on /proc/fs type proc (ro,relatime) proc on /proc/irq type proc (ro,relatime) proc | 03:13 |
| kata-irc-bot | on /proc/sys type proc (ro,relatime) tmpfs on /proc/acpi type tmpfs (ro,relatime) tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /proc/sched_debug type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /sys/firmware type tmpfs (ro,relatime) tmpfs on /proc/scsi type tmpfs (ro,relatime) / # ``` | 03:13 |
| kata-irc-bot | <harshal.patil> why does it still use 9pfs exactly? Can this dependency on 9pfs can be completely removed? | 03:15 |
| kata-irc-bot | <harshal.patil> @argon.l @gmmaharaj @graham.whaley | 03:15 |
| *** eernst has quit IRC | 03:17 | |
| kata-irc-bot | <gmmaharaj> Adding @archana.m.shinde I am still working my way around kata so will let more experienced folks comment on it. | 03:19 |
| *** tmhoang has joined #kata-dev | 06:45 | |
| *** sgarzare has joined #kata-dev | 06:55 | |
| *** sameo has joined #kata-dev | 07:31 | |
| *** lpetrut has joined #kata-dev | 07:41 | |
| *** gwhaley has joined #kata-dev | 07:56 | |
| *** davidgiluk has joined #kata-dev | 08:03 | |
| kata-irc-bot | <graham.whaley> @harshal.patil in you case, it looks like you don't get any 9p mounts when running with `ctr`, so you probably could drop 9p. But, in the case of docker and I think k8s (`kubectl`), other items get mounted into the container, like the `/etc/hosts` file and similar, to set up the container environment as requested by the orchestration. I don't have a system to hand, but if you boot into a kata container with `kubectl` or `docker | 08:05 |
| kata-irc-bot | run` and try the `mount`, I think you will see 9p is used for some other mounts that are individual files, and not whole filesystems - and hence cannot (or not trivially) be done with block device mounts. | 08:05 |
| kata-irc-bot | <graham.whaley> I'm going to guess we enable 9p on the qemu command line always, by default, because of this - as we know (normally) we will need to use it. | 08:06 |
| kata-irc-bot | <harshal.patil> @graham.whaley Oh I forgot about `/etc/hosts` thing. Now it makes sense. | 09:15 |
| kata-irc-bot | <harshal.patil> thanks | 09:16 |
| *** devimc has joined #kata-dev | 12:37 | |
| *** fuentess has joined #kata-dev | 12:38 | |
| *** lpetrut has quit IRC | 13:01 | |
| *** irclogbot_0 has joined #kata-dev | 13:02 | |
| *** altlogbot_1 has joined #kata-dev | 13:06 | |
| kata-irc-bot | <graham.whaley> hi @salvador.fuentes - the hard requirement to have 'required' CIs passing, is that new? Maybe it happened when I was offline last week. But, I have no complaints about the requirement :slightly_smiling_face: | 13:11 |
| *** EricRen has quit IRC | 13:13 | |
| kata-irc-bot | <salvador.fuentes> I am not sure, maybe around 2 weeks ago... remember that someone pushed directly to master by mistake, I think @james.o.hunt changed it | 13:14 |
| kata-irc-bot | <graham.whaley> ah, I wondered if it came in with that change - yeah, we disabled push to master. I guess merge requiring 'required' was a side effect. np. I noticed it blocked me doing a merge yesterday... well, I guess it will be good for us all, and we're going to have to invest a little more effort getting the CIs more stable ;) | 13:16 |
| *** dklyle has joined #kata-dev | 13:17 | |
| kata-irc-bot | <salvador.fuentes> yeah :slightly_smiling_face: | 13:41 |
| kata-irc-bot | <graham.whaley> @salvador.fuentes @jose.carlos.venegas.m - wrt that ` /tmp/jenkins/workspace/kata-containers-runtime-fedora-PR/go/src/github.com/kata-containers/tests/vendor/github.com/onsi/ginkgo/extensions/table/table_entry.go:46` type fail we are seeing - I just ran 'make functional' 110 times locally, with no fails. I'm going to make a guess, and try it in a nested VM...? | 13:48 |
| kata-irc-bot | <salvador.fuentes> @graham.whaley sorry, I am late on my github mails, where are you seeing it? | 13:49 |
| kata-irc-bot | <jose.carlos.venegas.m> @graham.whaley the one that has timeout with state? | 13:49 |
| kata-irc-bot | <jose.carlos.venegas.m> @graham.whaley I see you already commented on https://github.com/kata-containers/runtime/pull/1337#issuecomment-481677585 | 13:56 |
| kata-irc-bot | <jose.carlos.venegas.m> yeah looks like the same issue not good for the project stability | 13:56 |
| kata-irc-bot | <salvador.fuentes> ohhh, I know which one. yesterday night I updated the fedora image that we use for testing. It has kernel 5.0 and seems to be more stable now... but lets see during the day | 13:58 |
| kata-irc-bot | <salvador.fuentes> hmm, seems like it continues to happen... http://jenkins.katacontainers.io/job/kata-containers-runtime-fedora-PR/1868/consoleText | 14:00 |
| kata-irc-bot | <jose.carlos.venegas.m> @salvador.fuentes could you reference or add more coments in https://github.com/kata-containers/tests/issues/1449 ? | 14:00 |
| kata-irc-bot | <salvador.fuentes> I have already try to make it fail locally using nested VM from azure and cannot reproduce the issue... not sure why when running on jenkins it fails | 14:01 |
| kata-irc-bot | <salvador.fuentes> @jose.carlos.venegas.m sure | 14:01 |
| kata-irc-bot | <graham.whaley> :( So, I would say 'then we just have to debug it', but if we can't even make it happen..... sigh | 14:01 |
| kata-irc-bot | <jose.carlos.venegas.m> hahah yeah, I think we can log stderr at least | 14:05 |
| kata-irc-bot | <jose.carlos.venegas.m> https://github.com/kata-containers/tests/blob/master/functional/state_test.go#L51 | 14:05 |
| kata-irc-bot | <jose.carlos.venegas.m> before fail | 14:05 |
| *** devimc has quit IRC | 14:05 | |
| *** devimc has joined #kata-dev | 14:05 | |
| kata-irc-bot | <jose.carlos.venegas.m> also looking at the code may be a race that sometimes run the container takes more than 5 secs | 14:06 |
| *** EricRen has joined #kata-dev | 14:09 | |
| kata-irc-bot | <graham.whaley> 5s, on a cloud instance, and maybe if we are now doing parallel test, is maybe not a long time | 14:19 |
| kata-irc-bot | <salvador.fuentes> well, the timeout message is on the runtime side, not on the test side. also this functional test is run serial | 14:22 |
| brtknr | argh is it possible to mount a volume into a kata container via containerd cli? | 16:06 |
| brtknr | i can spin up a busybox container but mounting volume is failing sadly | 16:06 |
| kata-irc-bot | <eric.ernst> What commands are you running’s | 16:06 |
| kata-irc-bot | <eric.ernst> I haven’t had the pleasure of using their CLI. | 16:07 |
| brtknr | sudo ctr run --runtime io.containerd.run.kata.v2 -t --rm --mount type=bind,src=/home/centos/hello/,dst=test/ docker.io/library/busybox:latest hello sh | 16:08 |
| brtknr | If I omit the --mount type=bind,src=/home/centos/hello/,dst=test/ it works okay | 16:08 |
| brtknr | In the docs, I got the impression that containerd is preferred over cri-o, is that the case? | 16:09 |
| kata-irc-bot | <eric.ernst> We aren’t too opinionated in it. Both are good. | 16:10 |
| brtknr | Hmm, oaky... in your experience, is mounting a trivial operation? | 16:11 |
| brtknr | mounting from hostPath | 16:11 |
| *** altlogbot_1 has quit IRC | 16:46 | |
| kata-irc-bot | <eric.ernst> should be -- we use it in Docker CLI, and in Kubernetes extensively. | 16:55 |
| kata-irc-bot | <eric.ernst> My next question is if there are any logs, or perhaps it makes sense to throw an issue up so we can gather info there and figure out the problem. | 16:56 |
| *** gwhaley has quit IRC | 16:59 | |
| davidgiluk | eric.ernst: You asked in one of the replies on virtiofs about formal something - what formalisms did you have in mind? | 17:09 |
| *** tmhoang has quit IRC | 17:11 | |
| kata-irc-bot | <eric.ernst> hey david -- I just want to make sure we evauluate things like pen testing, etc. | 17:21 |
| kata-irc-bot | <eric.ernst> put a plan in place to review it thoroughly and have a threat profile thought out before moving out of experimental. | 17:21 |
| kata-irc-bot | <gmmaharaj> brtknr: have you tried that without kata? i just tried that for containerd and it seems that fails as well with this error ```sudo ./bin/ctr run -t --rm --mount type=bind,src=/home/ganeshma,dst=/test docker.io/library/busybox:latest hello sh ctr: OCI runtime create failed: container_linux.go:265: starting container process caused | 17:21 |
| kata-irc-bot | "process_linux.go:348: container init caused \"rootfs_linux.go:57: mounting \\\"/home/ganeshma\\\" to rootfs \\\"/run/containerd/io.containerd.runtime.v1.linux/default/hello/rootfs\\\" at \\\"/run/containerd/io.containerd.runtime.v1.linux/default/hello/rootfs/test\\\" caused \\\"no such device\\\"\"": unknown ``` | 17:21 |
| davidgiluk | eric.ernst: OK, I think we can run things like static code analysis, hmm not sure how to get pen testing done | 17:23 |
| *** sameo has quit IRC | 18:36 | |
| stefanha | davidgiluk: I think we can get an audit or pen test done | 18:52 |
| davidgiluk | stefanha: We'd probably better start gently :-) | 18:52 |
| stefanha | davidgiluk: Depends on the sandbox :). If the sandbox is good then even with an abundance of bugs, it's hard to do anything with them. | 18:53 |
| davidgiluk | stefanha: Well, there's two separate levels to think about; one is sandbox escapes, but another is that the behaviour within the guest is still secure | 18:55 |
| *** EricRen has quit IRC | 18:55 | |
| stefanha | davidgiluk: Yep, unprivileged guest applications should be able to elevate their privileges or break the guest kernel. | 18:55 |
| davidgiluk | ^ not :-) | 18:56 |
| stefanha | :-) | 18:56 |
| *** davidgiluk has quit IRC | 19:09 | |
| *** sgarzare has quit IRC | 19:20 | |
| *** igordc has joined #kata-dev | 20:08 | |
| *** devimc has quit IRC | 20:58 | |
| brtknr | Wohoo finally got kata installed on my kubernetes cluster... strangely, i was having problems using calico with cri-o... switched to flannel and it seems to be happy | 22:10 |
| brtknr | I'll test attaching volumes with crio and report on the progress tomorrow | 22:27 |
| brtknr | I was told by @graham.whaley that @archana.m.shinde @sebastien.boeuf @eric.ernst would be able to help me with ways to avoid 9pfs when doing volume mount to kata | 22:28 |
| kata-irc-bot | <archana.m.shinde> brtknr, what are you trying to run inside your container? | 22:32 |
| brtknr | I am trying to run fio for io benchmarking to a network volume mounted from hostPath | 22:32 |
| kata-irc-bot | <archana.m.shinde> there are a couple of ways to avoid 9p, used empty-dir volumes based on tmpfs | 22:32 |
| kata-irc-bot | <archana.m.shinde> or you could do this: https://gist.github.com/amshinde/2ab9b5a2f2e91694a7421b1e2b787b58 | 22:34 |
| *** david-lyle has joined #kata-dev | 23:36 | |
| *** dklyle has quit IRC | 23:36 | |
| *** david-lyle has quit IRC | 23:46 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!