| kata-irc-bot2 | <harshal.patil> Hi, is there a way for a kata agent to download a blob before starting a container? I am experimenting with kata agent to download a trusted blob before the container is spawned (in this CreateContainer function, https://github.com/kata-containers/agent/blob/master/grpc.go#L606). When I try to fetch a simple blob from a http server I get `Connection Refused` @archana.m.shinde @xu @eric.ernst? | 03:12 |
|---|---|---|
| kata-irc-bot2 | <xu> I think there is no network set up at that time. Need others confirm that cc @bergwolf | 03:32 |
| *** noahm has quit IRC | 03:56 | |
| kata-irc-bot2 | <bergwolf> @harshal.patil guest network interface is configured when creating sandbox in the guest, IOW it is before creating containers. Maybe the interface is not fully up yet? You can check the guest log and look for sth. like interface up etc. | 04:05 |
| *** noahm has joined #kata-dev | 04:48 | |
| kata-irc-bot2 | <harshal.patil> thanks @bergwolf. In my case the interface name is `eth0`, I am using initrd (not the boot disk) on x64. I even added a 10sec delay. But it still says connection refused. I am suspecting something is blocking the traffic going out. for my test I am doing os.exec of the binary present in initrd to that's trying to pull an image from docker hub ``` time="2019-04-29T10:09:45.695734754+05:30" level=info | 04:54 |
| kata-irc-bot2 | msg="time=\"2019-04-29T04:39:45.667320137Z\" level=debug msg=\"test\" XXXXXXXXXXXXX=\"exec: already started\" name=kata-agent pid=1 sandbox=038be1eae98849e500eedddf08823e1a84f67e29d6dc05a0301830074988a086 source=agent\n" name=kata-proxy pid=12140 sandbox=038be1eae98849e500eedddf08823e1a84f67e29d6dc05a0301830074988a086 source=agent time="2019-04-29T10:09:45.695947235+05:30" level=info msg="time=\"2019-04-29T04:39:45.667694882Z\" level=debug | 04:54 |
| kata-irc-bot2 | msg=\"test\" MMMMMMMMMMMM=\"time=\\\"2019-04-29T04:39:45Z\\\" level=fatal msg=\\\"Error determining manifest MIME type for docker://busybox:latest: pinging docker registry returned: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on [::1]:53: read udp [::1]:49740->[::1]:53: read: connection refused\\\" \\n\" name=kata-agent pid=1 sandbox=038be1eae98849e500eedddf08823e1a84f67e29d6dc05a0301830074988a086 source=agent\n" | 04:54 |
| kata-irc-bot2 | name=kata-proxy pid=12140 sandbox=038be1eae98849e500eedddf08823e1a84f67e29d6dc05a0301830074988a086 source=agent time="2019-04-29T10:09:45.696344968+05:30" level=info msg="time=\"2019-04-29T04:39:45.6680791Z\" level=info msg=\"ignoring unexpected signal\" name=kata-agent pid=1 sandbox=038be1eae98849e500eedddf08823e1a84f67e29d6dc05a0301830074988a086 signal=\"child exited\" source=agent\n" name=kata-proxy pid=12140 | 04:54 |
| kata-irc-bot2 | sandbox=038be1eae98849e500eedddf08823e1a84f67e29d6dc05a0301830074988a086 source=agent 111 | 04:54 |
| kata-irc-bot2 | <harshal.patil> ah, it's a name resolution issue. From agent, the dns server is not accessible | 05:53 |
| kata-irc-bot2 | <harshal.patil> I just wrote `nameserver 8.8.8.8` in /etc/resolv.conf of the agent, and it started working. | 05:59 |
| kata-irc-bot2 | <bergwolf> yeah, we do not setting sandbox dns right now. Ideally it can be set together with IP and routes. containerd writes it to `resolv.conf` in the sandbox root dir. We can pick it up and pass it to the guest. | 06:06 |
| kata-irc-bot2 | <harshal.patil> If you are fine by it, I can send the PR for it. what do you say? | 06:09 |
| kata-irc-bot2 | <bergwolf> sure, please go for it. thx! | 06:11 |
| kata-irc-bot2 | <bergwolf> @harshal.patil I created https://github.com/kata-containers/runtime/issues/1603 to track it | 06:12 |
| kata-irc-bot2 | <bergwolf> Please note that kata-agent doesn’t really use the dns field yet. So both runtime and agent need to be fixed. | 06:13 |
| kata-irc-bot2 | <harshal.patil> sure | 06:14 |
| kata-irc-bot2 | <harshal.patil> thanks | 06:14 |
| *** tmhoang has joined #kata-dev | 06:32 | |
| *** dhellmann has quit IRC | 06:37 | |
| *** dhellmann has joined #kata-dev | 06:37 | |
| *** pcaruana has joined #kata-dev | 06:44 | |
| *** sgarzare has joined #kata-dev | 07:01 | |
| *** jodh has joined #kata-dev | 07:10 | |
| *** dklyle has quit IRC | 07:14 | |
| *** dklyle has joined #kata-dev | 07:14 | |
| *** kashyap` has joined #kata-dev | 07:49 | |
| *** kashyap` is now known as kashyap | 07:49 | |
| *** davidgiluk has joined #kata-dev | 07:56 | |
| *** gwhaley has joined #kata-dev | 08:05 | |
| *** ur5us has quit IRC | 09:46 | |
| *** pcaruana has quit IRC | 09:55 | |
| *** pcaruana has joined #kata-dev | 10:38 | |
| *** gwhaley has quit IRC | 11:02 | |
| *** gwhaley has joined #kata-dev | 12:15 | |
| *** fuentess has joined #kata-dev | 12:29 | |
| *** devimc has joined #kata-dev | 12:42 | |
| *** dklyle has quit IRC | 12:44 | |
| *** dklyle has joined #kata-dev | 12:44 | |
| *** dklyle has quit IRC | 12:49 | |
| *** altlogbot_2 has quit IRC | 13:23 | |
| *** altlogbot_1 has joined #kata-dev | 13:25 | |
| kata-irc-bot2 | <julio.montes> @graham.whaley you don't want to include CONFIG_SWAP*, right? | 14:31 |
| kata-irc-bot2 | <graham.whaley> devimc: I'd rather not, but right now I believe libcontainer writes to the swap cgroup files even if they don't exist, despite it doing an early existence check :( | 14:31 |
| kata-irc-bot2 | <graham.whaley> I guess the bigger question is - do we want to enable swap inside Kata containers? | 14:31 |
| kata-irc-bot2 | <graham.whaley> I know somebody I know recently had some of their devops using swap in their containers in deployment - :cough: - by accident, as they had not restricted their containers not to, and had given them too little memory | 14:32 |
| kata-irc-bot2 | <graham.whaley> (and probably wondered why things were running so slow....) | 14:32 |
| kata-irc-bot2 | <graham.whaley> @julio.montes | 14:32 |
| kata-irc-bot2 | <julio.montes> @graham.whaley uhmm good question | 14:34 |
| kata-irc-bot2 | <graham.whaley> it's not like we are going to swap to the host swap partition eh? :slightly_smiling_face: | 14:35 |
| kata-irc-bot2 | <julio.montes> well according with gentoo (imo the bets distro) swap cgroup is required | 14:35 |
| kata-irc-bot2 | <julio.montes> https://wiki.gentoo.org/wiki/Docker | 14:35 |
| kata-irc-bot2 | <julio.montes> (*best distro) | 14:35 |
| kata-irc-bot2 | <julio.montes> @graham.whaley | 14:36 |
| kata-irc-bot2 | <graham.whaley> Here is the funny thing - when I run a runc docker locally with `-m 2048m` for instance on one of my machines, it says ``` | 14:37 |
| kata-irc-bot2 | <graham.whaley> ```WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.``` | 14:37 |
| kata-irc-bot2 | <graham.whaley> but, still runs the container | 14:37 |
| kata-irc-bot2 | <graham.whaley> but, we die if we don't have SWAP enabled in our kernel :( | 14:38 |
| kata-irc-bot2 | <julio.montes> :S | 14:39 |
| kata-irc-bot2 | <graham.whaley> maybe `runc` spots there is no swap, and modifes the json so libcontainer does not try to set it up. maybe that is something our agent should be doing? | 14:39 |
| kata-irc-bot2 | <julio.montes> @graham.whaley yes, I think so | 14:39 |
| kata-irc-bot2 | <julio.montes> https://github.com/kata-containers/agent/blob/master/grpc.go#L1141 | 14:39 |
| kata-irc-bot2 | Action: graham.whaley waits to see if julio.montes has found the equiv. code in `runc` ;-) | 14:40 |
| kata-irc-bot2 | <julio.montes> @graham.whaley not yet | 14:42 |
| kata-irc-bot2 | <julio.montes> but yes, I agree, swap should be optional | 14:43 |
| kata-irc-bot2 | Action: graham.whaley goes to play bisect on the CONFIG_EMBEDDED change.... | 14:56 |
| *** khyr0n has joined #kata-dev | 15:21 | |
| *** devimc has quit IRC | 15:43 | |
| *** devimc has joined #kata-dev | 15:45 | |
| *** igordc has joined #kata-dev | 16:06 | |
| *** dklyle has joined #kata-dev | 16:43 | |
| *** dklyle has quit IRC | 16:57 | |
| *** gwhaley has quit IRC | 17:02 | |
| *** jodh has quit IRC | 17:09 | |
| *** dklyle has joined #kata-dev | 17:19 | |
| *** tmhoang has quit IRC | 17:24 | |
| *** dklyle has quit IRC | 17:55 | |
| *** dklyle has joined #kata-dev | 18:03 | |
| *** sgarzare has quit IRC | 18:36 | |
| *** dklyle has quit IRC | 18:46 | |
| *** davidgiluk has quit IRC | 19:08 | |
| kata-irc-bot2 | <salvador.fuentes> @gmmaharaj hey, I was trying to follow https://virtio-fs.gitlab.io/howto-kata.html with the difference of using nemu. but when trying to run a container I get a grpc error. ``` $ sudo docker run --runtime kata-runtime -ti busybox sh docker: Error response from daemon: OCI runtime create failed: Failed to check if grpc server is working: rpc error: code = Unavailable desc = transport is closing: unknown. ``` have you | 19:25 |
| kata-irc-bot2 | successfully run a container with virtiofs enabled? | 19:25 |
| kata-irc-bot2 | <gmmaharaj> @salvador.fuentes i am debugging this right now. seems like stuff doesn't work. can you put this on hold for now until you hear from me. | 19:26 |
| kata-irc-bot2 | <gmmaharaj> ? | 19:26 |
| kata-irc-bot2 | <gmmaharaj> would that be ok ? | 19:26 |
| kata-irc-bot2 | <gmmaharaj> atleast around virtio-fs | 19:26 |
| kata-irc-bot2 | <salvador.fuentes> @gmmaharaj sure, no problem :slightly_smiling_face: | 19:27 |
| *** dklyle has joined #kata-dev | 19:40 | |
| *** dklyle has quit IRC | 20:00 | |
| kata-irc-bot2 | <archana.m.shinde> @harshal.patil Can I ask why you need to send out an htttp request at this point? Wanted to get a sense of what you are trying to do. As @bergwolf mentioned we do not have DNS setup at this point. | 20:01 |
| *** dklyle has joined #kata-dev | 20:14 | |
| kata-irc-bot2 | <eric.ernst> @gmmaharaj anything new on the kernel PR(s)? | 20:22 |
| kata-irc-bot2 | <eric.ernst> And, did you hear back from RH? | 20:22 |
| kata-irc-bot2 | <gmmaharaj> @eric.ernst naa.. graham is still being beaten by fragments. | 20:22 |
| kata-irc-bot2 | <gmmaharaj> yes, they have a tree based on 5.x will check it out later. | 20:22 |
| kata-irc-bot2 | <gmmaharaj> i am not able to rebase stefan's tree to 4.19.28 and that crashes.. tracking down the kernel that is the rootcause | 20:23 |
| kata-irc-bot2 | <gmmaharaj> i will have an email out to stefan on that shortly and since he in denver i am guessing he can knock it out soon. | 20:24 |
| kata-irc-bot2 | <gmmaharaj> and i can get virtiofs bits in soon. | 20:24 |
| kata-irc-bot2 | <gmmaharaj> so i think the plan should still hold as is? | 20:25 |
| kata-irc-bot2 | <gmmaharaj> 4.19.28 + vrtiofs, then fragments, then stefan and team can make a relase of virito-fs based on 5.x and we move there? | 20:25 |
| kata-irc-bot2 | <gmmaharaj> what say? | 20:25 |
| kata-irc-bot2 | <gmmaharaj> @stefanha ^^ | 20:25 |
| kata-irc-bot2 | <gmmaharaj> @eric.ernst 4.19.15 broke virtio-fs for us. stefan knows. will drop an email to make sure i get everyone on page. | 20:37 |
| *** dklyle has quit IRC | 21:03 | |
| *** pcaruana has quit IRC | 21:07 | |
| *** devimc has quit IRC | 21:08 | |
| *** dklyle has joined #kata-dev | 22:06 | |
| *** fuentess has quit IRC | 22:19 | |
| *** dklyle has quit IRC | 22:28 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!