*** snir has quit IRC | 00:07 | |
*** dklyle has quit IRC | 00:48 | |
*** snir has joined #kata-dev | 01:51 | |
*** crobinso has quit IRC | 02:09 | |
*** fuentess has quit IRC | 04:32 | |
*** pcaruana has joined #kata-dev | 07:29 | |
*** pcaruana has quit IRC | 07:32 | |
*** pcaruana has joined #kata-dev | 07:33 | |
*** pcaruana has quit IRC | 07:40 | |
*** amorenoz has joined #kata-dev | 07:47 | |
*** pcaruana has joined #kata-dev | 07:51 | |
*** sgarzare has joined #kata-dev | 08:07 | |
*** fgiudici has joined #kata-dev | 08:36 | |
*** jodh has joined #kata-dev | 08:42 | |
*** davidgiluk has joined #kata-dev | 09:04 | |
*** devimc has joined #kata-dev | 12:55 | |
*** bumperSteff has quit IRC | 12:55 | |
*** canyounot has joined #kata-dev | 13:28 | |
*** canyounot has quit IRC | 13:29 | |
*** pcaruana has quit IRC | 13:39 | |
*** devimc has quit IRC | 13:52 | |
*** pcaruana has joined #kata-dev | 13:56 | |
*** devimc has joined #kata-dev | 14:00 | |
*** fuentess has joined #kata-dev | 14:21 | |
*** sameo has quit IRC | 14:38 | |
*** sameo has joined #kata-dev | 14:56 | |
*** crobinso has joined #kata-dev | 15:06 | |
*** dklyle has joined #kata-dev | 15:29 | |
*** devimc has quit IRC | 16:31 | |
*** devimc has joined #kata-dev | 16:32 | |
*** sgarzare has quit IRC | 16:51 | |
*** bumperSteff has joined #kata-dev | 17:48 | |
*** jodh has quit IRC | 18:03 | |
*** fgiudici has quit IRC | 18:10 | |
*** bumperSteff has quit IRC | 19:00 | |
*** crobinso has quit IRC | 20:00 | |
*** davidgiluk has quit IRC | 20:17 | |
*** devimc has quit IRC | 20:38 | |
*** devimc has joined #kata-dev | 20:39 | |
*** snir has quit IRC | 21:43 | |
*** devimc has quit IRC | 22:00 | |
kata-irc-bot | <simon.kaegi> I'm trying to run KinD inside of our Kubernetes / Kata installation which in addition to dind apparently also needs some additional mounts...
```yaml
volumeMounts: # not strictly necessary in all cases
  - mountPath: /lib/modules
    name: modules
    readOnly: true
  - mountPath: /sys/fs/cgroup
    name: cgroup
volumes:
  - name: modules
    hostPath:
      path: /lib/modules
      type: Directory
  - name: cgroup
    hostPath:
      path: /sys/fs/cgroup
      type: Directory
```
I really cannot consider mounting the real `hostPath` volumes and to be honest not sure that would work anyway, but wondering if there is maybe some way to expose these paths from the guest? | 22:32 |
kata-irc-bot | <eric.ernst> hey @simon.kaegi - I think running privileged w/out host devices may help here? | 22:43 |
kata-irc-bot | <eric.ernst> well, let me TAL @ this closer. What you really want is 'guest priv' | 22:43 |
kata-irc-bot | <eric.ernst> @archana.m.shinde you recall? | 22:43 |
kata-irc-bot | <eric.ernst> I think even privileged will do the wrong thing here. | 22:44 |
kata-irc-bot | <simon.kaegi> oh yes we already run without host devices | 22:45 |
kata-irc-bot | <archana.m.shinde> I think using privileged with the "without_host_devices" option should work. iirc for paths such as "/sys", kata mounts the guest sysfs as it does not make sense to mount the host one | 22:47 |
kata-irc-bot | <archana.m.shinde> @simon.kaegi ^ | 22:48 |
kata-irc-bot | <eric.ernst> Kind of a hack, but ... let's see. | 22:56 |
kata-irc-bot | <eric.ernst> In the runtime, do we know the difference? Should the hostpath being sys/fs/cgroup do the right thing already then? | 22:57 |
kata-irc-bot | <eric.ernst> I guess we'd have issue w/ lib/modules | 22:57 |
kata-irc-bot | <archana.m.shinde> yes, it should do the right thing for sys/fs/cgroup iirc | 23:01 |
kata-irc-bot | <archana.m.shinde> https://github.com/kata-containers/runtime/blob/99a372e9602eef8077ca5a5c7bba5e6b2e718d1a/virtcontainers/container.go#L521 | 23:01 |
kata-irc-bot | <archana.m.shinde> We need to document that really | 23:02 |
kata-irc-bot | <archana.m.shinde> We may have an issue with lib/modules though | 23:03 |
kata-irc-bot | <eric.ernst> yeah. perhaps that can actually be passed in, and is the proper behavior anyway. | 23:04 |
kata-irc-bot | <eric.ernst> wdyt @simon.kaegi? | 23:04 |
kata-irc-bot | <eric.ernst> seems we should have a DinD doc that spells this out too? | 23:04 |
kata-irc-bot | <archana.m.shinde> yup agree, I started it, but haven't been disciplined enough to complete it in the past | 23:05 |
kata-irc-bot | <archana.m.shinde> we do need a doc | 23:06 |
kata-irc-bot | <eric.ernst> yea... <looks at my threat model doc> | 23:06 |
kata-irc-bot | <archana.m.shinde> I'll try to set some time this week to work on it | 23:07 |
kata-irc-bot | <simon.kaegi> yup I have some great hacks to share too. | 23:07 |
kata-irc-bot | <simon.kaegi> Ok so that's... unexpected re: hostPath for cgroups actually goes to the guest. Let me try that out -- I was literally scared to ;) | 23:09 |
kata-irc-bot | <simon.kaegi> any ideas for /lib/modules | 23:09 |
kata-irc-bot | <eric.ernst> What is being used within lib/modules? | 23:11 |
kata-irc-bot | <eric.ernst> Is kind insmod'ing something? | 23:11 |
kata-irc-bot | <simon.kaegi> I'm really not sure -- but it's mounted read only so maybe just lookup. | 23:12 |
kata-irc-bot | <eric.ernst> https://github.com/kubernetes-sigs/kind/issues/61#issuecomment-428392751 | 23:12 |
kata-irc-bot | <eric.ernst> Yeah -- let's see what happens if you don't do this :) :) | 23:13 |
kata-irc-bot | <simon.kaegi> ok 1 sec | 23:13 |
kata-irc-bot | <eric.ernst> ie, do you have ability to change the podSpec? | 23:13 |
kata-irc-bot | <simon.kaegi> oh ya | 23:13 |
kata-irc-bot | <eric.ernst> ok. I think kubeadm will throw warnings but still be happy without access to this. | 23:14 |
kata-irc-bot | <archana.m.shinde> yup | 23:15 |
kata-irc-bot | <eric.ernst> not sure if we'd ever want to access the hosts modules inside the guest. | 23:15 |
kata-irc-bot | <eric.ernst> I hate having one off/access-approve lists.... | 23:15 |
kata-irc-bot | <eric.ernst> ie, should we expand and say /lib/modules is similar to /sys | 23:16 |
kata-irc-bot | <eric.ernst> we don't have any modules anyway... so i don't think it makes much sense... | 23:16 |
kata-irc-bot | <archana.m.shinde> @eric.ernst I think it makes sense to have exceptions for system directories, that's the only interface that can be used to share guest-side system directories. | 23:17 |
kata-irc-bot | <simon.kaegi> Are `hostPath` volumes the only approach here? We use PSP to restrict that. | 23:20 |
kata-irc-bot | <simon.kaegi> We can provide a set of permitted paths I guess but... a bit yuck | 23:21 |
kata-irc-bot | <simon.kaegi> No change. But it's definitely possible I'm failing for other reasons here. I'll play around with it later on tonight. Have to go run an errand now, but ty ty | 23:24 |
kata-irc-bot | <eric.ernst> ack. let me know. | 23:33 |
*** fuentess has quit IRC | 23:59 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!