Skip to content
This repository has been archived by the owner on May 6, 2020. It is now read-only.

Latest CRI-O does not work for CC #552

Closed
chavafg opened this issue Sep 13, 2017 · 3 comments
Closed

Latest CRI-O does not work for CC #552

chavafg opened this issue Sep 13, 2017 · 3 comments
Assignees
@sameo
Labels
bug

Comments

@chavafg
Copy link
Contributor

chavafg commented Sep 13, 2017

I tried to update CRI-O to unblock our CI [1], but unfortunately I got this error from the runtime:
Logs can be found on [2].

# time="2017-09-13 21:46:04.038222562Z" level=debug msg="running conmon: /home/runner/workspace/src/github.com/kubernetes-incubator/cri-o/conmon/conmon" args=[-c 9d120eb5a6efb1b45740fc6b65d90adb466c8d597e9ef0253516eeb93aad42c8 -u 9d120eb5a6efb1b45740fc6b65d90adb466c8d597e9ef0253516eeb93aad42c8 -r /usr/local/bin/cc-runtime -b /tmp/tmp.ACHvv06bWw/crio-run/aufs-containers/9d120eb5a6efb1b45740fc6b65d90adb466c8d597e9ef0253516eeb93aad42c8/userdata -p /tmp/tmp.ACHvv06bWw/crio-run/aufs-containers/9d120eb5a6efb1b45740fc6b65d90adb466c8d597e9ef0253516eeb93aad42c8/userdata/pidfile -l /var/log/crio/pods/9d120eb5a6efb1b45740fc6b65d90adb466c8d597e9ef0253516eeb93aad42c8/9d120eb5a6efb1b45740fc6b65d90adb466c8d597e9ef0253516eeb93aad42c8.log --exit-dir /var/run/crio/exits] 
# time="2017-09-13 21:46:05.000801369Z" level=debug msg="Received container pid: -1" 
# time="2017-09-13 21:46:05.000828124Z" level=debug msg="Container creation error: cgroupsPath "/Burstable/pod_123-456/crio-9d120eb5a6efb1b45740fc6b65d90adb466c8d597e9ef0253516eeb93aad42c8" is absolute, cgroup mount MUST exist
# " 
# time="2017-09-13 21:46:06.514058420Z" level=info msg="Got pod network {Name:podsandbox1 Namespace:redhat.test.crio ID:9d120eb5a6efb1b45740fc6b65d90adb466c8d597e9ef0253516eeb93aad42c8 NetNS:/var/run/netns/k8s_podsandbox1_redhat.test.crio_redhat-test-crio_1-fff0d780 PortMappings:[]}" 
# time="2017-09-13 21:46:06.514090805Z" level=info msg="About to del CNI network crionet (type=bridge)" 
# Creating the pod sandbox failed: rpc error: code = 2 desc = container create failed: cgroupsPath "/Burstable/pod_123-456/crio-9d120eb5a6efb1b45740fc6b65d90adb466c8d597e9ef0253516eeb93aad42c8" is absolute, cgroup mount MUST exist
# rm: cannot remove ‘/tmp/tmp.ACHvv06bWw/crio/aufs’: Device or resource busy

CRI-O Log does not show anything.

[1] clearcontainers/tests#531
[2] http://cc-jenkins-ci.westus2.cloudapp.azure.com/job/clear-containers-tests-azure-ubuntu-16-04/111/consoleText
https://semaphoreci.com/clearcontainers/tests/branches/pull-request-531/builds/1
@chavafg chavafg added the bug label Sep 13, 2017
@amshinde
Copy link
Contributor

An initial look shows that the error is from our own runtime:

runtime/oci.go

Line 232 in 97aa6e6

return "", fmt.Errorf("cgroupsPath %q is absolute, cgroup mount MUST exist",

A cgroupsPath ("/Burstable/pod_123-456/crio-22ca6911d8830bead552e27c75065406a377155e2d3094e66fb1ce9832ef3f54") was passed in the spec file, but no cgroup mount was found in the list of mounts, hence the error. Could be crio is no longer passing cgroup mounts, but I need to look at this further.
The cgroup mount would typically look like

{
            "destination": "/sys/fs/cgroup",
            "type": "cgroup",
            "source": "cgroup",
            "options": [
                "nosuid",
                "noexec",
                "nodev",
                "relatime",
                "ro"
            ]
        }

@sameo Do we need to error out in case no cgroup mounts are found in the first place?
We could either not create the cgroup files altogether (which was being done for fixing a docker leak iirc)
or assume the path as "/sys/fs/cgroup" and proceed, similar to what is being done at

runtime/oci.go

Line 216 in 97aa6e6

return filepath.Join(cgroupsDirPath, resource, ociSpec.Linux.CgroupsPath), nil

@sameo
Copy link

sameo commented Sep 14, 2017
edited
Loading

@amshinde a couple of comments:

  • According to the OCI spec, an absolute cgroup path should be interpreted as relative to the system cgroup mount point. So not having a cgroup mount point is a valid case.

  • I don't think CRI-O ever passed a cgroup mount for pods, but only for pod containers.

So this:

	if !cgroupMountFound {
		if isPod {
			return "", fmt.Errorf("cgroupsPath %q is absolute, cgroup mount MUST exist",
				ociSpec.Linux.CgroupsPath)
		}

		// In case of container (CRI-O), if the mount point is not
		// provided, we assume this is a relative path.
		return filepath.Join(cgroupsDirPath, resource, ociSpec.Linux.CgroupsPath), nil
	}

is incorrect and should be:

	if !cgroupMountFound {
	        // According to the OCI spec, we should interpret absolute path as relative to the system
                //  cgroup mount point when there is no cgroup mount in the config.json      
		return filepath.Join(cgroupsDirPath, resource, ociSpec.Linux.CgroupsPath), nil
	}

@sameo
Copy link

sameo commented Sep 14, 2017

cc @runcom

sameo pushed a commit that referenced this issue Sep 14, 2017
oci: Follow the OCI spec for cgroup paths
159bd4e 
Getting an absolute path while not having a cgroup mount
from the OCI spec is a valid case. In that case the path
should be interpreted as a relative one to the system
cgroup mount point.

Fixes #552

Signed-off-by: Samuel Ortiz <[email protected]>
@sameo sameo mentioned this issue Sep 14, 2017
Merged
@sameo sameo self-assigned this Sep 14, 2017
sameo pushed a commit that referenced this issue Sep 14, 2017
oci: Follow the OCI spec for cgroup paths
6567493 
Getting an absolute path while not having a cgroup mount
from the OCI spec is a valid case. In that case the path
should be interpreted as a relative one to the system
cgroup mount point.

Fixes #552

Signed-off-by: Samuel Ortiz <[email protected]>
sameo pushed a commit that referenced this issue Sep 14, 2017
oci: Follow the OCI spec for cgroup paths
9de293c 
Getting an absolute path while not having a cgroup mount
from the OCI spec is a valid case. In that case the path
should be interpreted as a relative one to the system
cgroup mount point.

Fixes #552

Signed-off-by: Samuel Ortiz <[email protected]>
sameo pushed a commit that referenced this issue Sep 14, 2017
oci: Follow the OCI spec for cgroup paths
17cdf23 
Getting an absolute path while not having a cgroup mount
from the OCI spec is a valid case. In that case the path
should be interpreted as a relative one to the system
cgroup mount point.

Fixes #552

Signed-off-by: Samuel Ortiz <[email protected]>
sameo pushed a commit that referenced this issue Sep 14, 2017
oci: Follow the OCI spec for cgroup paths
d5fd9bd 
Getting an absolute path while not having a cgroup mount
from the OCI spec is a valid case. In that case the path
should be interpreted as a relative one to the system
cgroup mount point.

Fixes #552

Signed-off-by: Samuel Ortiz <[email protected]>
sameo pushed a commit that referenced this issue Sep 14, 2017
oci: Follow the OCI spec for cgroup paths
758ee9a 
Getting an absolute path while not having a cgroup mount
from the OCI spec is a valid case. In that case the path
should be interpreted as a relative one to the system
cgroup mount point.

Fixes #552

Signed-off-by: Samuel Ortiz <[email protected]>
@sameo sameo removed the in progress label Sep 14, 2017
mcastelino pushed a commit to mcastelino/runtime that referenced this issue Dec 6, 2018
@chavafg
versions: update openshift to 3.10.0
4fc3041 
Last week openshift origin v3.10.0 was released,
this PR updates our supported version from 3.9.0 to
3.10.0

This also updates the cri-o version that we use for
openshift, which is now cri-o 1.10.

Fixes: clearcontainers#552.

Signed-off-by: Salvador Fuentes <[email protected]>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@sameo sameo

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sameo @amshinde @chavafg