| kata-irc-bot | <fidencio> @ssheribe, hey can you add https://github.com/kata-containers/kata-containers/pull/2222 as part of your backport PRs? That would make things simpler to test. | 06:04 |
|---|---|---|
| kata-irc-bot | <fidencio> Hey Wilson! | 06:53 |
| kata-irc-bot | <fidencio> Kata Containers, since its 2.0.0 release won't work together with Docker anymore | 06:53 |
| kata-irc-bot | <fidencio> Please, take a look at https://github.com/kata-containers/kata-containers/blob/main/docs/design/architecture.md and let us know in case that doesn't help you. | 06:54 |
| kata-irc-bot | <fidencio> Specifically on https://github.com/kata-containers/kata-containers/blob/main/docs/design/architecture.md#networking | 06:54 |
| kata-irc-bot | <david_hay> Morning, really really dumb question in the context of the `CreateContainer` endpoint in Kata 2.0 and container.rs I'm trying/failing to work out for what `exec_file` is used ? :thread: | 10:46 |
| kata-irc-bot | <david_hay> I'm debugging the output, and can see: - ```{"msg":"exec_file is: \"sh\"","level":"INFO","ts":"2021-08-02T10:28:52.268315204+00:00","pid":"57","action":"child process log","cid":"0123456789012345678901234567890123456789","eid":"0123456789012345678901234567890123456789","source":"agent","name":"kata-agent","subsystem":"container","version":"0.1.0","module":"rustjail"} {"msg":"temporary parent process exit:child exit: the file sh is not | 10:47 |
| kata-irc-bot | exist","level":"INFO","ts":"2021-08-02T10:28:52.268370784+00:00","eid":"0123456789012345678901234567890123456789","source":"agent","version":"0.1.0","name":"kata-agent","module":"rustjail","subsystem":"container","action":"child process log","cid":"0123456789012345678901234567890123456789","pid":"57"}``` ( having added a debug statement for `exec_file` ) | 10:47 |
| kata-irc-bot | <david_hay> For reference, I'm using the `CreateContainer` endpoint via `kata-agent-ctl` Also, this is in the context of my PoC to pull/verify/unpack an image *inside* the Pod Sandbox, and have `kata-agent` create a container from the bundle My gut feel is that there's something else I need to be doing to reference the `config.json` from the bundle that's been unpacked inside the Sandbox | 10:49 |
| kata-irc-bot | <david_hay> e.g. that's referencing the `args` from `config.json` | 10:49 |
| kata-irc-bot | <david_hay> ```"args": [ "/docker-entrypoint.sh", "nginx", "-g", "daemon off;"``` | 10:49 |
| kata-irc-bot | <jakob.naucke> not sure how much that helps you in your context, but in principle, when you do e.g. `ctr run ... /bin/sh`, `exec_file` is for executing the file you told it to, so `/bin/sh` in this example are you sure your image has that file? might try absolute path first | 10:50 |
| kata-irc-bot | <david_hay> Yeah, will double-check ... | 10:53 |
| kata-irc-bot | <david_hay> It may well be as simple as that :$ | 10:54 |
| kata-irc-bot | <david_hay> Thanks @jakob.naucke will report back shortly | 10:54 |
| kata-irc-bot | <david_hay> Today I Learn! | 10:54 |
| kata-irc-bot | <david_hay> It was a great idea, @jakob.naucke but, alas, I don't think that's the problem - I'm building the image myself, and can see `docker-entrypoint.sh` Also, I'm not overriding that with `CMD` etc. If I start a container manually from that image using `docker run` all appears normal ``` /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration /docker-entrypoint.sh: Looking for shell scripts in | 11:56 |
| kata-irc-bot | /docker-entrypoint.d/ /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh /docker-entrypoint.sh: Configuration complete; ready for start up``` | 11:56 |
| kata-irc-bot | <david_hay> I also tried a different image - `docker.io/library/ubuntu:latest` - and saw the same from the Kata Runtime console: - ```{"msg":"exec_file is: \"sh\"","level":"INFO","ts":"2021-08-02T12:01:58.403552035+00:00","module":"rustjail","eid":"0123456789012345678901234567890123456789","action":"child process | 12:03 |
| kata-irc-bot | log","cid":"0123456789012345678901234567890123456789","source":"agent","name":"kata-agent","subsystem":"container","pid":"57","version":"0.1.0"} {"msg":"temporary parent process exit:child exit: the file sh is not exist","level":"INFO","ts":"2021-08-02T12:01:58.403610225+00:00","action":"child process | 12:03 |
| kata-irc-bot | log","module":"rustjail","name":"kata-agent","eid":"0123456789012345678901234567890123456789","subsystem":"container","pid":"57","cid":"0123456789012345678901234567890123456789","source":"agent","version":"0.1.0"}``` when I use the `CreateContainer` endpoint :S | 12:03 |
| kata-irc-bot | <jakob.naucke> and no luck with `/bin/sh` instead? | 12:03 |
| kata-irc-bot | <david_hay> In terms of passing `/bin/sh` as an argument to the `CreateContainer` endpoint ? Hadn't tried that ...... | 12:04 |
| kata-irc-bot | <jakob.naucke> hmm the logs say `exec_file is: "sh"`, where does that `sh` come from? | 12:05 |
| kata-irc-bot | <david_hay> Yeah, and that's what I'm trying to work out :confounded: | 12:05 |
| kata-irc-bot | <david_hay> Right now, I'm merely passing in the CID parameter as input, which reflects the location under `/run/kata-containers` where I've unpacked the bundle | 12:05 |
| kata-irc-bot | <david_hay> Interestingly, at one point I did see ```{"msg":"exec_file is: \"/docker-entrypoint.sh\"","level":"INFO","ts":"2021-08-02T12:01:40.542370023+00:00","pid":"57","action":"child process log","name":"kata-agent","source":"agent","version":"0.1.0","cid":"5ce9b08ec6137f8c58fd31b7deab25b1beff0baa4c7772b0970ed3f6729cd434","subsystem":"container","module":"rustjail","eid":"5ce9b08ec6137f8c58fd31b7deab25b1beff0baa4c7772b0970ed3f6729cd434"}``` | 12:07 |
| kata-irc-bot | in the debug ..... | 12:07 |
| kata-irc-bot | <david_hay> Going to tinker further .... | 12:07 |
| kata-irc-bot | <david_hay> FYI @jakob.naucke I'm trying a way smaller image - `docker.io/library/busybox:latest` - which *does* have `sh` installed - but see the same issue when I try to start a container using `CreateContainer` and that image .... :S | 15:49 |
| kata-irc-bot | <david_hay> ```{"msg":"temporary parent process exit:child exit: the file sh is not exist","level":"INFO","ts":"2021-08-02T15:34:13.671473131+00:00","eid":"0123456789012345678901234567890123456789","version":"0.1.0","source":"agent","action":"child process log","cid":"0123456789012345678901234567890123456789","pid":"57","subsystem":"container","module":"rustjail","name":"kata-agent"}``` | 15:49 |
| kata-irc-bot | <david_hay> which is WIERD ! | 15:49 |
| kata-irc-bot | <david_hay> Also, I checked that the binary is available in the unpacked root file-system inside the Pod Sandbox `ls -al /run/kata-containers/0123456789012345678901234567890123456789/rootfs/bin/sh` ```-rwxr-xr-x 400 root root 1149184 Jun 7 17:34 /run/kata-containers/0123456789012345678901234567890123456789/rootfs/bin/sh``` | 15:51 |
| kata-irc-bot | <david_hay> ```-rwxr-xr-x 400 root root 1149184 Jun 7 17:34 /bin/sh``` | 15:51 |
| kata-irc-bot | <david_hay> :face_with_head_bandage: | 15:52 |
| kata-irc-bot | <david_hay> So now exploring the `config.json` for that `busybox` image .... | 16:10 |
| kata-irc-bot | <david_hay> ```cat config.json | jq { "ociVersion": "1.0.2-dev", "process": { "terminal": true, "user": { "uid": 0, "gid": 0 }, "args": [ "sh" ], "cwd": "/", "capabilities": {}, "noNewPrivileges": true, "oomScoreAdj": 0 }, "root": { "path": "/run/kata-containers/0123456789012345678901234567890123456789/rootfs", "readonly": true }, "linux": { "resources": { | 16:10 |
| kata-irc-bot | "devices": [ { "allow": false, "type": "b", "major": 259, "minor": 1, "access": "rw" } ] }, "namespaces": [ { "type": "pid" } ] } }``` | 16:10 |
| kata-irc-bot | <david_hay> Noting that the `args` == `sh` | 16:10 |
| kata-irc-bot | <david_hay> which feels relevant ....... | 16:11 |
| kata-irc-bot | <david_hay> and looking at the spec ... https://github.com/opencontainers/runtime-spec/blob/master/config.md | 16:11 |
| kata-irc-bot | <jakob.naucke> I'll be honest, I'm not sure whether we're digging in the right place with the path. But maybe PATH isn't picked up. Just to rule it out, can you rebuild the image to point towards `/bin/sh`? I think it's possible with `ctr image {ex,im}port`. | 17:08 |
| kata-irc-bot | <wilson.wang> thanks! | 17:28 |
| kata-irc-bot | <david_hay> Yeah, that's my next step .... :slightly_smiling_face: | 18:08 |
| kata-irc-bot | <david_hay> Thanks mate :slightly_smiling_face: | 18:08 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!