-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sysbox k8s directory mounted as nobody #800
Comments
Hi @raphaelfff, Happy to help, though you should also reach out to Coder.
What type of PVC is it? Also, how does I ask because the PVC is bind-mounted into the Sysbox pod, and Sysbox uses "ID-mapped-mounts" or "shiftfs" (see here) on top of that bind-mount in order for the files to show up with proper ownership inside the rootless Sysbox container. If files show up as
Interesting ... not sure what's going on. But if you can pin-it to specific K8s nodes, that's a good clue. |
I think coder is out of the picture here, its a pure sysbox problem imo, coder was just general context
Its a GKE PD
Atm i dont have a broken env at hand... i will update when i have one, this issu was about starting investigation... Do you have any command you would recommend running ? |
Okay another ws broke:
|
Bump @ctalledo What is the next step ? |
Hi @raphaelfff, So per your description above, this is the mount that is showing up with
And I can see in the pod.yaml that it's backed by a PVC. Don't know exactly why it's showing up with When a Sysbox container starts, it maps the root in the container to an unprivileged user at host level (e.g., 0 -> 100000). Furthermore, when Sysbox sees that the container has a bind-mount of a host dir into the container's This process must be failing somehow. In the past, before ID-map mounts were supported in the kernel, Sysbox would use chown and the process would sometimes fail (or be too slow) if the host dir had too many files (which is sometimes the case on With ID-mapped mounts it's much better (no more chowing), but it requires "overlayfs-over-ID-mapped-mounts" support which landed in kernel 5.19+. Questions:
Also: make sure the host dir (PVC) that is mounted into the pod's That's all that comes to mind. Again, I think Coder should be helping you here too (even if it turns out to be a Sysbox problem). |
Thanks for your answer Here are some more deets:
So that means that its not actually benefiting from id mapped amounts...
One question: since The mount is |
Hi @raphaelfff,
Correct, at least not for the volumes mounted at
That's exactly right ... which is why chown is not a good solution (though it was the only one before ID-mapped-mounts on overlayfs appeared in kernel 5.19+). Sounds like you need a K8s node with kernel 5.19+ in order for this to work reliably. With ID-mapped-mounts, the "chown" is basically instant (it's done via user-id/group-id mapping in the kernel), so it works much better.
OK that's perfect. |
I m gonna have to wait for GKE to upgrade their Ubuntu Containerd image kernel... |
Hi @raphaelfff, Apologies for the belated response.
Yes, I am afraid that's the only option; I am amazed GKE is still in kernel 5.15 when Linux is at 6.9 already (!). You would think they would at least offer an option to customize the kernel, but there isn't an easy one as far as I can tell.
The problem with chown failing usually occurs when the contents of |
Here is the situation, we are running sysbox in GKE (to run Coder), we have a mount for docker backed by a PVC, sometimes when a pod restarts,
/var/lib/docker
ens up being owned bynobody:nogroup
in the pod:restarting the pod a bunch of times end up fixing the issue, but not able to figure out why/how
I suspect that this issue happen when the pod gets scheduled in a different node ?
This is quite disruptive as the only way out is to delete that pod and make a new one, loosing the PVC, and the data associated...
pod.yaml
The text was updated successfully, but these errors were encountered: