k8s: guest-pull: "Test readonly volume for pods" fails #9667

fidencio · 2024-05-19T16:21:24Z

# Events:
#   Type     Reason   Age   From     Message
#   ----     ------   ----  ----     -------
#   Normal   Pulling  82s   kubelet  Pulling image "busybox"
#   Normal   Pulled   81s   kubelet  Successfully pulled image "busybox" in 739ms (739ms including waiting)
#   Normal   Created  81s   kubelet  Created container busybox-file-volume-container
#   Warning  Failed   79s   kubelet  Error: failed to create containerd task: failed to create shim task: failed to handle layer: hasher sha256: channel: send failed SendError { .. }: unknown
# pod "test-file-volume" deleted

Well, the volume has to be exposed to the VM somehow ... and this is yet not supported.
This will be the very same case for all the tests related to volumes, in the same way we have the limitations for firecracker.

The tests affected by this limitation are:

k8s-credentials-secrets.bats
k8s-file-volume.bats
k8s-inotify.bats
k8s-nested-configmap-secret.bats
k8s-projected-volume.bats
k8s-volume.bats

The text was updated successfully, but these errors were encountered:

Fix tests: - k8s-credentials-secrets.bats - k8s-file-volume.bats - k8s-nested-configmap-secret.bats - k8s-projected-volume.bats - k8s-volume.bats Fixes: kata-containers#9664 kata-containers#9666 kata-containers#9667 kata-containers#9668 Signed-off-by: ChengyuZhu6 <[email protected]>

Revert Fix tests: - k8s-credentials-secrets.bats - k8s-file-volume.bats - k8s-nested-configmap-secret.bats - k8s-projected-volume.bats - k8s-volume.bats - k8s-shared-volume.bats - k8s-kill-all-process-in-container.bats - k8s-sysctls.bats Fixes: kata-containers#9664 kata-containers#9666 kata-containers#9667 kata-containers#9668 Signed-off-by: ChengyuZhu6 <[email protected]>

Revert code logic in 462051b Let me explain why: In our previous approach, we implemented guest pull by passing PullImageRequest to the guest. However, this method resulted in the loss of specifications essential for running the container, such as commands specified in YAML, during the CreateContainer stage. To address this, it is necessary to integrate the OCI specifications and process information from the image’s configuration with the container in guest pull. The snapshotter method does not care this issue. Nevertheless, a problem arises when two containers in the same pod attempt to pull the same image, like InitContainer. This is because the system searches for the existing configuration, which resides in the guest. The configuration, associated with <image name, cid>, is stored in the directory /run/kata-containers/<cid>. Consequently, when the InitContainer finishes its task and terminates, the directory ceases to exist. As a result, during the creation of the application container, the OCI spec and process information cannot be merged due to the absence of the expected configuration file. Fix tests: - k8s-credentials-secrets.bats - k8s-file-volume.bats - k8s-nested-configmap-secret.bats - k8s-projected-volume.bats - k8s-volume.bats - k8s-shared-volume.bats - k8s-kill-all-process-in-container.bats - k8s-sysctls.bats Fixes: kata-containers#9664 kata-containers#9666 kata-containers#9667 kata-containers#9668 Signed-off-by: ChengyuZhu6 <[email protected]>

Let me explain why: In our previous approach, we implemented guest pull by passing PullImageRequest to the guest. However, this method resulted in the loss of specifications essential for running the container, such as commands specified in YAML, during the CreateContainer stage. To address this, it is necessary to integrate the OCI specifications and process information from the image’s configuration with the container in guest pull. The snapshotter method does not care this issue. Nevertheless, a problem arises when two containers in the same pod attempt to pull the same image, like InitContainer. This is because the system searches for the existing configuration, which resides in the guest. The configuration, associated with <image name, cid>, is stored in the directory /run/kata-containers/<cid>. Consequently, when the InitContainer finishes its task and terminates, the directory ceases to exist. As a result, during the creation of the application container, the OCI spec and process information cannot be merged due to the absence of the expected configuration file. Fix tests: - k8s-credentials-secrets.bats - k8s-file-volume.bats - k8s-nested-configmap-secret.bats - k8s-projected-volume.bats - k8s-volume.bats - k8s-shared-volume.bats - k8s-kill-all-process-in-container.bats - k8s-sysctls.bats Fixes: kata-containers#9664 kata-containers#9666 kata-containers#9667 kata-containers#9668 Signed-off-by: ChengyuZhu6 <[email protected]>

Let me explain why: In our previous approach, we implemented guest pull by passing PullImageRequest to the guest. However, this method resulted in the loss of specifications essential for running the container, such as commands specified in YAML, during the CreateContainer stage. To address this, it is necessary to integrate the OCI specifications and process information from the image’s configuration with the container in guest pull. The snapshotter method does not care this issue. Nevertheless, a problem arises when two containers in the same pod attempt to pull the same image, like InitContainer. This is because the image service searches for the existing configuration, which resides in the guest. The configuration, associated with <image name, cid>, is stored in the directory /run/kata-containers/<cid>. Consequently, when the InitContainer finishes its task and terminates, the directory ceases to exist. As a result, during the creation of the application container, the OCI spec and process information cannot be merged due to the absence of the expected configuration file. Fix tests: - k8s-credentials-secrets.bats - k8s-file-volume.bats - k8s-nested-configmap-secret.bats - k8s-projected-volume.bats - k8s-volume.bats - k8s-shared-volume.bats - k8s-kill-all-process-in-container.bats - k8s-sysctls.bats Fixes: kata-containers#9664 kata-containers#9666 kata-containers#9667 kata-containers#9668 Signed-off-by: ChengyuZhu6 <[email protected]>

Revert code logic in 462051b Let me explain why: In our previous approach, we implemented guest pull by passing PullImageRequest to the guest. However, this method resulted in the loss of specifications essential for running the container, such as commands specified in YAML, during the CreateContainer stage. To address this, it is necessary to integrate the OCI specifications and process information from the image’s configuration with the container in guest pull. The snapshotter method does not care this issue. Nevertheless, a problem arises when two containers in the same pod attempt to pull the same image, like InitContainer. This is because the image service searches for the existing configuration, which resides in the guest. The configuration, associated with <image name, cid>, is stored in the directory /run/kata-containers/<cid>. Consequently, when the InitContainer finishes its task and terminates, the directory ceases to exist. As a result, during the creation of the application container, the OCI spec and process information cannot be merged due to the absence of the expected configuration file. Fix tests: - k8s-credentials-secrets.bats - k8s-file-volume.bats - k8s-nested-configmap-secret.bats - k8s-projected-volume.bats - k8s-volume.bats - k8s-shared-volume.bats - k8s-kill-all-process-in-container.bats - k8s-sysctls.bats Fixes: kata-containers#9664 kata-containers#9666 kata-containers#9667 kata-containers#9668 Signed-off-by: ChengyuZhu6 <[email protected]>

Revert code logic in 462051b Let me explain why: In our previous approach, we implemented guest pull by passing PullImageRequest to the guest. However, this method resulted in the loss of specifications essential for running the container, such as commands specified in YAML, during the CreateContainer stage. To address this, it is necessary to integrate the OCI specifications and process information from the image’s configuration with the container in guest pull. The snapshotter method does not care this issue. Nevertheless, a problem arises when two containers in the same pod attempt to pull the same image, like InitContainer. This is because the image service searches for the existing configuration, which resides in the guest. The configuration, associated with <image name, cid>, is stored in the directory /run/kata-containers/<cid>. Consequently, when the InitContainer finishes its task and terminates, the directory ceases to exist. As a result, during the creation of the application container, the OCI spec and process information cannot be merged due to the absence of the expected configuration file. Fix tests: - k8s-credentials-secrets.bats - k8s-file-volume.bats - k8s-nested-configmap-secret.bats - k8s-projected-volume.bats - k8s-volume.bats - k8s-shared-volume.bats - k8s-kill-all-process-in-container.bats - k8s-sysctls.bats Fixes: kata-containers#9664 Fixes: kata-containers#9666 Fixes: kata-containers#9667 Fixes: kata-containers#9668 Signed-off-by: ChengyuZhu6 <[email protected]>

Revert code logic in 462051b Let me explain why: In our previous approach, we implemented guest pull by passing PullImageRequest to the guest. However, this method resulted in the loss of specifications essential for running the container, such as commands specified in YAML, during the CreateContainer stage. To address this, it is necessary to integrate the OCI specifications and process information from the image’s configuration with the container in guest pull. The snapshotter method does not care this issue. Nevertheless, a problem arises when two containers in the same pod attempt to pull the same image, like InitContainer. This is because the image service searches for the existing configuration, which resides in the guest. The configuration, associated with <image name, cid>, is stored in the directory /run/kata-containers/<cid>. Consequently, when the InitContainer finishes its task and terminates, the directory ceases to exist. As a result, during the creation of the application container, the OCI spec and process information cannot be merged due to the absence of the expected configuration file. Fix tests: - k8s-credentials-secrets.bats - k8s-file-volume.bats - k8s-nested-configmap-secret.bats - k8s-projected-volume.bats - k8s-volume.bats - k8s-shared-volume.bats - k8s-sysctls.bats Fixes: kata-containers#9666 Fixes: kata-containers#9667 Fixes: kata-containers#9668 Signed-off-by: ChengyuZhu6 <[email protected]>

Refactor code in guest pull Fix tests: - k8s-credentials-secrets.bats - k8s-file-volume.bats - k8s-nested-configmap-secret.bats - k8s-projected-volume.bats - k8s-volume.bats - k8s-shared-volume.bats - k8s-sysctls.bats Fixes: kata-containers#9666 Fixes: kata-containers#9667 Fixes: kata-containers#9668 Signed-off-by: ChengyuZhu6 <[email protected]>

This test fails with qemu-coco-dev configuration and guest-pull image pull. Issue: kata-containers#9667 Signed-off-by: Wainer dos Santos Moschetta <[email protected]>

fidencio added bug Incorrect behaviour needs-review Needs to be assessed by the team. area/guest-pull labels May 19, 2024

katacontainersbot added this to To do in Issue backlog May 19, 2024

fidencio mentioned this issue May 19, 2024

[RFC] New tests for shared_fs=none #9652

Open

wainersm mentioned this issue May 20, 2024

Configure CoCo runtimes with shared_fs=none #9676

Open

4 tasks

ChengyuZhu6 mentioned this issue May 22, 2024

Revert agent/image: merge container spec for images pulled inside guest #9695

Draft

katacontainersbot moved this from To do to In progress in Issue backlog May 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

k8s: guest-pull: "Test readonly volume for pods" fails #9667

k8s: guest-pull: "Test readonly volume for pods" fails #9667

fidencio commented May 19, 2024 •

edited

k8s: guest-pull: "Test readonly volume for pods" fails #9667

k8s: guest-pull: "Test readonly volume for pods" fails #9667

Comments

fidencio commented May 19, 2024 • edited

fidencio commented May 19, 2024 •

edited