privileged container's disk attribute is ro because the namespace of pause is added #1747

Open
fengwei0328 opened this issue Jan 14, 2025 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/node Categorizes an issue or PR as relevant to SIG Node.


fengwei0328 commented Jan 14, 2025

What happened:

When I create the container, privileged is turned on, but since the pause container's sysfs is ro, my privileged container's sysfs is also ro.

What you expected to happen:

Hopefully, in the non-bind case, the sysfs of the privileged container is rw.

How to reproduce it (as minimally and precisely as possible):

pod.json

{
    "metadata": {
        "name": "privileged-pod",
        "namespace": "k8s.io",
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "command": [
        "top"
    ],
    "log_directory": "/var/log/pods",
    "linux": {
        "security_context": {
            "privileged": true
        }
    }
}

container.json

{
    "metadata": {
        "name": "busybox-200-3"
    },
    "image": {
        "image": "docker.io/library/busybox"
    },
    "command": [
        "top"
    ],
    "tty": true,
    "stdin": true,
    "log_path": "busybox-200-3.log",
    "mounts": [
        {
            "container_path": "/sys",
            "host_path": "/sys"
        }
    ],
    "linux": {
        "security_context": {
            "privileged": true
        }
    }
}

In the container:

/ # mount | grep  sysfs
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)

Container's config.json:

{
    "destination": "/sys",
    "type": "sysfs",
    "source": "sysfs",
    "options": [
        "nosuid",
        "noexec",
        "nodev",
        "rw"
    ]
},

because the pod's config.json has:

{
    "destination": "/sys",
    "type": "sysfs",
    "source": "sysfs",
    "options": [
        "nosuid",
        "noexec",
        "nodev",
        "ro"
    ]
},

Anything else we need to know?:

Environment:

  • Container runtime or hardware configuration:
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):
  • Others:
@fengwei0328 fengwei0328 added kind/bug Categorizes issue or PR as related to a bug. sig/node Categorizes an issue or PR as relevant to SIG Node. labels Jan 14, 2025
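A small triage check for the situation reported above, added here as an example and not part of the issue or of containerd. It takes the sandbox (pause) and container OCI config.json documents as parsed dicts, compares their sysfs mount options, and flags the case the reporter hit: the container asks for rw, but it joins the sandbox's network namespace (assumed to appear as a `network` namespace entry with a `path`) and the sandbox's sysfs is ro, so the container's view of /sys ends up ro. The specs below are constructed from the excerpts in the issue.

```python
import json

# Constructed OCI spec fragments, reduced to what the check needs; they mirror
# the sandbox and container config.json excerpts quoted in the issue.
SANDBOX_SPEC = json.loads("""{
  "mounts": [
    {"destination": "/sys", "type": "sysfs", "source": "sysfs",
     "options": ["nosuid", "noexec", "nodev", "ro"]}
  ]
}""")

CONTAINER_SPEC = json.loads("""{
  "mounts": [
    {"destination": "/sys", "type": "sysfs", "source": "sysfs",
     "options": ["nosuid", "noexec", "nodev", "rw"]}
  ],
  "linux": {"namespaces": [
    {"type": "network", "path": "/var/run/netns/example-sandbox"}
  ]}
}""")  # the netns path is a constructed placeholder


def sysfs_mount(spec):
    """Return the sysfs mount entry for /sys from an OCI spec, or None."""
    for m in spec.get("mounts", []):
        if m.get("destination") == "/sys" and m.get("type") == "sysfs":
            return m
    return None


def is_ro(mount):
    """The last of ro/rw in the options list wins, as with mount(8)."""
    ro = False
    for opt in mount.get("options", []):
        if opt == "ro":
            ro = True
        elif opt == "rw":
            ro = False
    return ro


def shares_sandbox_netns(container_spec):
    """True when the container joins an existing network namespace by path
    (assumption: that is how joining the pause container's netns shows up)."""
    for ns in container_spec.get("linux", {}).get("namespaces", []):
        if ns.get("type") == "network" and ns.get("path"):
            return True
    return False


def check_sysfs(sandbox_spec, container_spec):
    """Return (effective_ro, reason), assuming the behaviour the issue observes:
    a container sharing the sandbox netns gets a ro sysfs if the sandbox's is ro."""
    sb, ct = sysfs_mount(sandbox_spec), sysfs_mount(container_spec)
    if ct is None:
        return None, "container spec has no sysfs mount on /sys"
    if is_ro(ct):
        return True, "container spec itself requests ro"
    if sb is not None and is_ro(sb) and shares_sandbox_netns(container_spec):
        return True, "container requests rw but shares netns with a sandbox whose sysfs is ro"
    return False, "container requests rw and nothing in the sandbox forces ro"
```

Run `check_sysfs(SANDBOX_SPEC, CONTAINER_SPEC)` against the two specs to get `(True, ...)`, reproducing the ro result seen in the container despite the rw request.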