Bug 2038827
Summary: | should add user containers in /etc/subuid and /etc/subgid to support run pods in user namespaces | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | MinLi <minmli> |
Component: | Node | Assignee: | Peter Hunt <pehunt> |
Node sub component: | CRI-O | QA Contact: | MinLi <minmli> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | medium | | |
Priority: | medium | CC: | aos-bugs, gscrivan, pehunt |
Version: | 4.10 | Flags: | pehunt: needinfo- |
Target Milestone: | --- | | |
Target Release: | 4.10.0 | | |
Hardware: | All | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | 1.23.0-105.rhaos4.10.gita975152 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2022-03-10 16:38:09 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
MinLi
2022-01-10 09:21:16 UTC
great point! I opened a PR to fix

not fixed, there are duplicate lines including "containers"

```
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-02-07-162517   True        False         9m25s   Cluster version is 4.10.0-0.nightly-2022-02-07-162517
$ oc debug node/ip-10-0-145-70.us-east-2.compute.internal
Starting pod/ip-10-0-145-70us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.145.70
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# cat /etc/subuid
core:100000:65536
containers:165536:65536
containers:200000:16000000
sh-4.4#
sh-4.4# cat /etc/subgid
core:100000:65536
containers:165536:65536
containers:200000:16000000
```

that is expected, the key is that at least the line containers:200000:16000000 is present. any extra are a bonus

Hi, Peter
Can you confirm the crio will pick the line containers:200000:16000000 but not the line containers:165536:65536 when running pods in usernamespace?
And the duplicate line won't lead to any conflict or consistency issue in some scenario? (Though I'm not sure the specific scenario)

when multiple lines are found, they are merged. So the additional IDs assigned to "containers" should be 165536:65536 and 200000:16000000

according to Comment 12, the bug is fixed!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056
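
The check discussed in the comments above (the `containers:200000:16000000` line must be present, and multiple lines for one name are merged), written as an added example that is not part of the bug report or of CRI-O's code. It assumes "merged" means the union of the listed ranges, and the function names are illustrative; the sample input is the `/etc/subuid` output quoted in this bug.

```python
# Added example: audit subordinate-ID files of the form name:start:count.
# SAMPLE is copied from the /etc/subuid output quoted in this bug.
SAMPLE = """\
core:100000:65536
containers:165536:65536
containers:200000:16000000
"""

def parse(text):
    """Return {name: [(first, last), ...]} with inclusive ID ranges."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid range")
        table.setdefault(name, []).append((start, start + count - 1))
    return table

def merged(ranges):
    """Union of inclusive ranges, joining overlapping or adjacent ones."""
    out = []
    for first, last in sorted(ranges):
        if out and first <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], last))
        else:
            out.append((first, last))
    return out

def covers(ranges, start, count):
    """True if start..start+count-1 lies inside one merged range."""
    last = start + count - 1
    return any(a <= start and last <= b for a, b in merged(ranges))

def shared_ids(table, a, b):
    """ID ranges granted to both names; non-empty means two users share IDs."""
    hits = []
    for a1, a2 in merged(table.get(a, [])):
        for b1, b2 in merged(table.get(b, [])):
            if max(a1, b1) <= min(a2, b2):
                hits.append((max(a1, b1), min(a2, b2)))
    return hits

if __name__ == "__main__":
    t = parse(SAMPLE)
    print(merged(t["containers"]), covers(t["containers"], 200000, 16000000))
```

The same functions apply unchanged to `/etc/subgid`, which uses the same line format.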