Created attachment 1806161 podspec

Description of problem:
crictl create of a container fails with "PID namespace requested, but sandbox infra container invalid" in cri-o-1.22.0-12.rhaos4.9.git0fc6d47.el8.aarch64. This issue is not seen in cri-o-1.22.0-10.rhaos4.9.gite06cce2.el8.arch64

Version-Release number of selected component (if applicable):
cri-o-1.22.0-12.rhaos4.9.git0fc6d47.el8.aarch64

How reproducible:
all the time

Steps to Reproduce:
This issue was found in RHCOS kola tests running in the ARM pipeline. The kola test in question
1. creates a pod spec and a container spec
2. does a "sudo crictl runp <pod-spec>"
3. does a "sudo crictl create --no-pull <podID> <container-spec> <pod-spec>"
The container and pod spec are attached

Actual results:
creates container successfully.

Expected results:

Additional info:

Created attachment 1806162 sleepcontainer
The problem here is your pod and container spec don't match in the pid namespace they've requested. The pod spec has:

```
"namespace_options": { "pid": 1 },
```

and the container spec does not have anything specified for namespace options. A namespace option of "1" means the request is requesting a container level pid namespace, so the pod does not create an infra container (which is only needed for a pod level pid namespace). However, when the container creation request comes around, the container fails because it is requesting a pod level pid namespace (value "0"), which does not exist.

I recommend either dropping namespace_options from the pod spec, or adding it to the container spec.
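A pre-flight check for the mismatch described in the comment above, as an added example that is not part of the original thread or of CRI-O. The sample specs are constructed (the attachments are not shown on this page), the `linux.security_context` nesting follows the CRI config layout and is assumed to match the attached specs, and the function names are hypothetical.

```python
import json
from typing import Optional

# PID namespace modes as named in the thread: 0 = pod level, 1 = container level.
POD, CONTAINER = 0, 1


def pid_mode(spec: dict) -> int:
    """Requested PID namespace mode; an absent namespace_options means 0 (pod level)."""
    linux = spec.get("linux") or {}
    sec = linux.get("security_context") or {}
    opts = sec.get("namespace_options") or {}
    return int(opts.get("pid", POD))


def check_pid_namespace(pod_spec: dict, container_spec: dict) -> Optional[str]:
    """Return a finding for the mismatch from this bug, or None if it is absent."""
    pod, ctr = pid_mode(pod_spec), pid_mode(container_spec)
    if pod == CONTAINER and ctr == POD:
        return ("pod spec requests a container level pid namespace (1), so no "
                "infra container is created, but the container spec requests "
                "a pod level pid namespace (0)")
    return None


# Constructed sample specs (not the attachments from the bug).
POD_SPEC = json.loads("""
{"metadata": {"name": "sleeppod", "namespace": "default"},
 "linux": {"security_context": {"namespace_options": {"pid": 1}}}}
""")
# Container spec as first submitted: no namespace_options at all.
BROKEN_CONTAINER_SPEC = json.loads("""
{"metadata": {"name": "sleepcontainer"}, "command": ["sleep", "3600"]}
""")
# Container spec after the fix: same pid mode as the pod spec.
FIXED_CONTAINER_SPEC = json.loads("""
{"metadata": {"name": "sleepcontainer"}, "command": ["sleep", "3600"],
 "linux": {"security_context": {"namespace_options": {"pid": 1}}}}
""")

if __name__ == "__main__":
    for name, ctr in (("broken", BROKEN_CONTAINER_SPEC), ("fixed", FIXED_CONTAINER_SPEC)):
        print(name, "->", check_pid_namespace(POD_SPEC, ctr) or "ok")
```

Running the check on both spec files before `crictl runp` catches the mismatch without needing a live CRI-O instance.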
I've opened a PR to improve the error message.
Adding the namespace_option to the container spec fixed the issue. Thanks!!
https://github.com/coreos/coreos-assembler/pull/2359 to fix the coreos-assembler test.
Both linked PRs have been merged, so this should be fixed (better error message, fixed test).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056