Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1986239

Summary: crictl create fails with "PID namespace requested, but sandbox infra container invalid"
Product: OpenShift Container Platform
Reporter: Prashanth Sundararaman <psundara>
Component: Node
Assignee: Peter Hunt <pehunt>
Node sub component: CRI-O
QA Contact: pmali
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: medium
CC: aos-bugs, dwalsh, miabbott, tsweeney
Version: 4.9
Target Milestone: ---
Target Release: 4.10.0
Hardware: aarch64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-10 16:04:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
podspec (flags: none)
sleepcontainer (flags: none)

Description Prashanth Sundararaman 2021-07-27 03:31:30 UTC
Created attachment 1806161
podspec

Description of problem:
crictl create of a container fails with "PID namespace requested, but sandbox infra container invalid" in cri-o-1.22.0-12.rhaos4.9.git0fc6d47.el8.aarch64. This issue is not seen in cri-o-1.22.0-10.rhaos4.9.gite06cce2.el8.arch64

Version-Release number of selected component (if applicable):
cri-o-1.22.0-12.rhaos4.9.git0fc6d47.el8.aarch64

How reproducible:
all the time

Steps to Reproduce:
This issue was found in RHCOS kola tests running in the ARM pipeline. The kola test in question:
1. creates a pod spec and a container spec 
2. does a "sudo crictl runp <pod-spec>"
3. does a "sudo crictl create --no-pull <podID> <container-spec> <pod-spec>"

The container and pod spec are attached

Actual results:
creates container successfully.

Expected results:


Additional info:

Comment 1 Prashanth Sundararaman 2021-07-27 03:32:05 UTC
Created attachment 1806162
sleepcontainer

Comment 3 Peter Hunt 2021-08-11 17:34:48 UTC
The problem here is your pod and container spec don't match in the pid namespace they've requested. The pod spec has:
```
"namespace_options": {
    "pid": 1
},
```
and the container spec does not have anything specified for namespace options. A namespace option of "1" means the request is requesting a container level pid namespace, so the pod does not create an infra container (which is only needed for a pod level pid namespace). However, when the container creation request comes around, the container fails because it is requesting a pod level pid namespace (value "0"), which does not exist.

I recommend either dropping namespace_options from the pod spec, or adding it to the container spec.
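
A pre-flight check for the mismatch described in comment 3, as an added example that is not part of the bug report or of CRI-O's code. It assumes the `namespace_options` fragment sits under `linux.security_context` in both crictl JSON specs; the sample specs and function names are constructed for illustration.

```python
import json

POD, CONTAINER = 0, 1  # PID namespace modes as described in comment 3

def pid_mode(spec):
    """Requested PID namespace mode; a missing field means 0 (pod level)."""
    # Assumed location: linux.security_context.namespace_options.pid
    sec = (spec.get("linux") or {}).get("security_context") or {}
    return (sec.get("namespace_options") or {}).get("pid") or POD

def check_pid_namespace(pod_json, container_json):
    """Return None if the specs agree, else a message naming the mismatch."""
    pod = pid_mode(json.loads(pod_json))
    ctr = pid_mode(json.loads(container_json))
    if pod == CONTAINER and ctr == POD:
        return ("pod spec requests pid=1 (container level), so no infra "
                "container is created, but container spec requests pid=0 "
                "(pod level); add namespace_options to the container spec "
                "or drop it from the pod spec")
    return None

# Constructed sample specs (not the attachments from this bug).
POD_SPEC = '''{"metadata": {"name": "sleep-pod"},
  "linux": {"security_context": {"namespace_options": {"pid": 1}}}}'''
POD_SPEC_NO_OPTS = '{"metadata": {"name": "sleep-pod"}, "linux": {}}'
CTR_SPEC_NO_OPTS = '{"metadata": {"name": "sleep"}}'
CTR_SPEC_FIXED = '''{"metadata": {"name": "sleep"},
  "linux": {"security_context": {"namespace_options": {"pid": 1}}}}'''

if __name__ == "__main__":
    cases = [
        ("as reported", POD_SPEC, CTR_SPEC_NO_OPTS),
        ("option added to container spec", POD_SPEC, CTR_SPEC_FIXED),
        ("option dropped from pod spec", POD_SPEC_NO_OPTS, CTR_SPEC_NO_OPTS),
    ]
    for label, pod, ctr in cases:
        print(f"{label}: {check_pid_namespace(pod, ctr) or 'ok'}")
```

Running such a check before `crictl runp` and `crictl create` surfaces the disagreement in the specs rather than at container creation time.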

Comment 4 Peter Hunt 2021-08-11 18:22:56 UTC
I've opened a PR to improve the error message

Comment 5 Prashanth Sundararaman 2021-08-12 15:05:22 UTC
Adding the namespace_option to the container spec fixed the issue. Thanks!!

Comment 6 Prashanth Sundararaman 2021-08-12 15:06:10 UTC
https://github.com/coreos/coreos-assembler/pull/2359 to fix the coreos-assembler test.

Comment 7 Peter Hunt 2021-08-24 17:38:49 UTC
Both linked PRs have been merged, so this should be fixed (better error message, fixed test).

Comment 13 errata-xmlrpc 2022-03-10 16:04:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056