cri-o: cri-o 1.20.1 fails to run privileged pods: unknown capability "CAP_PERFMON"

Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  15s                default-scheduler  Successfully assigned kube-system/kube-proxy-7j8zj to nas
  Warning  Failed     14s (x2 over 14s)  kubelet            Error: container create failed: time="2021-03-15T07:39:31+01:00" level=error msg="container_linux.go:370: starting container process caused: unknown capability \"CAP_PERFMON\""
  Normal   Pulled     1s (x3 over 14s)   kubelet            Container image "k8s.gcr.io/kube-proxy:v1.20.4" already present on machine
  Warning  Failed     1s                 kubelet            Error: container create failed: time="2021-03-15T07:39:44+01:00" level=error msg="container_linux.go:370: starting container process caused: unknown capability \"CAP_PERFMON\""
crio --version
INFO[0000] Starting CRI-O, version: 1.20.1, git: 0e6266bc8b26e7f8c1b85df3af7af1dcb50ce813(clean) 
crio version 1.20.1
Version:       1.20.1
GitCommit:     0e6266bc8b26e7f8c1b85df3af7af1dcb50ce813
GitTreeState:  clean
BuildDate:     2021-03-12T02:24:13Z
GoVersion:     go1.15.2
Compiler:      gc
Platform:      linux/amd64
Linkmode:      dynamic

And the 1.20.0 release can’t be installed anymore because it was removed from the repository: #4657

The problem seems to be related to #4466

The 1.20.1 release has a different gocapability than 1.20.0: https://github.com/cri-o/cri-o/blob/v1.20.1/go.mod#L54

But the cri-o-runc package wasn’t updated in the repos; it is still 1.0.0~rc92.3: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/amd64/
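
The mismatch reported above, a capability name in the container spec that the installed runtime does not recognise, can be checked offline against a container's OCI `config.json`. This is an added example, not code from cri-o or runc; `UnknownCaps`, `newerCaps`, `sampleConfig` and the assumption that the older runtime's capability table ends at number 37 are illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Numbers from <linux/capability.h>; all older capabilities are 0..37.
var newerCaps = map[string]int{
	"CAP_PERFMON":            38, // added in Linux 5.8
	"CAP_BPF":                39, // added in Linux 5.8
	"CAP_CHECKPOINT_RESTORE": 40, // added in Linux 5.9
}

// ociSpec models only the part of an OCI config.json that is needed here.
type ociSpec struct {
	Process struct {
		Capabilities map[string][]string `json:"capabilities"`
	} `json:"process"`
}

// UnknownCaps lists capabilities in the spec numbered above lastKnown.
func UnknownCaps(configJSON []byte, lastKnown int) ([]string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, err
	}
	var out []string
	seen := map[string]bool{}
	for _, set := range spec.Process.Capabilities { // bounding, effective, ...
		for _, name := range set {
			if n, ok := newerCaps[name]; ok && n > lastKnown && !seen[name] {
				seen[name] = true
				out = append(out, name)
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

// Constructed sample spec fragment; 37 (CAP_AUDIT_READ) is an assumed table end.
const sampleConfig = `{"process":{"capabilities":{
 "bounding":["CAP_SYS_ADMIN","CAP_PERFMON","CAP_BPF"],
 "effective":["CAP_SYS_ADMIN","CAP_PERFMON","CAP_BPF"]}}}`
func main() {
	fmt.Println(UnknownCaps([]byte(sampleConfig), 37))
}
```

A non-empty result means the spec asks for capabilities the runtime would refuse to set, which is the condition behind the `unknown capability` error in the events above.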

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 27 (15 by maintainers)

Most upvoted comments

Thanks for the patience, folks! I will close this issue; someone yell at me if this sneaks in again 😆

Sorry for the delay, I’ve just updated the 1.21 branch to have 1.21.1, which should have the fix.

cri-o 1.20.2 will also be packaged up tomorrow, I believe.

Thanks Peter! Successfully tested, you’re the best!

Cri-o 1.21.1 fixes the CAP_PERFMON issue for me. Thank you @haircommander

However, using cri-o 1.20.3 on a Kubernetes 1.21.1 cluster works fine for me, no CAP_PERFMON issue, and I did not experience side effects. Tried the last cri-o package cri-o-1.21.0-4.22 for centos:stream and the CAP_PERFMON issue is still there.

Yeah, I can work on a 1.20.2.

Thank you for the issue report @lazystone, a fix is in flight in https://github.com/cri-o/cri-o/pull/4659