kata-containers: Unable to start container as privileged: ctr: failed to create shim: QMP command failed: The device is not writable: Permission denied: unknown

Description of problem

I want to use privileged to run docker:dind.

Unable to start container as privileged.

  1. Install kata-containers using snap
  1. setup containerd
  1. restart containerd
  2. run container with privileged flag

Actual result

# ctr run --runtime io.containerd.run.kata.v2 -t --rm  --privileged docker.io/library/busybox:latest hello sh
ctr: failed to create shim: QMP command failed: The device is not writable: Permission denied: unknown

Further information

kata-collect: https://gist.github.com/jclab-joseph/31fb6477f63a1bc339f5aa8a6d5fa083

Debug Log

Aug 20 01:01:42 microk8s-dev systemd[1]: tmp-containerd\x2dmount484168862.mount: Succeeded.
Aug 20 01:01:42 microk8s-dev virtiofsd[1674461]: virtio_session_mount: Waiting for vhost-user socket connection...
Aug 20 01:01:42 microk8s-dev virtiofsd[1674461]: virtio_session_mount: Received vhost-user socket connection
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: virtio_loop: Entry
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_queue_set_started: qidx=0 started=1
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_queue_set_started: qidx=1 started=1
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_queue_thread: Start for queue 0 kick_fd 9
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_queue_thread: Start for queue 1 kick_fd 12
Aug 20 01:01:42 microk8s-dev kata[1674451]: time="2021-08-20T01:01:42.821507636Z" level=error msg="container create failed" error="QMP command failed: The device is not writable: Permission denied" name=containerd-shim-v2 pid=1674451 sandbox=hello source=virtcontainers subsystem=container
Aug 20 01:01:42 microk8s-dev kata[1674451]: time="2021-08-20T01:01:42.82165576Z" level=warning error="no such file or directory" name=containerd-shim-v2 pid=1674451 rootfs-dir=/run/kata-containers/shared/sandboxes/hello/mounts/hello/rootfs sandbox=hello source=virtcontainers subsystem=mount
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.821507636Z" level=error msg="container create failed" error="QMP command failed: The device is not writable: Permission denied" name=containerd-shim-v2 pid=1674451 sandbox=hello source=virtcontainers subsystem=container
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.821655760Z" level=warning error="no such file or directory" name=containerd-shim-v2 pid=1674451 rootfs-dir=/run/kata-containers/shared/sandboxes/hello/mounts/hello/rootfs sandbox=hello source=virtcontainers subsystem=mount
Aug 20 01:01:42 microk8s-dev kata[1674451]: time="2021-08-20T01:01:42.823081853Z" level=warning msg="sandbox cgroups path is empty" name=containerd-shim-v2 pid=1674451 sandbox=hello source=virtcontainers subsystem=sandbox
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.823081853Z" level=warning msg="sandbox cgroups path is empty" name=containerd-shim-v2 pid=1674451 sandbox=hello source=virtcontainers subsystem=sandbox
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_queue_set_started: qidx=0 started=0
Aug 20 01:01:42 microk8s-dev systemd[1848]: run-netns-cnitest\x2da4761be0\x2d314d\x2de9ac\x2ddd54\x2d0823b86a855f.mount: Succeeded.
Aug 20 01:01:42 microk8s-dev systemd[1]: run-kata\x2dcontainers-shared-sandboxes-hello-shared.mount: Succeeded.
Aug 20 01:01:42 microk8s-dev systemd[1]: run-netns-cnitest\x2da4761be0\x2d314d\x2de9ac\x2ddd54\x2d0823b86a855f.mount: Succeeded.
Aug 20 01:01:42 microk8s-dev kata[1674451]: time="2021-08-20T01:01:42.825920154Z" level=warning msg="failed to cleanup netns" error="failed to get netns /var/run/netns/cnitest-a4761be0-314d-e9ac-dd54-0823b86a855f: failed to Statfs \"/var/run/netns/cnitest-a4761be0-314d-e9ac-dd54-0823b86a855f\": no such file or directory" name=containerd-shim-v2 path=/var/run/netns/cnitest-a4761be0-314d-e9ac-dd54-0823b86a855f pid=1674451 sandbox=hello source=katautils
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.825920154Z" level=warning msg="failed to cleanup netns" error="failed to get netns /var/run/netns/cnitest-a4761be0-314d-e9ac-dd54-0823b86a855f: failed to Statfs \"/var/run/netns/cnitest-a4761be0-314d-e9ac-dd54-0823b86a855f\": no such file or directory" name=containerd-shim-v2 path=/var/run/netns/cnitest-a4761be0-314d-e9ac-dd54-0823b86a855f pid=1674451 sandbox=hello source=katautils
Aug 20 01:01:42 microk8s-dev systemd[1848]: run-kata\x2dcontainers-shared-sandboxes-hello-shared.mount: Succeeded.
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.829075518Z" level=info msg="shim disconnected" id=hello
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.829123171Z" level=warning msg="cleaning up after shim disconnected" id=hello namespace=default
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.829131904Z" level=info msg="cleaning up dead shim"
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_queue_thread: kill event on queue 0 - quitting
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_remove_watch: TODO! fd=9
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_queue_set_started: qidx=1 started=0
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_queue_thread: kill event on queue 1 - quitting
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: fv_remove_watch: TODO! fd=12
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: virtio_loop: Unexpected poll revents 11
Aug 20 01:01:42 microk8s-dev virtiofsd[1]: virtio_loop: Exit
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.860331285Z" level=error msg="failed to delete" cmd="/usr/local/bin/containerd-shim-kata-v2 -namespace default -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id hello -bundle /run/containerd/io.containerd.runtime.v2.task/default/hello delete" error="exit status 1"
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.860389733Z" level=warning msg="failed to clean up after shim disconnected" error="time=\"2021-08-20T01:01:42Z\" level=warning msg=\"failed to cleanup container\" container=hello error=\"open /run/vc/sbs/hello: no such file or directory\" name=containerd-shim-v2 pid=1674481 sandbox=hello source=containerd-kata-shim-v2\nio.containerd.kata.v2: open /run/vc/sbs/hello: no such file or directory\n: exit status 1" id=hello namespace=default
Aug 20 01:01:42 microk8s-dev containerd[1673075]: time="2021-08-20T01:01:42.860430489Z" level=error msg="copy shim log" error="read /proc/self/fd/22: file already closed"
Aug 20 01:01:42 microk8s-dev systemd[1848]: run-containerd-io.containerd.runtime.v2.task-default-hello-rootfs.mount: Succeeded.
Aug 20 01:01:42 microk8s-dev systemd[1]: run-containerd-io.containerd.runtime.v2.task-default-hello-rootfs.mount: Succeeded.

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 25 (7 by maintainers)

Most upvoted comments

@egernst Thanks for the reply. However, I added privileged_without_host_devices = true and it was the same.

+1
jclab-joseph on Aug 20, 2021
Read more comments on GitHub
← kata-containers: Unable to run any pods in kubernetes using Kata Runtime.
kata-containers: Use of qemu PCIe to PCI bridges on x86 causes multiple problems →