kubernetes: Cannot use hostAliases when mounting files in /etc

What happened?

I have a file that I mount in /etc, and if I use the hostAliases feature, the pod goes into the RunContainerError state.

What did you expect to happen?

I expected the pod to be deployed without errors.

How can we reproduce it (as minimally and precisely as possible)?

Here is a sample config that causes this condition:

---
apiVersion: v1
data:
  nsswitch.conf: |
    hosts: files dns
kind: ConfigMap
metadata:
  name: nss
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: web
  name: web
spec:
  containers:
  - image: nginx
    name: web
    volumeMounts:
    - name: nss
      mountPath: /etc
  volumes:
  - name: nss
    configMap:
      name: nss
      items:
      - key: nsswitch.conf
        path: nsswitch.conf
  hostAliases:
  - hostnames:
    - kubernetes
    ip: 10.0.0.1
  dnsPolicy: ClusterFirst
  restartPolicy: Always
---

Once you deploy the above pod you will get the following error:

$ kubectl get pods
NAME   READY   STATUS              RESTARTS      AGE
web    0/1     RunContainerError   4 (18s ago)   2m2s
$ kubectl describe pod web
...
  Warning  Failed     12s                kubelet            Error: failed to start container "web": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/containers/160ad34a2ab1ed1288fa3037041f03ce89992b84d9363838df051de454398892/resolv.conf" to rootfs at "/etc/resolv.conf" caused: open /var/lib/docker/overlay2/47ab95865cd7e626e48e098b6db7f46d0d4a0011d92bfc9599e06975fa399d5d/merged/etc/resolv.conf: read-only file system: unknown
  Normal   Created    9s (x2 over 12s)   kubelet            Created container web
  Normal   Pulled     9s                 kubelet            Successfully pulled image "nginx" in 2.704984959s
  Warning  Failed     9s                 kubelet            Error: failed to start container "web": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/containers/160ad34a2ab1ed1288fa3037041f03ce89992b84d9363838df051de454398892/resolv.conf" to rootfs at "/etc/resolv.conf" caused: open /var/lib/docker/overlay2/fdbff16e45635a8a837b48ad757100e47cb3d34b2428a0c81e097e9262a9ad9d/merged/etc/resolv.conf: read-only file system: unknown

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:51:05Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"darwin/arm64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.3", GitCommit:"816c97ab8cff8a1c72eccca1026f7820e93e0d25", GitTreeState:"clean", BuildDate:"2022-01-25T21:19:12Z", GoVersion:"go1.17.6", Compiler:"gc", Platform:"linux/arm64"}

The problem exists on the master as well.

# kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24+", GitVersion:"v1.24.0-beta.0.102+820247a3aec7d7-dirty", GitCommit:"820247a3aec7d7d1e65cd5ad34b0f07adb16e907", GitTreeState:"dirty", BuildDate:"2022-04-06T03:29:24Z", GoVersion:"go1.18", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24+", GitVersion:"v1.24.0-beta.0.102+820247a3aec7d7-dirty", GitCommit:"820247a3aec7d7d1e65cd5ad34b0f07adb16e907", GitTreeState:"dirty", BuildDate:"2022-04-06T03:29:24Z", GoVersion:"go1.18", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider

minikube and local-up-cluster.sh

OS version

# On Linux:
$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="35 (Cloud Edition)"
ID=fedora
VERSION_ID=35
VERSION_CODENAME=""
PLATFORM_ID="platform:f35"
PRETTY_NAME="Fedora Linux 35 (Cloud Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:35"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f35/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=35
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=35
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Cloud Edition"
VARIANT_ID=cloud

$ uname -a
Linux fedora 5.14.10-300.fc35.x86_64 #1 SMP Thu Oct 7 20:48:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Install tools

No response

Container runtime (CRI) and version (if applicable)

No response

Related plugins (CNI, CSI, …) and versions (if applicable)

No response
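
A pre-deployment check for the pattern in this report, as an added example that is not part of the original issue or of the Kubernetes project: it flags read-only volume mounts that cover a file the container runtime places in /etc. The function names and the `RUNTIME_FILES` list are assumptions of this example; only /etc/resolv.conf appears in the error above.

```python
import posixpath

# /etc/resolv.conf is the file named in the error on this page; treating
# /etc/hosts and /etc/hostname the same way is an assumption of this example.
RUNTIME_FILES = ("/etc/resolv.conf", "/etc/hosts", "/etc/hostname")
# Volume sources that Kubernetes always mounts read-only.
READ_ONLY_SOURCES = ("configMap", "secret", "downwardAPI", "projected")


def covers(mount_path, target):
    """True if mount_path is target itself or one of its parent directories."""
    base = posixpath.normpath(mount_path).rstrip("/")
    return target == base or target.startswith(base + "/")


def find_shadowing_mounts(pod):
    """List read-only volumeMounts that hide a runtime-managed file."""
    spec = pod.get("spec", {})
    ro_volumes = {v["name"] for v in spec.get("volumes", [])
                  if any(src in v for src in READ_ONLY_SOURCES)}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] not in ro_volumes and not m.get("readOnly"):
                continue  # writable mount: the runtime can still create files
            hidden = [f for f in RUNTIME_FILES if covers(m["mountPath"], f)]
            if hidden:
                findings.append({"container": c["name"],
                                 "mountPath": m["mountPath"],
                                 "hides": hidden,
                                 "hostAliases": bool(spec.get("hostAliases"))})
    return findings


# The Pod from the report above, re-typed as a dict and trimmed to the
# fields the check reads.
REPORTED_POD = {"spec": {
    "containers": [{"name": "web", "image": "nginx",
                    "volumeMounts": [{"name": "nss", "mountPath": "/etc"}]}],
    "volumes": [{"name": "nss", "configMap": {"name": "nss"}}],
    "hostAliases": [{"ip": "10.0.0.1", "hostnames": ["kubernetes"]}],
}}

if __name__ == "__main__":
    for finding in find_shadowing_mounts(REPORTED_POD):
        print(finding)
```

A mount whose `mountPath` is a single file such as /etc/nsswitch.conf (with `subPath`) covers none of the listed files and produces no finding.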

About this issue

  • State: open
  • Created 2 years ago
  • Comments: 15 (10 by maintainers)

Most upvoted comments

/remove-lifecycle stale

/remove-lifecycle rotten