[question] Right value for capabilities.FSIsolation in containerd-driver #9790
Comments
Hi @shishir-a412ed! The From the plugin docs (ref):
@tgross Thanks for the clarification. So when I switch The secrets mountpoint is setup |
@shishir-a412ed I'm looking at this line containerd.go#L169 and I think the issue is that the source for the bind mount doesn't exist. The client creates the allocation working directory and the various child directories (secrets, task, alloc), and then those directories are used as the source of the bind by the driver. It's worth comparing the containerd implementation to how it's done for the |
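The mount arrangement described above, as an added example that is not code from nomad-driver-containerd or Nomad: under image isolation the driver itself must bind-mount the client-created host directories into the rootfs at /alloc, /local and /secrets, and it should verify each bind source exists before handing the spec to the runtime. AllocDirs and Mount are hypothetical stand-ins for Nomad's allocdir.TaskDir fields and the OCI runtime-spec mount type.

```go
// Added example, not nomad-driver-containerd code. Under FSIsolationImage the
// driver must bind-mount the host alloc/local/secrets directories (created by
// the Nomad client) into the rootfs at /alloc, /local and /secrets, checking
// first that each bind source exists. AllocDirs and Mount are hypothetical
// stand-ins for Nomad's allocdir.TaskDir fields and the OCI spec mount type.
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// AllocDirs holds the host paths the client created for one task.
type AllocDirs struct {
	SharedAllocDir string // shared by all tasks of the allocation -> /alloc
	LocalDir       string // task-private working directory        -> /local
	SecretsDir     string // rendered templates, tokens            -> /secrets
}

// Mount is the subset of an OCI spec mount needed for a bind mount.
type Mount struct {
	Destination, Type, Source string
	Options                   []string
}

// AllocDirMounts builds the three bind mounts. Destinations are fixed; sources
// come from the client. A missing or non-directory source is rejected, so the
// runtime is never handed a bind whose source does not exist (the failure seen
// in this thread). Mounts are rw, as the thread concluded read-only was a bug.
func AllocDirMounts(dirs AllocDirs) ([]Mount, error) {
	pairs := []struct{ dest, src string }{
		{"/alloc", dirs.SharedAllocDir}, {"/local", dirs.LocalDir}, {"/secrets", dirs.SecretsDir},
	}
	mounts := make([]Mount, 0, len(pairs))
	for _, p := range pairs {
		if !filepath.IsAbs(p.src) {
			return nil, fmt.Errorf("%s: bind source must be an absolute host path, got %q", p.dest, p.src)
		}
		if info, err := os.Stat(p.src); err != nil {
			return nil, fmt.Errorf("%s: bind source %s: %w", p.dest, p.src, err)
		} else if !info.IsDir() {
			return nil, fmt.Errorf("%s: bind source %s is not a directory", p.dest, p.src)
		}
		mounts = append(mounts, Mount{p.dest, "bind", p.src, []string{"rbind", "rw"}})
	}
	return mounts, nil
}
```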
@tgross I see, maybe some more changes are needed in the
Just switching the flag results in the error
Just to be clear 🙂 It works perfectly fine when the mode is set to From within the allocation (container)
I can verify I see the same error building from current HEAD of
diff --git a/containerd/driver.go b/containerd/driver.go
index 336452b..22a3e10 100644
--- a/containerd/driver.go
+++ b/containerd/driver.go
@@ -26,7 +26,6 @@ import (
"github.com/containerd/containerd"
"github.com/containerd/containerd/namespaces"
"github.com/hashicorp/consul-template/signals"
- "github.com/hashicorp/go-hclog"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/nomad/client/stats"
"github.com/hashicorp/nomad/drivers/shared/eventer"
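Review bot: dropping the bare `github.com/hashicorp/go-hclog` import while keeping the aliased `log` import means every `hclog.` reference in driver.go must now be written as `log.`; the StartTask hunk below updates the one visible call (`hclog.Fmt` to `log.Fmt`), so confirm no other `hclog.` uses remain in the file, otherwise it no longer compiles.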
@@ -118,7 +117,7 @@ var (
capabilities = &drivers.Capabilities{
SendSignals: true,
Exec: true,
- FSIsolation: drivers.FSIsolationNone,
+ FSIsolation: drivers.FSIsolationImage,
NetIsolationModes: []drivers.NetIsolationMode{drivers.NetIsolationModeGroup, drivers.NetIsolationModeTask},
}
)
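Review bot: flipping `FSIsolation` to `drivers.FSIsolationImage` on its own does not change where the driver takes its bind-mount sources from; as noted earlier in this thread, the client creates the alloc, local and secrets directories and hands the driver different paths under image isolation, so this capability change should land together with the matching change to the bind-mount source paths, or tasks fail with the missing-source error this issue reports.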
@@ -363,7 +362,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
driverConfig.setVolumeMounts(cfg)
- d.logger.Info("starting task", "driver_cfg", hclog.Fmt("%+v", driverConfig))
+ d.logger.Info("starting task", "driver_cfg", log.Fmt("%+v", driverConfig))
handle := drivers.NewTaskHandle(taskHandleVersion)
handle.Config = cfg
But the paths that the driver gets are different for Unrelated, but I notice that secrets, local, and alloc directories are being bind-mounted read-only? Is that intentional?
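Review bot: the `log.Fmt("%+v", driverConfig)` call logs the whole driver configuration struct at Info level on every task start; if `driverConfig` carries more than the volume mounts set just above it, all of that lands in the client log, so consider Debug level or logging only the fields needed to diagnose mount problems. The alias change itself is consistent with the import hunk.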
@tgross Thanks for all the explanation and the links!
However, when
I am using the
This seems to be a bug, and it should not be |
Good to hear. I'm going to close this issue but please let us know if you run into any more issues! |
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues. |
Hi,
We recently received a request on our containerd-driver repo to change filesystem isolation from None to Image.
It seems like if I change FSIsolation from FSIsolationNone to FSIsolationImage, I start running into this error.
I believe the reason for that is containerd-driver is responsible for mounting /alloc, /local and /secrets from the host filesystem into the container rootfs. If I change FSIsolation from FSIsolationNone to FSIsolationImage, containerd-driver no longer has access to the host filesystem and I start seeing this error:
Questions:
Is FSIsolationNone the right value? It seems to be working fine for us, and IIUC only the containerd-driver will have access to the host filesystem and not the allocations (containers). Is my understanding correct?
The docker driver seems to be setting it to FSIsolationImage. How does the docker driver have access to the host filesystem?
TIA