kubevirtv1.2.0 does not work on k8s v1.28.9, when creating a vm reported error message: {"component":"virt-launcher-monitor","level":"error","msg":"failed to run virt-launcher","pos":"virt-launcher-monitor.go:181","reason":"fork/exec /usr/bin/virt-launcher: operation not permitted","timestamp":"2024-04-24T11:53:56.790431Z"} #11784
Comments
|
/cc @xpivarc |
|
Hi @wingying would you be able to provide audit logs from a node that the VM failed to start? |
|
Hi, Some updates... we enable - ROOT in featureGates, all works!! Could you explain why we have to add - ROOT featureGate, looks like it gets the high privilege of k8s. we do not need it in kubevirtv1.1.1 and before... |
|
Hi, Please provide the logs and yamls in order to be able to investigate further. |
|
audit.log.20240424.not_work.txt Attached files. pls note I have to mask some sensitive info. These files are only use for issue analysis. |
|
update: |
|
Hi @wingying |
|
no customized build...just pull image from original registry, and retag and push to our internal harbor. no other changes for image itself. I curious that no one reported the issue for new released v1.2.0 version? It nearly failure on all latest k8s version... |
|
Would you be able to use the original image, just to be sure? |
|
virt-launcher-direcy-pull-image-nowork.txt no use.... |
|
Please add annotation |
|
no result? |
|
@wingying Great, we are getting somewhere. This means there is no file capability while it should be there. I verified that the file capability is there (locally) so this needs to be runtime/fs issue. Can you share what fs type are you using for your containers? Also can you find a backing source of the launcher image and see if the virt-launcher-monitor has the file capability there? |
|
Firstly, thank you for your continues support!! for fstype see below:
|
You can run Once you confirm there is no capability even on the underlay you can do following. |
|
@xpivarc looks only overlay found. |
|
@wingying Please also try the steps described previously with |
|
@xpivarc what id I should use? is the warning related? |
|
@xpivarc below step? |
|
@xpivarc nearly to the cause? see below.
|
Here it is enough to do |
|
@xpivarc see above reply. I hightlighted as red. In addition, I tried to log on previous working one v1.1.1 in k8s 1.25.16, getcap has no result as neither...but why it is working? 
|
I missed it. Ok so the capability is there.
Interesting. Are you running Root feature on the v1.1.1? Please run |
My fault. I tried to reset the kubevirt v1.1.1 on k8s 1.25.16 environment. now below is the correct result. Seems /usr/bin/virt-lanucher-monitor has cap while virt-launcher not |
|
while in kubevirt1.2.0 on k8s 1.28.9, still neither launcher or launcher-monitor has cap. |
The capability is expected only on the |
|
Also, I should point out at this point that the Kubevirt is not at fault but the environment is wrong here. |
|
@xpivarc In summary. kubevirtv1.1.1 is working on k8s 1.25.16 while kubevirtv1.2.0 not working on from k8s 1.25.16 + version (I tested several k8s versions) Below is other environment info: Again, in k8s 1.25.16, kubevirtv1.1.1 works while kubevirtv1.2.0 not work(unless configure - Root) other things are same... |
No, it is cri/runtime issue, in your case the Docker.
What is the docker and cri-dockerd version that is working? Would you be able to downgrade them on the new Kubernetes version?
I can suggest following step to figure out if this is docker or cri issue: |
Actually, I first upgraded new k8s version, while NO docker and cri-dockerd upgrade. But not work. |
|
Both 1.1.0 and 1.2.0 images contain the capability, so from Kubevirt side we can't do more. I suggest to try what I described in the last comment. |
Yes, I followed your suggestion, make a customized entrypoint, Dockerfile, rebuild both v1.2.0 and v1.1.1 image, run in same server with same docker version, magic thing happens below: v1.1.1 still work!! on pure docker container, while v1.2.0 does not work!! Dockerfile is simple enough as well. So next? |
|
@xpivarc After that, I tried to re-install kubevirt again, this time virt-handler pod does not start lol...., and STATUS always CreateContainerError. Below is related error message:
|
|
It works finally! after upgrade to k8s v1.26.5, I will record all related components versions: anything I missed? @xpivarc feel free give your comment. |
|
Great that it works, correct me if I misunderstood. I think it can be beneficial for others if you record how did you find that containerd is the issue, maybe bug link? It is still weird that one version did work and the other not but I guess it was bug in contianerd. |
|
Yes,I confirmed it works,because I tested mutiple docker version,cri-docker version,containerd version. finally used the method you provided to verify getcap works within some kind of combined version.
BTW,as you mentioned virt-launcher use file capacity,why virt-launcher-monitor has capacity when running getcap while virt-launcher not?or virt-launcher-monitor is sub binary or process of virt-launcher?
发自我的 iPhone
在 2024年4月29日,18:14,xpivarc ***@***.***> 写道:
Great that it works, correct me if I misunderstood. I think it can be beneficial for others if you record how did you find that containerd is the issue, maybe bug link? It is still weird that one version did work and the other not but I guess it was bug in contianerd.
—
Reply to this email directly, view it on GitHub<#11784 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMZGSARHHCMSQSGLPX2ABUTY7YMRDAVCNFSM6AAAAABGWZYEAGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOBSGM2TCOJZHE>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
/close
The Please reopen if any issues persists. |
|
@xpivarc: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What happened:
kubevirtv1.2.0 does not work on k8s v1.28.9, when creating a vm reported error message: {"component":"virt-launcher-monitor","level":"error","msg":"failed to run virt-launcher","pos":"virt-launcher-monitor.go:181","reason":"fork/exec /usr/bin/virt-launcher: operation not permitted","timestamp":"2024-04-24T11:53:56.790431Z"}
I also tested kubevirtv1.2.0+v1.27.11, same error message above.
Is it will related docker or containerd version? or anything else?
As I posted issue below: Only passed test is kubevirtv1.1.1 + k8s v1.25.6
Environment:
KubeVirt version: v1.2.0
Kubernetes version (use
kubectl version):Client Version: v1.28.9
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.9
OS (e.g. from /etc/os-release):
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Kernel (e.g.
uname -a):Linux cdp 6.1.0-18-amd64 Add travis support #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
Install tools: N/A
Client: Docker Engine - Community
Version: 24.0.7
API version: 1.43
Go version: go1.20.10
Git commit: afdd53b
Built: Thu Oct 26 09:08:02 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.7
API version: 1.43 (minimum version 1.12)
Go version: go1.20.10
Git commit: 311b9ff
Built: Thu Oct 26 09:08:02 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.27
GitCommit: a1496014c916f9e62104b33d1bb5bd03b0858e59
runc:
Version: 1.1.11
GitCommit: v1.1.11-0-g4bccb38
docker-init:
Version: 0.19.0
GitCommit: de40ad0
containerd containerd.io 1.6.27 a1496014c916f9e62104b33d1bb5bd03b0858e59
The text was updated successfully, but these errors were encountered: