
Localhost seccomp behavior failed to start container if pod seccomp is disabled #6498

@orz-nil

Description


What happened?

When I use cri-o as the runtime (runc), the datadog agent system-probe container fails to be created.
Error log from describe:

Warning Failed 50s (x3 over 52s) kubelet Error: setup seccomp: from field: seccomp is not enabled, cannot run with custom profile

What did you expect to happen?

When pod seccomp is Unconfined and the container's seccomp is set to Localhost, this pod can be started.

How can we reproduce it (as minimally and precisely as possible)?

1. Disable the seccomp feature in the k8s cluster.
2. Create a pod with the annotation:
   container.seccomp.security.alpha.kubernetes.io/[container-name]: localhost/[log-name]

Anything else we need to know?

#4789
This PR fixes containers with RuntimeDefault when pod seccomp is Unconfined.

Please add a logic check to allow this:
when pod seccomp is Unconfined, the container's seccomp can be Localhost.

CRI-O and Kubernetes version

$ crio --version
crio version 1.22.4
Version:          1.22.4
GitCommit:        aa4f006374330171f8722fd26ca58a6314f226d6
GitTreeState:     clean
BuildDate:        2022-07-19T23:24:23Z
GoVersion:        go1.17.5
Compiler:         gc
Platform:         linux/amd64
Linkmode:         dynamic
BuildTags:        exclude_graphdriver_devicemapper, containers_image_openpgp, containers_image_ostree_stub
SeccompEnabled:   false
AppArmorEnabled:  false
$ kubectl version
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.17", GitCommit:"a7736eaf34d823d7652415337ac0ad06db9167fc", GitTreeState:"clean", BuildDate:"2022-12-08T11:42:04Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}

OS version

# On Linux:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

$ uname -a
Linux ip-172-19-7-88 5.15.0-1026-aws #30~20.04.2-Ubuntu SMP Fri Nov 25 14:53:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Additional environment details (AWS, VirtualBox, physical, etc.)

Annotations on the affected container:
container.apparmor.security.beta.kubernetes.io/system-probe: unconfined
container.seccomp.security.alpha.kubernetes.io/system-probe: runtime/default
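To make the annotation precedence and the failure mode concrete, here is an added illustration in Go; it is not CRI-O's or Kubernetes' own code. It resolves the effective seccomp profile from the legacy pod and container annotations and refuses a localhost/ profile when the runtime reports seccomp disabled (the SeccompEnabled: false shown in the crio --version output above), which is the fail-closed outcome behind the error in this issue. The pod-level annotation key, the Enforced flag and the sample profile names are assumptions of the example.

```go
package main
import (
	"errors"
	"fmt"
	"strings"
)

// Legacy Kubernetes seccomp annotation keys: the container key appears in
// the issue; the pod key is its pod-level counterpart.
const (
	podSeccompKey          = "seccomp.security.alpha.kubernetes.io/pod"
	containerSeccompPrefix = "container.seccomp.security.alpha.kubernetes.io/"
)

// ErrSeccompDisabled mirrors the error text quoted in the issue.
var ErrSeccompDisabled = errors.New("seccomp is not enabled, cannot run with custom profile")

// Resolved is the effective seccomp decision for one container (assumed shape).
type Resolved struct {
	Profile  string // "unconfined", "runtime/default" or "localhost/<name>"
	Enforced bool   // false when the runtime applies no filter at all
}

// ResolveSeccomp prefers the container annotation over the pod annotation and
// then checks whether the runtime can honour it. A localhost/ profile fails
// closed when seccomp is off rather than silently running unfiltered.
func ResolveSeccomp(ann map[string]string, container string, seccompEnabled bool) (Resolved, error) {
	profile, ok := ann[containerSeccompPrefix+container]
	if !ok {
		profile, ok = ann[podSeccompKey]
	}
	if !ok || profile == "" {
		profile = "unconfined" // legacy behaviour: no annotation means no filter
	}
	switch {
	case profile == "unconfined":
		return Resolved{Profile: profile}, nil
	case profile == "runtime/default" || profile == "docker/default":
		// No default filter exists when seccomp is off; Enforced=false lets
		// a caller log or alert instead of assuming protection.
		return Resolved{Profile: "runtime/default", Enforced: seccompEnabled}, nil
	case strings.HasPrefix(profile, "localhost/") && len(profile) > len("localhost/"):
		if !seccompEnabled {
			return Resolved{}, fmt.Errorf("setup seccomp: %w", ErrSeccompDisabled)
		}
		return Resolved{Profile: profile, Enforced: true}, nil
	}
	return Resolved{}, fmt.Errorf("setup seccomp: unknown profile %q", profile)
}
func main() {}
```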
