*** zerocoolback has joined #kata-dev | 03:51 | |
*** sjas_ has joined #kata-dev | 04:30 | |
*** sjas has quit IRC | 04:32 | |
*** jodh has joined #kata-dev | 06:36 | |
*** gwhaley has joined #kata-dev | 08:00 | |
*** davidgiluk has joined #kata-dev | 08:01 | |
*** tonyb has quit IRC | 08:50 | |
*** tonyb has joined #kata-dev | 09:53 | |
*** mugsie has joined #kata-dev | 10:48 | |
*** gwhaley has quit IRC | 11:03 | |
kata-irc-bot | <xu> there is a CRI API we hadn’t addressed much before. What do you think on how to support it? | 11:04 |
*** zerocoolback has quit IRC | 11:07 | |
*** zerocool_ has joined #kata-dev | 11:08 | |
*** zerocool_ has quit IRC | 11:33 | |
*** dims has joined #kata-dev | 12:13 | |
*** gwhaley has joined #kata-dev | 12:14 | |
*** zerocoolback has joined #kata-dev | 12:23 | |
*** jbryce has joined #kata-dev | 12:37 | |
kata-irc-bot | <niteshkonkar007> Sometimes the initrd image with lib-seccomp support fails to start. On running the qemu command it generates, it shows the following . ``` console [netcon0] enabled netconsole: network logging started rtc-generic rtc-generic: setting system clock to 2018-09-04 12:35:38 UTC (1536064538) Freeing unused kernel memory: 2652K This architecture does not have kernel memory protection. /init: error while loading shared libraries: | 12:41 |
kata-irc-bot | libseccomp.so.2: cannot open shared object file: No such file or directory Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00 ``` I googled and tried a fix that suggests installing `lxc` as well. However, that too didn't work. | 12:41 |
kata-irc-bot | <niteshkonkar007> The rootfs image has `libseccomp` and `libseccomp-devel` installed. | 12:42 |
gwhaley | @niteshkonkar007 - the 'sometimes' in your sentence worries me.... sporadic bugs, hmm, nasty. That looks particularly weird - the agent as the init process has failed to load due to a library load failure? That is so 'early' in the boot it is hard to even think how we might race anything. | 12:46 |
kata-irc-bot | <niteshkonkar007> @graham.whaley: I say sometimes because when I tested my seccomp PR before sending it upstream, it worked fine. But today I am unable to boot with `libseccomp` and `libseccomp-devel` packages installed as part of my fedora initrd rootfs built. (checked out upstream osbuilder with merged PR) | 12:50 |
kata-irc-bot | <niteshkonkar007> So adding a `RUN /sbin/ldconfig -v` in the fedora dockerfile also didn't help. | 13:13 |
xzr | hmm.. so.. trying my hand at https://github.com/kata-containers/packaging/tree/master/kernel . Looks like the script expects the kernel sources to already be present (although I see there's an option for downloading the sources, just not able to trigger it) | 13:23 |
xzr | getting: ERROR: failed to find /home/xzr/go/src/github.com/kata-containers/packaging/kernel/patches//../kata_config_version when I try to run build.sh setup | 13:23 |
kata-irc-bot | <graham.whaley> @atte.pellikka - you probably need some input from @jose.carlos.venegas.m on that one for kernel pull. | 13:38 |
kata-irc-bot | <james.o.hunt> @niteshkonkar007 - I'd unpack the initrd, chroot to the root directory and then try `/sbin/init --version` or `/usr/bin/kata-agent --version` (and/or use `ldd`) | 13:39 |
*** annabelleB has joined #kata-dev | 13:42 | |
kata-irc-bot | <niteshkonkar007> @james.o.hunt: I unpacked the initrd image, cd into it and got the init version ``` /test# ./sbin/init --version kata-agent version 1.2.0-fcfa054a757e7c17afba47b0b4d7e91cbb8688ed-dirty /test# ./sbin/ldconfig -v | grep libseccomp ./sbin/ldconfig: Can't stat /usr/lib64: No such file or directory libseccomp.so.2 -> libseccomp.so.2.3.1 ``` | 13:48 |
kata-irc-bot | <james.o.hunt> @niteshkonkar007 - the above suggests you have not run `sudo chroot /path/to/unpack/directory sh` ...? | 13:52 |
kata-irc-bot | <niteshkonkar007> Ahh, got your point ``` chroot /test sh sh-4.2# ls bin boot dev etc home init lib lib64 media mnt opt proc root run sbin srv sys tmp usr var sh-4.2# ./sbin/init --version ./sbin/init: error while loading shared libraries: libseccomp.so.2: cannot open shared object file: No such file or directory ``` | 13:54 |
kata-irc-bot | <james.o.hunt> @niteshkonkar007 - yep - that's why it isn't booting :slightly_smiling_face: | 13:55 |
kata-irc-bot | <niteshkonkar007> @james.o.hunt: Does this mean I missed adding my custom agent into the initrd? | 13:57 |
*** zerocoolback has quit IRC | 14:06 | |
*** zerocool_ has joined #kata-dev | 14:06 | |
xzr | hmm okay now it's downloading, had to create the directory structure it was expecting and drop the config there | 14:06 |
xzr | I must be missing some setup steps or the docs/script could use a bit of work :p | 14:06 |
kata-irc-bot | <james.o.hunt> @niteshkonkar007 - I think the problem is that although your osbuilder PR added the seccomp packages to the *docker* environment, it did not add them to the generated image - you need to update the `PACKAGES=` variables I think. | 14:07 |
kata-irc-bot | <james.o.hunt> @atte.pellikka - if you could raise an issue, that would be great so we can look at fixing that. | 14:08 |
kata-irc-bot | <atte.pellikka> @james.o.hunt will do | 14:09 |
kata-irc-bot | <james.o.hunt> @atte.pellikka - thanks! :slightly_smiling_face: | 14:12 |
kata-irc-bot | <niteshkonkar007> @james.o.hunt: Okay, let me try that approach. But then how did it even come to know about seccomp ? | 14:13 |
kata-irc-bot | <atte.pellikka> https://github.com/kata-containers/packaging/issues/178 | 14:16 |
*** annabelleB has quit IRC | 14:26 | |
*** annabelleB has joined #kata-dev | 14:31 | |
*** annabelleB has quit IRC | 14:42 | |
kata-irc-bot | <james.o.hunt> @niteshkonkar007 - sorry, I don't follow? I'm assuming you build a custom image containing your agent. But the agent (linked to libseccomp) gets built outside the image you copy it into and the resulting image doesn't appear to have libseccomp.so available. | 14:46 |
*** annabelleB has joined #kata-dev | 14:51 | |
*** dklyle has joined #kata-dev | 14:58 | |
*** fuentess has quit IRC | 15:12 | |
*** dklyle has quit IRC | 15:13 | |
*** dklyle has joined #kata-dev | 15:14 | |
kata-irc-bot | <niteshkonkar007> @james.o.hunt: Adding `libseccomp libseccomp-devel` to https://github.com/kata-containers/osbuilder/blob/67dba890cd9b458094634ad8af36a70cfb90fab7/rootfs-builder/clearlinux/config.sh#L18 worked! Indeed the packages were not getting added to the image. But then how did it work before? @ydjainopensource too tried with just my PR and it seemed to work fine. I had built my custom image which pulled the code from agent with tag seccomp | 15:16 |
kata-irc-bot | enabled. ``` Complete! INFO: Pull Agent source code INFO: Build agent ~/nitesh/split_patch/src/github.com/kata-containers/agent / [OK] Pull Agent source code rm -f kata-agent kata-agent.service go build -tags "seccomp" -o kata-agent -ldflags "-X main.version=1.2.0-fcfa054a757e7c17afba47b0b4d7e91cbb8688ed-dirty" install -D kata-agent /rootfs/usr/bin/kata-agent / [OK] Agent installed INFO: Install /rootfs/usr/bin/kata-agent as init process [OK] | 15:16 |
kata-irc-bot | Agent is installed as init process [OK] init is installed INFO: Check init is installed INFO: Creating summary file INFO: Created summary file '/var/lib/osbuilder/osbuilder.yaml' inside rootfs Script done, file is typescript ``` I am not manually copying the agent into it. | 15:16 |
kata-irc-bot | <ydjainopensource> Yup it did | 15:18 |
kata-irc-bot | <james.o.hunt> @niteshkonkar007 - nice! :) I'm not sure what you did before but we need libseccomp added to `PACKAGES=` for all the distros. I'm not sure we need it in the docker image itself though tbh as we only need that image to actually install the libseccomp package - we're not "using" it. | 15:19 |
xzr | quick q, kata picks up the vmlinuz and vmlinux images from /usr/share/kata-containers/ when you spin a new container up? | 15:51 |
gwhaley | xzr: yep - well, technically I think those paths are in the configuration.toml | 15:52 |
gwhaley | and, if you are running k8s, I think you can specify on a per-pod basis for some of them (but, I don't have a link to where that is documented...) | 15:53 |
xzr | I'm just tinkering with docker currently | 15:55 |
xzr | rebuilt a kernel with selinux enabled and trying to figure out how to get sestatus to return enabled within the container :p | 15:55 |
xzr | basically just moved those symlinks to point to the new ones I built | 15:56 |
xzr | I reckon I might have cut through some corner | 15:56 |
*** annabelleB has quit IRC | 16:00 | |
*** annabelleB has joined #kata-dev | 16:04 | |
gwhaley | xzr - symlinks moving will work. I normally sudo edit the configuration.toml and stick in a path to my test image or kernel | 16:10 |
gwhaley | watch out though, when you 'sudo make install' the runtime, it then wipes your config :-( | 16:10 |
*** annabelleB has quit IRC | 16:19 | |
xzr | I must be missing something, will keep tinkering | 16:20 |
*** annabelleB has joined #kata-dev | 16:20 | |
gwhaley | xzr: you can also see what the runtime thinks it is going to use with a 'kata-runtime kata-env' - that can maybe help ensure your configs are right - and I think it resolves symlinks to tell you the real file it will load | 16:27 |
kata-irc-bot | <james.o.hunt> @graham.whaley, @atte.pellikka - yes, it does. | 16:30 |
kata-irc-bot | <niteshkonkar007> @graham.whaley: @atte.pellikka: You can store your configuration in `/runtime/cli/config/configuration.toml.in` so that when you `make install` the runtime, it does not wipe your config. | 16:39 |
gwhaley | ooh, /me tries to store that in his head :-) | 16:41 |
kata-irc-bot | <james.o.hunt> @niteshkonkar007, @atte.pellikka - or you can `sudo mkdir -p /etc/kata-containers/ && sudo cp /usr/share/defaults/kata-containers/configuration.toml /etc/kata-containers/` as `make install` won't touch `/etc/`. | 16:41 |
*** gwhaley has quit IRC | 17:00 | |
*** jodh has quit IRC | 17:03 | |
*** annabelleB has quit IRC | 17:38 | |
*** zerocool_ has quit IRC | 17:41 | |
*** gwhaley has joined #kata-dev | 17:49 | |
davidgiluk | so the denver f2f is cancelled based on the calendar entry ? I've passed that on to someone who was going | 17:54 |
gwhaley | davidgiluk: I believe not enough folks could attend to get a quorum/forum... @anne can confirm/deny/elucidate.... | 18:00 |
gwhaley | also, probably worth putting out a call for if anybody is still going to Denver... | 18:00 |
gwhaley | btw, if anybody is going to be in ContainerConUK in London on Friday, then let me know ;-) | 18:00 |
davidgiluk | gwhaley: Nod; I'm not going to Denver, but we'd talked a colleague in Fort Collins into going; so I passed on he doesn't need to | 18:04 |
*** davidgiluk has quit IRC | 19:11 | |
*** annabelleB has joined #kata-dev | 19:12 | |
annabelleB | davidgiluk: were they coming for the QEMU bit or general kata info? | 19:13 |
*** gwhaley has quit IRC | 19:31 | |
*** eernst has joined #kata-dev | 19:41 | |
kata-irc-bot | <anne> and sorry jess--looks like the problem reset when the bridge did :( | 19:44 |
*** eernst has quit IRC | 19:47 | |
*** annabelleB has quit IRC | 19:55 | |
*** annabelleB has joined #kata-dev | 20:33 | |
*** annabelleB has quit IRC | 20:50 | |
*** annabelleB has joined #kata-dev | 20:52 | |
*** annabelleB has quit IRC | 22:15 | |
*** jugs has quit IRC | 22:26 | |
*** jugs has joined #kata-dev | 22:27 | |
*** eernst has joined #kata-dev | 23:34 | |
*** eernst has quit IRC | 23:38 |