
configuring stargz-snapshotter in selinux enabled environments #1848

Open
@1602077

Description

Hey,

I am attempting to configure stargz-snapshotter with selinux enabled and running into issues with pods that would otherwise run being rejected by selinux.

My containerd configuration is as follows:

# /etc/containerd/config.toml
version = 2
root = "/var/lib/containerd"

[plugins]

  [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "registry-mirror.k8s.io/pause:3.10"
    enable_selinux = true

  [plugins."io.containerd.grpc.v1.cri".containerd]
    snapshotter = "stargz"
    disable_snapshot_annotations = false

  [proxy_plugins]
    [proxy_plugins.stargz]
      type = "snapshot"
      address = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"

# /etc/containerd/stargz/config.toml
no_background_fetch = true
[cri_keychain]
enable_keychain = true
image_service_path = "/run/containerd/containerd.sock"

Attempting to run the following pod on a node with stargz configured results in the pod going into CrashLoopBackOff:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: test
  name: test
spec:
  containers:
  - image: registry.k8s.io/pause:3.10
    name: test

with the following error:

Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to create new parent process: namespace path: lstat /proc/963577/ns/ipc: no such file or directory: unknown.

I understand that this is due to a selinux violation as when accessing the node I see the following:

$ ausearch -m AVC -ts recent -i
----
type=AVC msg=audit(11/01/24 11:53:18.263:12140) : avc:  denied  { read } for  pid=961692 comm=pause path=/pause dev="vda4" ino=30130280 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

However deploying the same pod configuration without stargz enabled in containerd (but selinux enabled, config provided below) results in the pod being deployed all okay.

version = 2
root = "/var/lib/containerd"

[plugins]

  [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "registry-mirror.k8s.io/pause:3.10"
    enable_selinux = true

Am I doing something obviously wrong when configuring containerd with estargz? Any pointers would be greatly appreciated!

If there is anything else I can provide to help please do let me know. I can give full dumps of the containerd config for example, but for now I was trying to filter out any noise to make it as easy as possible for review.

Cheers,
Jack
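The AVC record in the report shows the container domain (`container_t`) being refused `read` on a rootfs file whose target type is `var_lib_t`, i.e. a type the container policy treats as host data rather than one of the container file types (`container_file_t`, `container_ro_file_t`). The following parser is an added example (not part of the issue or of stargz-snapshotter) for triaging `ausearch -m AVC -i` output: it pulls out the source and target types and flags denials where a container process hit a non-container-labelled file, which is the signature of a snapshot that was mounted without the expected label. The first sample record is the one quoted above; the second record and the allowed-type set are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Sample `ausearch -i` output. Record 1 is the denial quoted in the issue; record 2 is a
# constructed, correctly labelled access (permissive=1) used to show what is *not* flagged.
SAMPLE_AVC = """\
type=AVC msg=audit(11/01/24 11:53:18.263:12140) : avc:  denied  { read } for  pid=961692 comm=pause path=/pause dev="vda4" ino=30130280 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(11/01/24 11:53:20.100:12141) : avc:  denied  { write } for  pid=961700 comm=sh path=/tmp/x dev="vda4" ino=1 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=file permissive=1
"""

# File types that container_t is normally permitted to use under container-selinux
# (assumption for this example; adjust to the policy actually loaded on the node).
CONTAINER_FILE_TYPES = {"container_file_t", "container_ro_file_t", "container_share_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["perms"] = str(rec["perms"]).split()          # "{ read }" -> ["read"]
    for key in ("pid", "comm", "path"):               # optional fields, present for files
        km = re.search(rf"\b{key}=(\S+)", line)
        rec[key] = km.group(1) if km else None
    # A context is user:role:type[:level]; the type is always the third field.
    rec["stype"] = str(rec["scontext"]).split(":")[2]
    rec["ttype"] = str(rec["tcontext"]).split(":")[2]
    return rec


def mislabelled_denials(text: str) -> List[Dict[str, object]]:
    """Denials where a container domain was refused a file whose type is not a
    container file type: the rootfs/layer carries a host label such as var_lib_t."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if rec["stype"] == "container_t" and rec["ttype"] not in CONTAINER_FILE_TYPES:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in mislabelled_denials(SAMPLE_AVC):
        print(f"pid={hit['pid']} comm={hit['comm']} {hit['perms']} on {hit['path']} "
              f"labelled {hit['ttype']} (expected one of {sorted(CONTAINER_FILE_TYPES)})")
```

On a live node the same function can be fed the output of `ausearch -m AVC -ts recent -i`; a hit whose path is inside the snapshotter's mount root points at the snapshot being served without the container file label rather than at the pod spec.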
