
nsenter: Permission denied on K8s containerd w/ Gitlab Runners #350

Open

ChuckNoxis opened this issue Nov 4, 2021 · 2 comments


ChuckNoxis commented Nov 4, 2021

Hello,

I'm actually trying to run img on a Gitlab Runners chart (0.34.0) deployed with Helm on a Kubernetes 1.22.3 cluster w/ Containerd.

img:
 version     : v0.5.11
 git hash    : 3667c6a0
 go version  : go1.13.15
 go compiler : gc
 platform    : linux/amd64
runc:
 version     : 1.0.0-rc10+dev
 commit      : 56aca5aa50d07548d5db8fd33e9dc562f70f3208
 spec        : 1.0.2

When I do an img pull, I get the following error:
nsenter: cannot change root filesystem propagation: Permission denied

I saw issues #115, #266, #284 and also the Running with Kubernetes part in the Readme.md.

In the Gitlab Runner Helm Chart, I have set the following settings as suggested:

# Run all containers with the privileged flag enabled
# This will allow the docker:dind image to run if you need to run Docker
# commands. Please read the docs before turning this on:
# ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-dockerdind
runners:
  privileged: true

  ## Specify pod labels for CI job pods
  ## Even if deprecated, it's still working
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  podLabels:
    container.apparmor.security.beta.kubernetes.io/img: unconfined
    container.seccomp.security.alpha.kubernetes.io/img: unconfined

## Configure securitycontext
## ref: http://kubernetes.io/docs/user-guide/security-context/
##
securityContext:
  runAsUser: 100
  # runAsGroup: 65533
  fsGroup: 65533
  # supplementalGroups: [65533]
  privileged: true
  procMount: Unmasked

But I still get this Permission denied error when I try to pull a Docker image.


towolf commented Nov 29, 2021

I have this and it works with 1.21 on GKE with COS_CONTAINERD.

Could it be that you need pod annotations and not labels?

runners:

  # template configuration, which is merged into the config.toml
  config: |
    [[runners]]
      [runners.kubernetes]

        service_account = "default"
        service_account_overwrite_allowed = ".*"

        [runners.kubernetes.pod_annotations]
          # Annotations needed for https://github.com/genuinetools/img#running-with-kubernetes
          "container.apparmor.security.beta.kubernetes.io/build" = "unconfined"
          "container.seccomp.security.alpha.kubernetes.io/build" = "unconfined"


towolf commented Nov 29, 2021

BTW, procMount: Unmasked is set on the Runner pod, not on the spawned job pods.
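As an added example (not code from the img project and not posted by anyone in this thread), the following Python lints a CI job pod manifest for the two points made in the replies above: the AppArmor/seccomp "unconfined" entries are honoured only as pod annotations, keyed by the name of the container that runs img, and `privileged`/`procMount: Unmasked` have to be in that container's own securityContext on the job pod rather than on the runner pod. The sample manifests are constructed for illustration; the container name `build` is taken from the working config above and the image tag from the issue's version output.

```python
"""Check a job pod manifest for the img-related settings discussed in this thread.

Added example, not the img project's code. The pod dictionaries below are the
same shape as a Kubernetes Pod object (metadata/spec) and are constructed here
purely to exercise the checks.
"""
from typing import Dict, List

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
SECCOMP_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def lint_pod(pod: dict, img_container: str) -> List[str]:
    """Return a list of findings for the given pod; an empty list means nothing to fix.

    img_container is the name of the container that will execute img
    (for the GitLab Kubernetes executor in the thread above that is "build").
    """
    findings: List[str] = []
    metadata = pod.get("metadata", {})
    annotations: Dict[str, str] = metadata.get("annotations") or {}
    labels: Dict[str, str] = metadata.get("labels") or {}

    for prefix, what in ((APPARMOR_PREFIX, "AppArmor"), (SECCOMP_PREFIX, "seccomp")):
        key = prefix + img_container
        # The profile must be an annotation with value "unconfined".
        if annotations.get(key) != "unconfined":
            findings.append(f"{what}: annotation {key!r} missing or not 'unconfined'")
        # The same key under labels is silently ignored by the kubelet.
        if key in labels:
            findings.append(f"{what}: {key!r} is set as a label; it is only honoured as an annotation")
        # A key whose suffix names a different container (e.g. "/img" when the
        # job container is "build") applies to nothing useful.
        for source, entries in (("annotations", annotations), ("labels", labels)):
            for k in entries:
                if k.startswith(prefix) and k != key:
                    other = k[len(prefix):]
                    findings.append(
                        f"{what}: {source} key {k!r} targets container {other!r}, not {img_container!r}"
                    )

    containers = pod.get("spec", {}).get("containers", [])
    target = next((c for c in containers if c.get("name") == img_container), None)
    if target is None:
        findings.append(f"no container named {img_container!r} in pod spec")
        return findings

    # privileged and procMount are container-level securityContext fields and
    # must be on the job pod's container, not the runner pod's.
    sc = target.get("securityContext") or {}
    if sc.get("privileged") is not True:
        findings.append(f"container {img_container!r}: securityContext.privileged must be true")
    if sc.get("procMount") != "Unmasked":
        findings.append(f"container {img_container!r}: securityContext.procMount should be 'Unmasked'")
    return findings


# Constructed sample: the failing pattern from the issue. The unconfined entries
# are labels with an "/img" suffix, and procMount is absent from the job container.
FAILING_JOB_POD = {
    "metadata": {
        "name": "runner-job-1",
        "labels": {
            APPARMOR_PREFIX + "img": "unconfined",
            SECCOMP_PREFIX + "img": "unconfined",
        },
    },
    "spec": {
        "containers": [
            {"name": "build", "image": "img:v0.5.11", "securityContext": {"privileged": True}}
        ]
    },
}

# Constructed sample: the pattern from the working reply, with the container
# securityContext applied to the job pod itself.
WORKING_JOB_POD = {
    "metadata": {
        "name": "runner-job-2",
        "annotations": {
            APPARMOR_PREFIX + "build": "unconfined",
            SECCOMP_PREFIX + "build": "unconfined",
        },
    },
    "spec": {
        "containers": [
            {
                "name": "build",
                "image": "img:v0.5.11",
                "securityContext": {"privileged": True, "procMount": "Unmasked"},
            }
        ]
    },
}

if __name__ == "__main__":
    for name, pod in (("failing", FAILING_JOB_POD), ("working", WORKING_JOB_POD)):
        print(f"{name}: {lint_pod(pod, 'build') or ['ok']}")
```

To use it against a live cluster, dump a spawned job pod with `kubectl get pod <job-pod> -o json`, load the JSON into a dict and pass it to `lint_pod` together with the job container's name; the runner pod itself will fail the check by design, which is exactly the mix-up the last reply describes.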
