OCI runtime error: crun: mount proc to /proc: Too many levels of symbolic links #1121
Comments
This may or may not be connected:

Hi @satmandu, I've found the issue and it's completely unrelated to crun. The reason it's happening is that the ChromeOS kernel has additional patches. This particular security measure is controlled by Here are some more directives and explanations: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/HEAD/security/chromiumos/Kconfig So I assume that fixing this issue is just a matter of building a custom kernel with eased security settings.
Hmm... Thanks for this. Is there a way to work around it for
I think so... since run_oci (the only runtime bundled with ChromeOS) actually works. I think a possible fix is to make a bind mount to the rootfs instead of a symlink.

But something tells me it goes a bit beyond crun/runc, plus it would require root privileges to do a bind mount.
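The error in the title (ELOOP, "Too many levels of symbolic links") together with the suggested fix (bind mount instead of symlink) points at a mount target whose path traverses a symlink. As an added example, not code from this thread, the script below walks a rootfs path component by component and reports any symlinks in it, and shows the bind-mount replacement the comment proposes; the directory layout is constructed and the kernel-side behaviour is assumed from the discussion, not from the linked Kconfig.

```shell
#!/bin/sh
# Added example (not from the issue thread). Assumption: the patched kernel
# refuses to mount onto a path that passes through a symlink, so we check the
# path under which /proc will be mounted before running the container runtime.

# Print each path component that is a symbolic link; return 1 if any is found.
symlink_components() {
    _acc=""
    _found=0
    _rest=${1#/}
    while [ -n "$_rest" ]; do
        _head=${_rest%%/*}
        _acc="$_acc/$_head"
        if [ -L "$_acc" ]; then
            printf '%s -> %s\n' "$_acc" "$(readlink "$_acc")"
            _found=1
        fi
        case $_rest in
            */*) _rest=${_rest#*/} ;;
            *)   _rest="" ;;
        esac
    done
    return $_found
}

# Replace a symlinked rootfs directory with a bind mount of its target.
# Needs root (CAP_SYS_ADMIN); not run in the demo below.
bind_mount_rootfs() {
    _link=$1
    _target=$(readlink -f "$_link")
    rm "$_link" && mkdir "$_link" && mount --bind "$_target" "$_link"
}

# Constructed demo layout: <tmp>/containers/rootfs -> ../storage/rootfs
demo_root=$(mktemp -d)
mkdir -p "$demo_root/storage/rootfs/proc" "$demo_root/containers"
ln -s ../storage/rootfs "$demo_root/containers/rootfs"

if ! symlink_components "$demo_root/containers/rootfs/proc"; then
    echo "mount target traverses a symlink; a bind mount avoids this:"
    echo "  bind_mount_rootfs $demo_root/containers/rootfs"
fi
```

Run it as an unprivileged user to see the report; only bind_mount_rootfs needs root.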
Root privileges aren't a problem with ChromeOS dev mode. Replacing the kernel is much harder for most people... Just creating a crosvm stub for using stuff like docker so one doesn't have to open crostini to do nested kvm would also be nice... |
But that's exactly what I did :) Alpine with docker/podman is running under just crosvm
and here is how I build the rootfs for the VM
I've just added podman and it doesn't require KVM for sure. Actually I'm not even sure if docker requires one, as its containers work perfectly fine just on Linux namespaces. https://gist.github.com/s1gnate-sync/2b17ffb4cfc21a764f784370c61c4fb2 here is an updated version without autostart of docker + basic podman setup. I'll try to dig into the nested KVM thing.
Yeah, docker engine works without nested KVM, only docker desktop requires one.
Not sure if this is helpful, but I found a workaround for this :) Turns out that the All you need to do is make use of
(Continuation of discussion from #1115 )
Do you see the same error if you run something like
$ sudo unshare -muinp -f --mount-proc=/proc echo hello
? Could you strace the command to see where it fails?
$ sudo strace -Z -f -s 1000 podman run -tid --net host busybox sh
Originally posted by @giuseppe in #1115 (comment)
crun_strace.output.txt