Hey, I run a kubelet in a privileged LXD container. I launch the container as follows:
```bash
[...]
read -r -d '' raw_lxc <<RAW_LXC
lxc.aa_profile=unconfined
lxc.mount.auto=proc:rw sys:rw cgroup:rw
RAW_LXC
lxc launch \
  --config security.privileged=true \
  --config security.nesting=true \
  --config linux.kernel_modules=ip_tables,ip6_tables,netlink_diag,nf_nat,overlay \
  --config raw.lxc="${raw_lxc}" \
  my-image my-container
```
When deploying flannel (`kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml`), I encounter the following error and the flannel pod doesn't start:
```
Dec 13 09:41:40 my-container kubelet[772]: E1213 09:41:40.025941 772 pod_workers.go:182] Error syncing pod aaec5413-dfe9-11e7-b8cb-00163e799a0d ("kube-flannel-ds-26nlp_kube-system(aaec5413-dfe9-11e7-b8cb-00163e799a0d)"), skipping: failed to "StartContainer" for "kube-flannel" with RunContainerError: "failed to start container \"028b057e4f3de8891d0cfdff8c0483a3a52d7bdfd6fbfaf7a5b2aa944516995d\": Error response from daemon: oci runtime error: container_linux.go:265: starting container process caused \"process_linux.go:368: container init caused \\\"process_linux.go:340: setting cgroup config for procHooks process caused \\\\\\\"failed to write a *:* rwm to devices.allow: write /sys/fs/cgroup/devices/kubepods/podaaec5413-dfe9-11e7-b8cb-00163e799a0d/028b057e4f3de8891d0cfdff8c0483a3a52d7bdfd6fbfaf7a5b2aa944516995d/devices.allow: operation not permitted\\\\\\\"\\\"\""
```
What is missing here with regard to privileges?
Running pods doesn’t fail in general (e.g. nginx works). Flannel runs in privileged context.