[1.18] Ubuntu 20.04 + Kubernetes 1.31.2: Container creation error: writing file devices.allow: Operation not permitted #1589
Description
When upgrading crun from 1.17 to 1.1.8, on Ubuntu 20.04 + Kubernetes 1.31.2, CRI-O couldn't start container correctly with following log message (rolling back to 1.17 solve the problem):
Oct 24 06:37:22 kube71-sg crio[1675]: time="2024-10-24 06:37:22.288118821Z" level=error msg="Container creation error: writing file `devices.allow`: Operation not permitted\n" id=9f180776-5827-436e-bad7-4e7bee0c4bbc name=/runtime.v1.RuntimeService/CreateContainer
Oct 24 06:37:24 kube71-sg crio[1675]: time="2024-10-24 06:37:24.270590118Z" level=warning msg="Failed to open /etc/passwd: open /var/lib/containers/storage/overlay/cb7e52099d0a3c97f8d41a06a9d00ee3c9a711275d4e6b6d1a7e9f9ad7d5ddb1/merged/etc/passwd: no such file or directory"
Oct 24 06:37:24 kube71-sg crio[1675]: time="2024-10-24 06:37:24.270639749Z" level=warning msg="Failed to open /etc/group: open /var/lib/containers/storage/overlay/cb7e52099d0a3c97f8d41a06a9d00ee3c9a711275d4e6b6d1a7e9f9ad7d5ddb1/merged/etc/group: no such file or directory"
Oct 24 06:37:24 kube71-sg crio[1675]: time="2024-10-24 06:37:24.285312015Z" level=error msg="Container creation error: writing file `devices.allow`: Operation not permitted\n" id=d8c243fc-ff81-4758-8b8c-af242cfb6b10 name=/runtime.v1.RuntimeService/CreateContainer
Oct 24 06:37:27 kube71-sg crio[1675]: time="2024-10-24 06:37:27.270402292Z" level=warning msg="Failed to open /etc/passwd: open /var/lib/containers/storage/overlay/eb53b78f73ceccc44bc269c94daaba6dd872295c16a9ece48aeb66c37a10eb34/merged/etc/passwd: no such file or directory"
Oct 24 06:37:27 kube71-sg crio[1675]: time="2024-10-24 06:37:27.270470977Z" level=warning msg="Failed to open /etc/group: open /var/lib/containers/storage/overlay/eb53b78f73ceccc44bc269c94daaba6dd872295c16a9ece48aeb66c37a10eb34/merged/etc/group: no such file or directory"
Oct 24 06:37:27 kube71-sg crio[1675]: time="2024-10-24 06:37:27.284248544Z" level=error msg="Container creation error: writing file `devices.allow`: Operation not permitted\n" id=c7b8d2e7-f1c5-4c10-9f27-e5d7c0b237fd name=/runtime.v1.RuntimeService/CreateContainer
Oct 24 06:37:29 kube71-sg crio[1675]: time="2024-10-24 06:37:29.286943776Z" level=error msg="Container creation error: writing file `devices.allow`: Operation not permitted\n" id=37cf0c7b-7f6a-4462-90a0-a62d003b780c name=/runtime.v1.RuntimeService/CreateContainer
Oct 24 06:37:29 kube71-sg crio[1675]: time="2024-10-24 06:37:29.321086409Z" level=error msg="Container creation error: writing file `devices.allow`: Operation not permitted\n" id=524557d6-74fb-4854-99fb-ec338b115547 name=/runtime.v1.RuntimeService/CreateContainer
Oct 24 06:37:29 kube71-sg crio[1675]: time="2024-10-24 06:37:29.355156161Z" level=error msg="Container creation error: writing file `devices.allow`: Operation not permitted\n" id=991b0bfc-acf3-4743-a409-6f99347f3d23 name=/runtime.v1.RuntimeService/CreateContainer
Oct 24 06:37:35 kube71-sg crio[1675]: time="2024-10-24 06:37:35.284218901Z" level=error msg="Container creation error: writing file `devices.allow`: Operation not permitted\n" id=147b029f-b70c-432b-ac0a-c4a360a4659a name=/runtime.v1.RuntimeService/CreateContainer
Oct 24 06:37:35 kube71-sg crio[1675]: level=warning msg="Failed to connect to agent socket at unix:///var/run/cilium/cilium.sock." containerID=ddf412af5d1ed0d4d3dff0b9df13b553a5b5dc5b1c0736dae4f0d174a8dce5d3 error="failed to create cilium agent client after 10.000000 seconds timeout: Get \"http://localhost/v1/config\": dial unix /var/run/cilium/cilium.sock: connect: no such file or directory" eventUUID=ef9baef6-f8bf-4730-b908-b85d3327809d subsys=cilium-cni
Oct 24 06:37:35 kube71-sg crio[1675]: level=info msg="Agent is down, falling back to deletion queue directory" containerID=ddf412af5d1ed0d4d3dff0b9df13b553a5b5dc5b1c0736dae4f0d174a8dce5d3 eventUUID=ef9baef6-f8bf-4730-b908-b85d3327809d subsys=cilium-cni
Oct 24 06:37:35 kube71-sg crio[1675]: level=info msg="Queueing deletion request for endpoint" containerID=ddf412af5d1ed0d4d3dff0b9df13b553a5b5dc5b1c0736dae4f0d174a8dce5d3 endpointID="container-id:ddf412af5d1ed0d4d3dff0b9df13b553a5b5dc5b1c0736dae4f0d174a8dce5d3" eventUUID=ef9baef6-f8bf-4730-b908-b85d3327809d subsys=cilium-cni
Oct 24 06:37:35 kube71-sg crio[1675]: level=info msg="wrote queued deletion file" containerID=ddf412af5d1ed0d4d3dff0b9df13b553a5b5dc5b1c0736dae4f0d174a8dce5d3 eventUUID=ef9baef6-f8bf-4730-b908-b85d3327809d subsys=cilium-cni
Oct 24 06:37:36 kube71-sg crio[1675]: time="2024-10-24 06:37:36.271964712Z" level=warning msg="Failed to open /etc/passwd: open /var/lib/containers/storage/overlay/de8a45294b615a7817734ab6bdbe3bb336ca2d30f29d2d885a35d543ac0590fa/merged/etc/passwd: no such file or directory"
Oct 24 06:37:36 kube71-sg crio[1675]: time="2024-10-24 06:37:36.272270244Z" level=warning msg="Failed to open /etc/group: open /var/lib/containers/storage/overlay/de8a45294b615a7817734ab6bdbe3bb336ca2d30f29d2d885a35d543ac0590fa/merged/etc/group: no such file or directory"
Oct 24 06:37:36 kube71-sg crio[1675]: time="2024-10-24 06:37:36.286254185Z" level=error msg="Container creation error: writing file `devices.allow`: Operation not permitted\n" id=09a606f7-89b7-424b-b17a-d6cf7de53b96 name=/runtime.v1.RuntimeService/CreateContainer
Most likely should be #1574 related?