Share and learn in the Docker community.
I would need to mount /sys inside the container with rw access, in the privileged mode it is by default mounting with rw access but with unprivileged mode it is mounting with ro access.
any idea how to get /sys mounted with rw access on the unprivileged mode?
Belated answer but hope it helps.
For unprivileged containers (i.e., those without the --privileged flag), Docker mounts /sys in the container as read-only. I don’t believe there is a way to change this behavior.
Having said this, take a look at Sysbox. It’s a new type of runc that integrates with Docker and creates “VM-like” containers. It mount /sys as read-write because the containers are rootless and is capable of emulating portions of /sys (as well as /proc).
For example:
$ docker run --runtime=sysbox-runc -it ubuntu
root@0553826001e3:/# mount | grep sysfs
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
root@0553826001e3:/# cat /proc/self/uid_map
0 165536 65536
The first instruction shows sysfs is mounted as read-write, and the second shows the container is in rootless mode.
Hope that helps!
Steps to reproduce the issue:
Apply pod yaml as specified later
See the container has sysfs mounted as read-only despite being privileged
Describe the results you received:
sysfs mounted as ro
Describe the results you expected:
sysfs mounted as rw
Output of containerd --version:
containerd github.com/containerd/containerd 1.2.5 bb71b10fd8f58240ca47fbb579b9d1028eea7c84
** uname -a **
device in question in beaglebone black.
Linux ads0903 4.19.25-ti-r11 #1bionic SMP PREEMPT Wed Feb 27 10:18:01 UTC 2019 armv7l armv7l armv7l GNU/Linux
Here are provided pod yaml, the result of crictl inspect and running mount command within the container.
Pod Yaml:
apiVersion: v1
kind: Pod
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{“apiVersion”:“v1”,“kind”:“Pod”,“metadata”:{“annotations”:{},“labels”:{“app”:“modbus”},“name”:“ads0903-modbus”,“namespace”:“ascalia-prod”,“ownerReferences”:[{“apiVersion”:“ascalia.io/v1alpha1",“blockOwnerDeletion”:true,“controller”:true,“kind”:“Modbus”,“name”:“ads0903”,“uid”:“502a8764-5c46-11e9-a41a-525400d4e658”}]},“spec”:{“containers”:[{“args”:["-c","/app/config.yaml"],“image”:“git.krakensystems.co:4567/ascalia/drone-modbus:master-0c9935e6”,“imagePullPolicy”:“IfNotPresent”,“name”:“modbus”,“resources”:{“limits”:{“cpu”:“100m”,“memory”:“100M”},“requests”:{“cpu”:“10m”,“memory”:“10M”}},“securityContext”:{“privileged”:true},“terminationMessagePath”:"/dev/termination-log",“terminationMessagePolicy”:“File”,“volumeMounts”:[{“mountPath”:"/app/config.yaml",“name”:“config”,“readOnly”:true,“subPath”:“config.yaml”},{“mountPath”:"/dev/ttyO1",“name”:“tty”}]}],“dnsPolicy”:“ClusterFirst”,“enableServiceLinks”:true,“imagePullSecrets”:[{“name”:“git”}],“nodeName”:“ads0903”,“priority”:0,“restartPolicy”:“Always”,“schedulerName”:“default-scheduler”,“securityContext”:{“runAsNonRoot”:false},“serviceAccount”:“default”,“serviceAccountName”:“default”,“terminationGracePeriodSeconds”:30,“tolerations”:[{“effect”:“NoExecute”,“key”:“node.kubernetes.io/not-ready”,“operator”:“Exists”,“tolerationSeconds”:300},{“effect”:“NoExecute”,“key”:“node.kubernetes.io/unreachable”,“operator”:“Exists”,“tolerationSeconds”:300}],“volumes”:[{“hostPath”:{“path”:"/dev/ttyO1",“type”:“CharDevice”},“name”:“tty”},{“configMap”:{“defaultMode”:420,“name”:“ads0903-modbus”},“name”:“config”}]},“status”:{“conditions”:[{“lastProbeTime”:null,“lastTransitionTime”:“2019-04-17T13:03:11Z”,“status”:“True”,“type”:“Initialized”},{“lastProbeTime”:null,“lastTransitionTime”:“2019-04-17T13:03:21Z”,“status”:“True”,“type”:“Ready”},{“lastProbeTime”:null,“lastTransitionTime”:“2019-04-17T13:03:21Z”,“status”:“True”,“type”:“ContainersReady”},{“lastProbeTime”:null,“lastTransitionTime”:“2019-04-17T13:03:11Z”,“status”:“True”,“type”:“PodScheduled”}],“containerStatuses”:[{“containerID”:“containerd://327517806331baacd7b318ceeaa3857e872788ceb73f26f21956d98a0d19e48c”,“image”:“git.krakensystems.co:4567/ascalia/drone-modbus:master-0c9935e6”,“imageID”:“git.krakensystems.co:4567/ascalia/drone-modbus@sha256:e962486857cd12a99a58e7218464090b07a4d8db5505e22d1d61ee328bacff98”,“lastState”:{},“name”:“modbus”,“ready”:true,“restartCount”:0,“state”:{“running”:{“startedAt”:“2019-04-17T13:03:20Z”}}}],“hostIP”:“10.100.0.6”,“phase”:“Running”,“podIP”:“10.101.6.29”,“qosClass”:“Burstable”,“startTime”:"2019-04-17T13:03:11Z”}}
kubernetes.io/psp: privileged
creationTimestamp: “2019-04-17T13:27:39Z”
labels:
app: modbus
name: ads0903-modbus
namespace: ascalia-prod
ownerReferences: