# Starting with the following plugs:
- home
- network
- network-bind
- docker
- firewall-control
- network-control
# We hit this error:
error: failed to run Kubelet: open /proc/self/cgroup: permission denied
# Adding docker-support gets us past that, but we hit the following (grep for errors, failures):
E0209 16:28:36.974458 28097 info.go:75] Failed to get disk map: open /sys/block: permission denied
E0209 16:28:36.974832 28097 info.go:80] Failed to get network devices: open /sys/class/net/cni0/address: permission denied
E0209 16:28:37.066489 28097 kubelet.go:1145] Image garbage collection failed: unable to find data for container /
E0209 16:28:37.082301 28097 kubelet.go:1634] Failed to check if disk space is available for the runtime: failed to get fs info for "runtime": unable to find data for container /
E0209 16:28:37.082501 28097 kubelet.go:1642] Failed to check if disk space is available on the root partition: failed to get fs info for "root": unable to find data for container /
E0209 16:28:37.113436 28097 container_manager_linux.go:625] error opening pid file /var/run/docker.pid: open /var/run/docker.pid: permission denied
E0209 16:28:37.173852 28097 container_manager_linux.go:426] [errors moving "docker" pid: failed to find pid namespace of init process, errors moving "docker-containerd" pid: failed to find pid namespace of init process]
E0209 16:28:37.174200 28097 container_manager_linux.go:472] failed to find pid namespace of init process
E0209 16:28:37.214745 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.shares": open /sys/fs/cgroup/cpu,cpuacct/cpu.shares: permission denied
E0209 16:28:37.214770 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us": open /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us: permission denied
E0209 16:28:37.214789 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us": open /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us: permission denied
E0209 16:28:37.214839 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/memory/memory.limit_in_bytes": open /sys/fs/cgroup/memory/memory.limit_in_bytes: permission denied
E0209 16:28:37.214864 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes": open /sys/fs/cgroup/memory/memory.soft_limit_in_bytes: permission denied
E0209 16:28:37.214977 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.shares": open /sys/fs/cgroup/cpu,cpuacct/cpu.shares: permission denied
E0209 16:28:37.215005 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us": open /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us: permission denied
E0209 16:28:37.215025 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us": open /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us: permission denied
E0209 16:28:37.215074 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/memory/memory.limit_in_bytes": open /sys/fs/cgroup/memory/memory.limit_in_bytes: permission denied
E0209 16:28:37.215097 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes": open /sys/fs/cgroup/memory/memory.soft_limit_in_bytes: permission denied
F0209 16:33:28.607995 31675 kubelet.go:1210] Failed to start cAdvisor open /sys/fs/cgroup/blkio: permission denied
F0209 16:33:29.353283 31705 kubelet.go:1210] Failed to start cAdvisor open /sys/fs/cgroup/memory: permission denied
F0209 16:33:30.182644 31735 kubelet.go:1210] Failed to start cAdvisor open /sys/fs/cgroup/cpuset: permission denied
# Seems like we need read/write access to the following:
/proc/self/cgroup
/sys/block
/sys/class/net/cni0/address (possibly /sys/class/net/*/address)
/var/run/docker.pid
/sys/fs/cgroup/cpu,cpuacct/cpu.shares
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us
/sys/fs/cgroup/memory/memory.limit_in_bytes
/sys/fs/cgroup/memory/memory.soft_limit_in_bytes
/sys/fs/cgroup/blkio
/sys/fs/cgroup/memory
/sys/fs/cgroup/cpuset
... or perhaps just /sys/fs/cgroup/**
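
Added example, not part of the original notes: a script that pulls the denied paths out of kubelet output like the above and checks which of them the two wildcard rules floated in the notes would cover, so the remaining paths that still need their own rule are explicit. The sample log is a constructed subset of the lines above, and the glob matching is a simplified AppArmor-style assumption (`*` stays within one path component, `**` crosses `/`).

```python
import re

# Constructed sample: a subset of the kubelet lines quoted in the notes above.
SAMPLE_LOG = """\
error: failed to run Kubelet: open /proc/self/cgroup: permission denied
E0209 16:28:36.974458 28097 info.go:75] Failed to get disk map: open /sys/block: permission denied
E0209 16:28:36.974832 28097 info.go:80] Failed to get network devices: open /sys/class/net/cni0/address: permission denied
E0209 16:28:37.113436 28097 container_manager_linux.go:625] error opening pid file /var/run/docker.pid: open /var/run/docker.pid: permission denied
E0209 16:28:37.214745 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.shares": open /sys/fs/cgroup/cpu,cpuacct/cpu.shares: permission denied
E0209 16:28:37.214977 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.shares": open /sys/fs/cgroup/cpu,cpuacct/cpu.shares: permission denied
F0209 16:33:28.607995 31675 kubelet.go:1210] Failed to start cAdvisor open /sys/fs/cgroup/blkio: permission denied
"""

# Candidate path rules taken from the notes; the glob semantics are an assumption.
CANDIDATE_RULES = ["/sys/class/net/*/address", "/sys/fs/cgroup/**"]

# "open <path>: permission denied" is the common tail of every denial above.
DENIED = re.compile(r"\bopen (/\S+): permission denied")

def denied_paths(log):
    """Return each denied path once, in first-seen order."""
    seen = {}
    for line in log.splitlines():
        m = DENIED.search(line)
        if m:
            seen.setdefault(m.group(1), True)
    return list(seen)

def glob_to_regex(rule):
    """Simplified AppArmor-style glob: '*' stays in one component, '**' crosses '/'."""
    table = {"**": ".*", "*": "[^/]*"}
    parts = re.split(r"(\*\*|\*)", rule)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def coverage(paths, rules):
    """Return ({rule: [paths it covers]}, [paths no rule covers])."""
    compiled = [(r, glob_to_regex(r)) for r in rules]
    covered = {r: [] for r in rules}
    uncovered = []
    for p in paths:
        hit = next((r for r, rx in compiled if rx.match(p)), None)
        (covered[hit] if hit else uncovered).append(p)
    return covered, uncovered

if __name__ == "__main__":
    covered, uncovered = coverage(denied_paths(SAMPLE_LOG), CANDIDATE_RULES)
    for rule, hits in covered.items():
        print(f"{rule}: {hits}")
    print("still need their own rule:", uncovered)
```
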