@Cynerva
Last active February 9, 2017 16:45
# Starting with the following plugs:
- home
- network
- network-bind
- docker
- firewall-control
- network-control
# We hit this error:
error: failed to run Kubelet: open /proc/self/cgroup: permission denied
# Adding docker-support gets us past that, but we hit the following (grep for errors, failures):
E0209 16:28:36.974458 28097 info.go:75] Failed to get disk map: open /sys/block: permission denied
E0209 16:28:36.974832 28097 info.go:80] Failed to get network devices: open /sys/class/net/cni0/address: permission denied
E0209 16:28:37.066489 28097 kubelet.go:1145] Image garbage collection failed: unable to find data for container /
E0209 16:28:37.082301 28097 kubelet.go:1634] Failed to check if disk space is available for the runtime: failed to get fs info for "runtime": unable to find data for container /
E0209 16:28:37.082501 28097 kubelet.go:1642] Failed to check if disk space is available on the root partition: failed to get fs info for "root": unable to find data for container /
E0209 16:28:37.113436 28097 container_manager_linux.go:625] error opening pid file /var/run/docker.pid: open /var/run/docker.pid: permission denied
E0209 16:28:37.173852 28097 container_manager_linux.go:426] [errors moving "docker" pid: failed to find pid namespace of init process, errors moving "docker-containerd" pid: failed to find pid namespace of init process]
E0209 16:28:37.174200 28097 container_manager_linux.go:472] failed to find pid namespace of init process
E0209 16:28:37.214745 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.shares": open /sys/fs/cgroup/cpu,cpuacct/cpu.shares: permission denied
E0209 16:28:37.214770 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us": open /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us: permission denied
E0209 16:28:37.214789 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us": open /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us: permission denied
E0209 16:28:37.214839 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/memory/memory.limit_in_bytes": open /sys/fs/cgroup/memory/memory.limit_in_bytes: permission denied
E0209 16:28:37.214864 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes": open /sys/fs/cgroup/memory/memory.soft_limit_in_bytes: permission denied
E0209 16:28:37.214977 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.shares": open /sys/fs/cgroup/cpu,cpuacct/cpu.shares: permission denied
E0209 16:28:37.215005 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us": open /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us: permission denied
E0209 16:28:37.215025 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us": open /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us: permission denied
E0209 16:28:37.215074 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/memory/memory.limit_in_bytes": open /sys/fs/cgroup/memory/memory.limit_in_bytes: permission denied
E0209 16:28:37.215097 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes": open /sys/fs/cgroup/memory/memory.soft_limit_in_bytes: permission denied
F0209 16:33:28.607995 31675 kubelet.go:1210] Failed to start cAdvisor open /sys/fs/cgroup/blkio: permission denied
F0209 16:33:29.353283 31705 kubelet.go:1210] Failed to start cAdvisor open /sys/fs/cgroup/memory: permission denied
F0209 16:33:30.182644 31735 kubelet.go:1210] Failed to start cAdvisor open /sys/fs/cgroup/cpuset: permission denied
# Seems like we need read/write access to the following:
/proc/self/cgroup
/sys/block
/sys/class/net/cni0/address (possibly /sys/class/net/*/address)
/var/run/docker.pid
/sys/fs/cgroup/cpu,cpuacct/cpu.shares
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us
/sys/fs/cgroup/memory/memory.limit_in_bytes
/sys/fs/cgroup/memory/memory.soft_limit_in_bytes
/sys/fs/cgroup/blkio
/sys/fs/cgroup/memory
/sys/fs/cgroup/cpuset
... or perhaps just /sys/fs/cgroup/**
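The "grep for errors" step above is easy to do by hand once, but when iterating on plugs it helps to have the same triage scripted. The following is an added example (not part of the gist) that takes kubelet log output, pulls out every distinct path that failed with "permission denied", collapses per-instance paths into the patterns the note above guesses at (`/sys/class/net/*/address`, `/sys/fs/cgroup/**`), and can check which of those paths the current process actually cannot read. The sample log text is a subset of the lines in the gist; the regular expressions and the generalization rules are my own assumptions about the log format and about which prefixes are worth collapsing, and the script says nothing about which snap plug grants which path, since the page does not establish that.

```python
import os
import re
from collections import OrderedDict

# Subset of the kubelet log lines shown in the gist, embedded here so the example runs offline.
SAMPLE_LOG = """\
error: failed to run Kubelet: open /proc/self/cgroup: permission denied
E0209 16:28:36.974458 28097 info.go:75] Failed to get disk map: open /sys/block: permission denied
E0209 16:28:36.974832 28097 info.go:80] Failed to get network devices: open /sys/class/net/cni0/address: permission denied
E0209 16:28:37.066489 28097 kubelet.go:1145] Image garbage collection failed: unable to find data for container /
E0209 16:28:37.113436 28097 container_manager_linux.go:625] error opening pid file /var/run/docker.pid: open /var/run/docker.pid: permission denied
E0209 16:28:37.214745 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.shares": open /sys/fs/cgroup/cpu,cpuacct/cpu.shares: permission denied
E0209 16:28:37.214977 28097 helpers.go:138] readString: Failed to read "/sys/fs/cgroup/cpu,cpuacct/cpu.shares": open /sys/fs/cgroup/cpu,cpuacct/cpu.shares: permission denied
F0209 16:33:28.607995 31675 kubelet.go:1210] Failed to start cAdvisor open /sys/fs/cgroup/blkio: permission denied
"""

# Assumed log shape: the failing syscall is reported as "open <path>: permission denied".
DENIED_RE = re.compile(r"open (\S+?): permission denied")

# Assumed: anything under /sys/class/net/<iface>/ is per-interface and should be generalized.
NET_IFACE_RE = re.compile(r"^/sys/class/net/[^/]+/(.*)$")


def denied_paths(log_text):
    """Return the distinct paths that failed with EACCES, in first-seen order (duplicates dropped)."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            seen.setdefault(m.group(1), None)
    return list(seen)


def generalize(path):
    """Collapse a concrete path into the pattern a confinement policy would have to allow."""
    m = NET_IFACE_RE.match(path)
    if m:
        return "/sys/class/net/*/" + m.group(1)
    if path.startswith("/sys/fs/cgroup/"):
        return "/sys/fs/cgroup/**"
    return path


def required_patterns(log_text):
    """Distinct generalized patterns derived from the denied paths in the log."""
    seen = OrderedDict()
    for p in denied_paths(log_text):
        seen.setdefault(generalize(p), None)
    return list(seen)


def unreadable_on_host(paths):
    """Subset of paths the current process cannot open for reading (a missing path counts as unreadable)."""
    return [p for p in paths if not os.access(p, os.R_OK)]


if __name__ == "__main__":
    paths = denied_paths(SAMPLE_LOG)
    print("denied paths:")
    for p in paths:
        print("  " + p)
    print("generalized patterns:")
    for p in required_patterns(SAMPLE_LOG):
        print("  " + p)
    print("still unreadable from this process:")
    for p in unreadable_on_host(paths):
        print("  " + p)
```

Run it inside the confined environment (`python3 triage.py < kubelet.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) after each plug change; when `unreadable_on_host` comes back empty for the extracted paths, the remaining kubelet errors are no longer confinement problems.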