amicontained gets stuck while running on gvisor

[ahmetb]

I'm testing the minikube gvisor addon (minikube 1.2) and I just ran amicontained (https://github.com/genuinetools/amicontained) on it. It prints some output and gets stuck forever (Ctrl+C doesn't work anymore).

ps aux says:

ps aroot@myapp-pod:/# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   9076  2520 ?        Ss   17:47   0:00 /pause
root      2805  0.0  0.0      0     0 ?        Z    17:47   0:00 
root        33  0.0  0.1  12584  3856 ?        Ss   17:47   0:00 sleep 3600
root        46  0.0  0.2  26560  4944 ?        Ss   17:47   0:00 bash[amicontained] <defunct>

output:

root@myapp-pod:/# amicontained
Container Runtime: docker
Has Namespaces:
	pid: false
	user: false
AppArmor Profile: unconfined
Capabilities:
	BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
Seccomp: disabled
Blocked Syscalls (35):
	SETSID SCHED_SETPARAM SCHED_RR_GET_INTERVAL VHANGUP MODIFY_LDT PIVOT_ROOT _SYSCTL ADJTIMEX ACCT SETTIMEOFDAY SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE QUOTACTL LOOKUP_DCOOKIE CLOCK_SETTIME MBIND KEXEC_LOAD ADD_KEY REQUEST_KEY KEYCTL IOPRIO_SET IOPRIO_GET MIGRATE_PAGES MOVE_PAGES CLOCK_ADJTIME KCMP FINIT_MODULE

• runsc -v: this flag does not work anymore. I ran runsc ps and saw it was built from commit 51900fe
• docker version or docker info: docker CE 18.09.6 – via minikube 1.2
• uname -a - git describe:
  • host OS: Linux minikube 4.15.0 #1 SMP Sun Jun 23 23:02:01 PDT 2019 x86_64 GNU/Linux
  • inside the pod: Linux myapp-pod2 4.4 #1 SMP Sun Jan 10 15:06:54 PST 2016 x86_64 x86_64 x86_64 GNU/Linux
• Detailed reproduction steps
  • install minikube 1.2
  • enable gvisor addon on minikube
  • run an ubuntu pod per minikube gvisor addon documentation (https://github.com/kubernetes/minikube/blob/v1.2.0/deploy/addons/gvisor/README.md)
  • install curl
  • install amicontained (https://github.com/genuinetools/amicontained/releases)
  • run amicontained, observe it's stuck.

[ianlewis]

Looking at the code for amicontained, it looks like it completes the actual work based on the output you gave. Strange that it gets stuck there.

I'm able to run it locally with the latest runsc using docker without an issue so I suppose it's an issue that's been fixed since the version that minikube is using.

$ docker run --runtime=gvisor --rm -it --pid host r.j3ss.co/amicontained
Unable to find image 'r.j3ss.co/amicontained:latest' locally
latest: Pulling from amicontained
e7c96db7181b: Already exists 
addc4f0482af: Pull complete 
6f2588dd1f01: Pull complete 
Digest: sha256:fdf9cf07eb5df8c6a29992340d5e67f683f2205a635d1b8d02ca4b6b66c24599
Status: Downloaded newer image for r.j3ss.co/amicontained:latest
Container Runtime: not-found
Has Namespaces:
        pid: false
        user: false
AppArmor Profile: unconfined
Capabilities:
        BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service sys_chroot mknod audit_write setfcap
Seccomp: disabled
Blocked Syscalls (36):
        SETSID SCHED_SETPARAM SCHED_RR_GET_INTERVAL VHANGUP MODIFY_LDT PIVOT_ROOT _SYSCTL ADJTIMEX ACCT SETTIMEOFDAY SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE QUOTACTL LOOKUP_DCOOKIE CLOCK_SETTIME KEXEC_LOAD ADD_KEY REQUEST_KEY KEYCTL IOPRIO_SET IOPRIO_GET MIGRATE_PAGES MOVE_PAGES CLOCK_ADJTIME KCMP FINIT_MODULE KEXEC_FILE_LOAD BPF

[amscanne]

I recall some changes to the way wait works for exec. I suspect this may be related.

[ianlewis]

This should be fixed for minikube when this issue is fixed kubernetes/minikube#4482 but it's blocked on kubernetes/minikube#3512

[ianlewis]

This should be resolved I think. Feel free to reopen if it's still an issue.