openEuler / iSulad

Abnormal networking in kata containers deployed with k8s + iSulad + kata container

Backlog
Bug
Opened this issue 2021-08-23 11:13

[Environment]

  • VirtualBox virtual machine with nested virtualization enabled
  • openEuler release 20.03 (LTS-SP2)
  • isulad 2.0.8
  • qemu 4.1.0-53.oe1
  • kata-runtime 1.11.1
  • kubeadm v1.21.4
  • kubelet v1.21.4
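  • k8s network plugin: flannel v0.14.0

[Steps to reproduce]

  1. Set up a k8s + isulad + kata-runtime environment based on the environment above.
  2. Set kata-runtime's internetworking_model to macvtaptcfilter (in none mode, kata containers deployed through k8s fail to start, so it was changed to macvtaptcfilter).
  3. Deploy an nginx container through k8s using kata-runtime.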

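[Expected result]
The network configuration of the started kata container is normal.
The service in the started kata container can be accessed normally through the pod IP, a k8s service, and so on.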

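[Actual result]
The network configuration inside the kata container did not take effect.
The pod IP can be pinged from the host or from other pods.
Accessing the nginx service inside the container with curl reports connection refused.
Accessing the nginx service through a nodeport service reports connection refused.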

[Attachments]
The image shows the network interfaces inside the started kata container.
[Image: network inside the kata container]

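[Additional information]
The attached image shows that the network configuration inside the container did not take effect.
In the same environment, testing with containerd instead of isulad as the CRI, the deployed kata container's network is normal and it can be accessed normally.
The network interfaces inside the kata container started with containerd are as follows:
[Image]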

Comments (4)

Hey jianghang8421, Welcome to openEuler Community.
All of the projects in openEuler Community are maintained by @openeuler-ci-bot .
That means the developers can comment below every pull request or issue to trigger Bot Commands.
Please follow instructions at https://gitee.com/openeuler/community/blob/master/en/sig-infrastructure/command.md to find the details.

Hang Jiang created the defect
Hang Jiang set related repository to openEuler/iSulad
openeuler-ci-bot added sig/iSulad label
Hang Jiang changed description

Can you post the isulad configuration?

@haozi007 Here is the isulad configuration file

{
    "group": "isula",
    "default-runtime": "lcr",
    "graph": "/var/lib/isulad",
    "state": "/var/run/isulad",
    "engine": "lcr",
    "log-level": "ERROR",
    "pidfile": "/var/run/isulad.pid",
    "log-opts": {
        "log-file-mode": "0600",
        "log-path": "/var/lib/isulad",
        "max-file": "1",
        "max-size": "30KB"
    },
    "log-driver": "stdout",
    "container-log": {
        "driver": "json-file"
    },
    "hook-spec": "/etc/default/isulad/hooks/default.json",
    "start-timeout": "2m",
    "storage-driver": "overlay2",
    "storage-opts": [
        "overlay2.override_kernel_check=true"
    ],
    "registry-mirrors": [
        "docker.io"
    ],
    "insecure-registries": [
    ],
    "pod-sandbox-image": "k8s.gcr.io/pause:3.4.1",
    "native.umask": "normal",
    "network-plugin": "cni",
    "cni-bin-dir": "/opt/cni/bin",
    "cni-conf-dir": "/etc/cni/net.d",
    "image-layer-check": false,
    "use-decrypted-key": true,
    "insecure-skip-verify-enforce": false,
    "runtimes": {
      "kata-runtime": {
        "path": "/usr/bin/kata-runtime",
        "runtime-args": [
          "--kata-config",
          "/usr/share/defaults/kata-containers/configuration.toml"
        ]
      },
      "runc": {
        "path": "/usr/bin/runc"
      }
    }
}

gaohuatao set assignee to haozi007

@Hang Jiang Has this issue been resolved?
