Can't run Hello container if readonly: false in OCI spec


Guillaume Seguin

Mar 26, 2026, 4:45:43 PM (7 days ago) Mar 26
to gVisor Users [Public]
Starting from gVisor’s “OCI Quick start” steps, just switching the filesystem to "readonly: false" prevents the container from launching. It looks like it is failing before the Hello container writes anything, assuming it does. I was able to reproduce this behavior on Ubuntu (GCE instance) and WSL2.

This asciinema recording https://asciinema.org/a/GXDfAieGVhMQb1pE shows:
  1. Create the bundle and rootfs directories
  2. Export and run the Hello container using the default config.json (works)
  3. Change readonly from true to false
  4. Run again and it fails saying "failed to create filestore file inside "rootfs": no such file or directory"
Is this a bug? 

Full log attached, tail copied below:

D0326 20:25:46.208592    4950 container.go:266] Creating new sandbox for container, cid: hello
D0326 20:25:46.208638    4950 cgroup.go:428] New cgroup for pid: self, *cgroup.cgroupV2: &{Mountpoint:/sys/fs/cgroup Path:/hello Controllers:[cpuset cpu io memory hugetlb pids rdma misc] Own:[]}
D0326 20:25:46.208672    4950 cgroup_v2.go:131] Installing cgroup path "/sys/fs/cgroup/hello"
D0326 20:25:46.208894    4950 cgroup.go:115] Setting "/sys/fs/cgroup/hello/cgroup.procs" to "0"
I0326 20:25:46.228309    4950 namespace.go:198] Mapping host uid 0 to container uid 0 (size=4294967295)
I0326 20:25:46.228358    4950 namespace.go:206] Mapping host gid 0 to container gid 0 (size=4294967295)
D0326 20:25:46.228384    4950 donation.go:31] Donating FD 3: "/tmp/gvisor-onlyreadonly-problem.log"
D0326 20:25:46.228421    4950 donation.go:31] Donating FD 4: "/home/ixe013/src/spikes/bundle/config.json"
D0326 20:25:46.228431    4950 donation.go:31] Donating FD 5: "|1"
D0326 20:25:46.228437    4950 donation.go:31] Donating FD 6: "gofer-rpc"
D0326 20:25:46.228444    4950 donation.go:31] Donating FD 7: "gofer IO FD"
D0326 20:25:46.228450    4950 donation.go:31] Donating FD 8: "chroot sync gofer FD"
D0326 20:25:46.228458    4950 container.go:1547] Starting gofer: /proc/self/exe [runsc-gofer --debug=true --debug-log=/tmp/gvisor-onlyreadonly-problem.log --root=/var/run/runsc --debug-log-fd=3 gofer --bundle /home/ixe013/src/spikes/bundle --gofer-mount-confs=lisafs:self --spec-fd=4 --mounts-fd=5 --rpc-fd=6 --io-fds=7 --sync-chroot-fd=8]
I0326 20:25:46.230509    4950 container.go:1551] Gofer started, PID: 4956
D0326 20:25:46.230699    4950 cgroup_v2.go:227] Restoring cgroup "/sys/fs/cgroup/user.slice/user-1834957142.slice/session-4.scope"
D0326 20:25:46.230742    4950 cgroup.go:115] Setting "/sys/fs/cgroup/user.slice/user-1834957142.slice/session-4.scope/cgroup.procs" to "0"
D0326 20:25:46.230880    4950 container.go:842] Destroy container, cid: hello
D0326 20:25:46.230941    4950 container.go:1205] Killing gofer for container, cid: hello, PID: 4956
D0326 20:25:46.231429    4950 urpc.go:422] urpc: registering client with FD 14
W0326 20:25:46.231802    4950 container.go:889] failed to delete filestore file "rootfs/.gvisor.filestore.hello": remove rootfs/.gvisor.filestore.hello: no such file or directory
W0326 20:25:46.231837    4950 util.go:107] FATAL ERROR: running container: creating container: cannot create gofer process: creating gofer filestore files: failed to create filestore file inside "rootfs": no such file or directory
W0326 20:25:46.231881    4950 cli.go:319] Failure to execute command, err: 1

gvisor-onlyreadonly-problem.log

Guillaume Seguin

Mar 26, 2026, 5:50:58 PM (7 days ago) Mar 26
to gVisor Users [Public]
Gemini found the problem, I found the workaround:

The runtime spec documentation for the `root` element says that relative paths can be "either an absolute path or a relative path to the bundle", but if readonly is false, gVisor absolutely requires an absolute path.

Changing config.json at runtime is inconvenient (because the absolute path changes), but these workarounds are low touch and work on my machines:
  • sudo runsc run --bundle ${PWD} hello
  • runsc --rootless --network=none run --bundle ${PWD} hello

--
Guillaume
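An added check for the combination reported in this thread (example code, not from the post or from gVisor): it flags a config.json whose `root.readonly` is false while `root.path` is relative, and rewrites the path to the absolute form resolved against the bundle directory, which is the location the OCI spec already defines for a relative root. The sample config and bundle path are constructed; the rootfs does not need to exist for the check itself.

```python
import json
import os

# Constructed sample in the shape the OCI Quick start's config.json has;
# only the "root" element matters for this check.
SAMPLE_CONFIG = {
    "ociVersion": "1.0.0",
    "process": {"args": ["/hello"]},
    "root": {"path": "rootfs", "readonly": False},
}


def root_issue(config):
    """Return a description of the problematic combination, or None.

    The OCI spec allows root.path to be relative to the bundle. The thread
    above reports that runsc handles that only while readonly is true; with
    readonly false it needs an absolute path to place its filestore file.
    """
    root = config.get("root", {})
    path = root.get("path", "rootfs")  # spec default when path is omitted
    if root.get("readonly", False) or os.path.isabs(path):
        return None
    return f"root.path {path!r} is relative and root.readonly is false"


def absolutize_root(config, bundle_dir):
    """Return a copy of config with root.path resolved against bundle_dir.

    Only the spelling of the path changes; it still points at the same
    directory the spec resolves a bundle-relative root to.
    """
    fixed = json.loads(json.dumps(config))  # cheap deep copy of plain JSON
    root = fixed.setdefault("root", {})
    path = root.get("path", "rootfs")
    if not os.path.isabs(path):
        root["path"] = os.path.normpath(
            os.path.join(os.path.abspath(bundle_dir), path))
    return fixed


def rewrite_bundle(bundle_dir):
    """Rewrite <bundle_dir>/config.json in place; returns the new root.path."""
    cfg_file = os.path.join(bundle_dir, "config.json")
    with open(cfg_file) as fh:
        config = json.load(fh)
    fixed = absolutize_root(config, bundle_dir)
    with open(cfg_file, "w") as fh:
        json.dump(fixed, fh, indent=2)
    return fixed["root"]["path"]
```

Running `rewrite_bundle` before `runsc run` makes the bundle independent of the working directory, so the `--bundle ${PWD}` form above is no longer needed; `root_issue` alone is enough to lint configs without touching them.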