sysbox-deploy-k8s: detect k8s nodes with secure-boot enabled and generate error message
The sysbox-deploy-k8s daemonset installs Sysbox on Kubernetes clusters. As part of the installation, it installs and loads the shiftfs kernel module.
On GKE, we found that the shiftfs installation failed on K8s nodes configured with "Secure Boot" enabled. Secure boot caused the loading of the shiftfs module to be blocked. This in turn caused sysbox-deploy-k8s to fail, though the reason for the failure was not obvious.
We should improve the sysbox-deploy-k8s daemonset as follows:
- When the installation fails due to a failure to load shiftfs, a clear error should be logged.
- If the sysbox-deploy-k8s detects that the node has secure boot enabled, it should also log a warning message indicating that it should be disabled.
Note that the requirement to disable secure-boot should go away when we add support for ID-mapped mounts to sysbox (i.e., the alternative to shiftfs landing in kernels 5.12+).
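
A sketch of the two checks proposed above, added here as an example and not taken from the sysbox-deploy-k8s code. The function names and log wording are hypothetical, and it assumes the host's efivarfs is visible to the daemonset pod; the sample variable files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example; function names and messages are hypothetical.

# GUID of the EFI global variable namespace; the SecureBoot variable lives under it.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Prints "enabled", "disabled" or "unknown".
# $1: efivars directory (defaults to the host path; overridable for testing).
secure_boot_state() {
    efivars_dir="${1:-/sys/firmware/efi/efivars}"
    var="$efivars_dir/SecureBoot-$EFI_GLOBAL_GUID"
    # Not readable: legacy BIOS boot, or efivarfs not mounted where we can see it.
    [ -r "$var" ] || { echo unknown; return 0; }
    # efivarfs layout: 4 bytes of attributes, then 1 data byte (1 = enabled).
    val=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Loads shiftfs; warns about secure boot and logs a clear error on failure.
# $1: module loader command (default: modprobe), $2: efivars directory.
load_shiftfs() {
    loader="${1:-modprobe}"
    state=$(secure_boot_state "$2")
    if [ "$state" = enabled ]; then
        echo "WARNING: secure boot is enabled on this node;" \
             "it must be disabled for shiftfs to load" >&2
    fi
    if ! err=$("$loader" shiftfs 2>&1); then
        echo "ERROR: failed to load shiftfs kernel module" \
             "(secure boot: $state): $err" >&2
        return 1
    fi
}
```

Reporting "unknown" rather than "disabled" when the variable cannot be read avoids a misleading log line on nodes where the pod simply lacks access to efivarfs.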