{"id":16191214,"url":"https://github.com/simonbaeumer/crio-in-kind","last_synced_at":"2025-11-11T22:07:32.583Z","repository":{"id":250687734,"uuid":"832025531","full_name":"SimonBaeumer/crio-in-kind","owner":"SimonBaeumer","description":null,"archived":false,"fork":false,"pushed_at":"2024-08-02T10:49:32.000Z","size":12,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-03T21:36:04.113Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SimonBaeumer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-22T07:51:45.000Z","updated_at":"2024-08-02T10:49:35.000Z","dependencies_parsed_at":"2025-04-07T14:39:02.293Z","dependency_job_id":"6a1d3e64-6af2-4939-99b6-6e3cef007872","html_url":"https://github.com/SimonBaeumer/crio-in-kind","commit_stats":null,"previous_names":["simonbaeumer/crio-in-kind"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SimonBaeumer/crio-in-kind","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SimonBaeumer%2Fcrio-in-kind","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SimonBaeumer%2Fcrio-in-kind/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SimonBaeumer%2Fcrio-in-kind/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SimonBaeumer%2Fcrio-in-kind/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/owners/SimonBaeumer","download_url":"https://codeload.github.com/SimonBaeumer/crio-in-kind/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SimonBaeumer%2Fcrio-in-kind/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":283937602,"owners_count":26919514,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-11T02:00:06.610Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-10T07:45:23.671Z","updated_at":"2025-11-11T22:07:32.563Z","avatar_url":"https://github.com/SimonBaeumer.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cri-o in kind\n\nhttps://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/\nhttps://sysdig.com/blog/forensic-container-checkpointing-dfir-kubernetes/\nhttps://criu.org/Main_Page\nInspired by: https://gist.github.com/aojea/bd1fb766302779b77b8f68fa0a81c0f2\n\nEnable the feature gate: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n\n```\n# Create cluster\nkind create cluster --image kindnode/crio:1.18 --name container-checkpointing --config feature-gates.yaml\n\n# Join host node\ndocker exec -it container-checkpointing-control-plane /bin/bash\n\n# Check feature gate is enabled.\nroot@container-checkpointing-control-plane:/# ps aux | grep 
Checkpoint\nroot         487  1.3  0.1 1308588 106428 ?      Ssl  08:07   0:02 kube-controller-manager --allocate-node-cidrs=true \u003c...\u003e --feature-gates=ContainerCheckpoint=true,KubeletInUserNamespace=true \u003c...\u003e\n\n# View kubelet logs\n$ journalctl -u kubelet\n$ journalctl -u crio\n\n$ crictl --runtime-endpoint unix:///run/crio/crio.sock pull registry.k8s.io/kube-apiserver:v1.30.0\nE0726 13:40:42.726916     714 remote_image.go:180] \"PullImage from image service failed\" err=\u003c\n\trpc error: code = Unknown desc = copying system image from manifest list: writing blob: adding layer with blob \"sha256:0c6c1ee970856d051398b9bdfbd829083b7fa79aeb59435f4dafae3837ba8948\": processing tar file(time=\"2024-07-26T13:40:42Z\" level=warning msg=\"Failed to read CAP_SYS_ADMIN presence for the current process\"\n\ttime=\"2024-07-26T13:40:42Z\" level=warning msg=\"Failed to read current user namespace mappings\"\n\toperation not permitted): exit status 1\n \u003e image=\"registry.k8s.io/kube-apiserver:v1.30.0\"\nFATA[0002] pulling image: copying system image from manifest list: writing blob: adding layer with blob \"sha256:0c6c1ee970856d051398b9bdfbd829083b7fa79aeb59435f4dafae3837ba8948\": processing tar file(time=\"2024-07-26T13:40:42Z\" level=warning msg=\"Failed to read CAP_SYS_ADMIN presence for the current process\"\ntime=\"2024-07-26T13:40:42Z\" level=warning msg=\"Failed to read current user namespace mappings\"\noperation not permitted): exit status 1 \n\nroot@container-checkpointing-control-plane:/# echo 1 \u003e /proc/self/oom_score_adj \nbash: echo: write error: Permission denied\n\n❯ docker run --rm -it --entrypoint /bin/bash --privileged quay.io/sbaumer/kindest-node-crio:1.30.0\nroot@0a2a40b4197d:/# exit\nexit\n❯ docker run --rm --security-opt seccomp=unconfined -it --entrypoint /bin/bash --privileged quay.io/sbaumer/kindest-node-crio:1.30.0\nroot@bb6ab4c43a43:/# echo 1 \u003e /proc/self/oom_score_adj\nbash: echo: write error: Permission 
denied\nroot@bb6ab4c43a43:/# \n\n# set ENV _CRIO_ROOTLESS=1 in Dockerfile\n# crio starts\n\n    \n```\n\n### Debug\n\n- Does the current process have the required capabilities (`CAP_SYS_ADMIN`)?\n\n```\n$ cat /proc/$$/status | grep Cap\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n\n$ capsh --decode=000001ffffffffff\n0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore\n```\n\nResult: Has `cap_sys_admin` set.\n\n- Is the user mapped correctly? (user namespace) https://www.schutzwerk.com/en/blog/linux-container-namespaces04-user/\n\n\nhttps://github.com/cri-o/cri-o/issues/4902\nhttps://github.com/containers/podman/issues/13449","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimonbaeumer%2Fcrio-in-kind","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimonbaeumer%2Fcrio-in-kind","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimonbaeumer%2Fcrio-in-kind/lists"}