When the overlay volatile feature is enabled, creating a pod with an image configured with anonymous volumes will fail #10227

Closed
wgeeker opened this issue May 14, 2024 · 0 comments

wgeeker commented May 14, 2024

Description

When the overlay volatile feature is enabled, creating a pod with an image configured with anonymous volumes will fail. Error logs:

containerd[2347130]: time="2024-05-14T14:57:15.539317523+08:00" level=error msg="StartContainer for \"01a7b8fe53ec1626010723c109f154e9f2aedfae68a4b7cbc44e5b8edfea18d6\" failed" error="failed to create containerd task: failed to create shim task: failed to mount rootfs component &{overlay overlay [volatile index=off workdir=/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/22257/work upperdir=/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/22257/fs lowerdir=/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/7417/fs:/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/7416/fs:/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/7415/fs:/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/7414/fs:/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/7413/fs:/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/7412/fs:/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/7411/fs:/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/7410/fs:/media/disk1/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/7409/fs]}: invalid argument: unknown"

The key info is:

failed to create containerd task: failed to create shim task: failed to mount rootfs component ... invalid argument: unknown

Steps to reproduce the issue

  1. Enable the overlay volatile feature:

    [plugins."io.containerd.snapshotter.v1.overlayfs"]
      root_path = ""
      upperdir_label = false
      mount_options = ["volatile"]

  2. Build an image with an anonymous volume:

    # The problem persists when using other base images as well.
    FROM centos:centos7.9.2009
    # The problem persists when switching other directories as well.
    VOLUME ["/home/volatile"]

  3. Create a pod using the image. The pod YAML follows:

    apiVersion: v1
    kind: Pod
    metadata:
      name: volatile-test
      labels:
        app: volatile-test
    spec:
      hostNetwork: true
      nodeName: public-bjzey-c8-kce-node472.idchb1az3.hb1.kwaidc.com
      containers:
        - name: volatile-test
          args:
          - /bin/sh
          - -c
          - sleep 600
          image: registry.corp.kuaishou.com/docker-test/volatile:test-5
          #image: registry.corp.kuaishou.com/ksp/public/private_clouds/node-problem-detector:1.0.281-master-c

Describe the results you received and expected

When the overlay volatile feature is enabled, creating a pod with an image configured with anonymous volumes will succeed.

What version of containerd are you using?

containerd github.com/containerd/containerd v1.6.24

Any other relevant information

# runc --version:
runc version 1.1.2
commit: dc2d880
spec: 1.0.2-dev
go: go1.18.10
libseccomp: 2.3.1

# crictl info
{
  "status": {
    "conditions": [
      {
        "type": "RuntimeReady",
        "status": true,
        "reason": "",
        "message": ""
      },
      {
        "type": "NetworkReady",
        "status": true,
        "reason": "",
        "message": ""
      }
    ]
  },
  "cniconfig": {
    "PluginDirs": [
      "/opt/cni/bin"
    ],
    "PluginConfDir": "/etc/cni/net.d",
    "PluginMaxConfNum": 1,
    "Prefix": "eth",
    "Networks": [
      {
        "Config": {
          "Name": "cni-loopback",
          "CNIVersion": "0.3.1",
          "Plugins": [
            {
              "Network": {
                "type": "loopback",
                "ipam": {},
                "dns": {}
              },
              "Source": "{\"type\":\"loopback\"}"
            }
          ],
          "Source": "{\n\"cniVersion\": \"0.3.1\",\n\"name\": \"cni-loopback\",\n\"plugins\": [{\n  \"type\": \"loopback\"\n}]\n}"
        },
        "IFName": "lo"
      },
      {
        "Config": {
          "Name": "kflax",
          "CNIVersion": "0.3.1",
          "Plugins": [
            {
              "Network": {
                "type": "kflax",
                "capabilities": {
                  "io.kubernetes.cri.pod-annotations": true,
                  "portMappings": true
                },
                "ipam": {},
                "dns": {}
              },
              "Source": "{\"args\":{\"cloud\":\"kflax_non_cloud\"},\"capabilities\":{\"io.kubernetes.cri.pod-annotations\":true,\"portMappings\":true},\"sysctl\":{\"net/core/somaxconn\":\"auto\",\"net/ipv4/tcp_fin_timeout\":\"auto\",\"net/ipv4/tcp_keepalive_time\":\"auto\",\"net/ipv4/tcp_max_syn_backlog\":\"auto\",\"net/ipv4/tcp_max_tw_buckets\":\"auto\",\"net/ipv4/tcp_no_metrics_save\":\"auto\",\"net/ipv4/tcp_slow_start_after_idle\":\"auto\",\"net/ipv4/tcp_syn_retries\":\"auto\",\"net/ipv4/tcp_synack_retries\":\"auto\",\"net/ipv4/tcp_timestamps\":\"auto\",\"net/ipv4/tcp_tw_reuse\":\"auto\"},\"type\":\"kflax\"}"
            }
          ],
          "Source": "{\n  \"name\": \"kflax\",\n  \"cniVersion\": \"0.3.1\",\n  \"plugins\": [\n    {\n      \"type\": \"kflax\",\n      \"capabilities\": {\n        \"portMappings\": true,\n        \"io.kubernetes.cri.pod-annotations\": true\n      },\n      \"sysctl\": {\n        \"net/ipv4/tcp_syn_retries\": \"auto\",\n        \"net/ipv4/tcp_synack_retries\": \"auto\",\n        \"net/ipv4/tcp_max_syn_backlog\": \"auto\",\n        \"net/ipv4/tcp_keepalive_time\": \"auto\",\n        \"net/ipv4/tcp_fin_timeout\": \"auto\",\n        \"net/ipv4/tcp_slow_start_after_idle\": \"auto\",\n        \"net/ipv4/tcp_max_tw_buckets\": \"auto\",\n        \"net/ipv4/tcp_no_metrics_save\": \"auto\",\n        \"net/ipv4/tcp_timestamps\": \"auto\",\n        \"net/ipv4/tcp_tw_reuse\": \"auto\",\n        \"net/core/somaxconn\": \"auto\"\n      },\n      \"args\": {\n        \"cloud\": \"kflax_non_cloud\"\n      }\n    }\n  ]\n}\n"
        },
        "IFName": "eth0"
      }
    ]
  },
  "config": {
    "containerd": {
      "snapshotter": "overlayfs",
      "defaultRuntimeName": "runc",
      "defaultRuntime": {
        "runtimeType": "",
        "runtimePath": "",
        "runtimeEngine": "",
        "PodAnnotations": [],
        "ContainerAnnotations": [],
        "runtimeRoot": "",
        "options": {},
        "privileged_without_host_devices": false,
        "baseRuntimeSpec": "",
        "cniConfDir": "",
        "cniMaxConfNum": 0
      },
      "untrustedWorkloadRuntime": {
        "runtimeType": "io.containerd.runtime.v1.linux",
        "runtimePath": "",
        "runtimeEngine": "/opt/kata/bin/kata-runtime",
        "PodAnnotations": [],
        "ContainerAnnotations": [],
        "runtimeRoot": "",
        "options": null,
        "privileged_without_host_devices": true,
        "baseRuntimeSpec": "",
        "cniConfDir": "",
        "cniMaxConfNum": 0
      },
      "runtimes": {
        "runc": {
          "runtimeType": "io.containerd.runc.v2",
          "runtimePath": "",
          "runtimeEngine": "",
          "PodAnnotations": [],
          "ContainerAnnotations": [],
          "runtimeRoot": "",
          "options": {
            "BinaryName": "",
            "CriuImagePath": "",
            "CriuPath": "",
            "CriuWorkPath": "",
            "IoGid": 0,
            "IoUid": 0,
            "NoNewKeyring": false,
            "NoPivotRoot": false,
            "Root": "",
            "ShimCgroup": "",
            "SystemdCgroup": true
          },
          "privileged_without_host_devices": false,
          "baseRuntimeSpec": "",
          "cniConfDir": "",
          "cniMaxConfNum": 0
        },
        "untrusted": {
          "runtimeType": "io.containerd.runtime.v1.linux",
          "runtimePath": "",
          "runtimeEngine": "/opt/kata/bin/kata-runtime",
          "PodAnnotations": [],
          "ContainerAnnotations": [],
          "runtimeRoot": "",
          "options": null,
          "privileged_without_host_devices": true,
          "baseRuntimeSpec": "",
          "cniConfDir": "",
          "cniMaxConfNum": 0
        }
      },
      "noPivot": false,
      "disableSnapshotAnnotations": true,
      "discardUnpackedLayers": false,
      "ignoreRdtNotEnabledErrors": false
    },
    "cni": {
      "binDir": "/opt/cni/bin",
      "confDir": "/etc/cni/net.d",
      "maxConfNum": 1,
      "confTemplate": "",
      "ipPref": ""
    },
    "registry": {
      "configPath": "/etc/containerd/certs.d",
      "mirrors": {},
      "configs": {},
      "auths": {},
      "headers": {}
    },
    "imageDecryption": {
      "keyModel": "node"
    },
    "disableTCPService": true,
    "streamServerAddress": "127.0.0.1",
    "streamServerPort": "0",
    "streamIdleTimeout": "4h0m0s",
    "enableSelinux": false,
    "selinuxCategoryRange": 1024,
    "sandboxImage": "registry.corp.kuaishou.com/cloud_admin/pause:3.1",
    "statsCollectPeriod": 10,
    "systemdCgroup": false,
    "enableTLSStreaming": false,
    "x509KeyPairStreaming": {
      "tlsCertFile": "",
      "tlsKeyFile": ""
    },
    "maxContainerLogSize": 16384,
    "disableCgroup": false,
    "disableApparmor": false,
    "restrictOOMScoreAdj": false,
    "maxConcurrentDownloads": 10,
    "disableProcMount": false,
    "unsetSeccompProfile": "",
    "tolerateMissingHugetlbController": true,
    "disableHugetlbController": true,
    "device_ownership_from_security_context": false,
    "ignoreImageDefinedVolumes": false,
    "netnsMountsUnderStateDir": false,
    "enableUnprivilegedPorts": false,
    "enableUnprivilegedICMP": false,
    "containerdRootDir": "/media/disk1/containerd",
    "containerdEndpoint": "/run/containerd/containerd.sock",
    "rootDir": "/media/disk1/containerd/io.containerd.grpc.v1.cri",
    "stateDir": "/run/containerd/io.containerd.grpc.v1.cri"
  },
  "golang": "go1.20.8",
  "lastCNILoadStatus": "OK",
  "lastCNILoadStatus.default": "OK"
}

Kubernetes version: 1.17/1.22

Show configuration if it is related to CRI plugin.

No response
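
A triage helper for the error line in this report, as an added example that is not part of the original issue or of containerd's code: it parses the overlay mount options out of the log message and checks for the `$workdir/work/incompat/volatile` directory, which the kernel overlayfs documentation says is created by a `volatile` mount and causes the next mount of the same directories to be refused. That this marker explains the failure here is an assumption to verify on the node, since the report states no root cause; the sample line and its paths are constructed.

```python
import os
import re

# Constructed sample, shortened from the shape of the log line in the report.
SAMPLE_LINE = (
    'level=error msg="StartContainer failed" error="failed to mount rootfs '
    'component &{overlay overlay [volatile index=off '
    'workdir=/var/lib/example/snapshots/12/work '
    'upperdir=/var/lib/example/snapshots/12/fs '
    'lowerdir=/var/lib/example/snapshots/11/fs:/var/lib/example/snapshots/10/fs]}'
    ': invalid argument: unknown"'
)

# containerd prints the failing mount as: &{overlay overlay [opt opt ...]}
MOUNT_RE = re.compile(r"&\{overlay overlay \[([^\]]*)\]\}")


def parse_overlay_mount(log_line):
    """Return the overlay mount options as a dict, or None if none is present."""
    match = MOUNT_RE.search(log_line)
    if match is None:
        return None
    opts = {"flags": []}
    for token in match.group(1).split():
        key, sep, value = token.partition("=")
        if not sep:
            opts["flags"].append(token)      # bare option such as "volatile"
        elif key == "lowerdir":
            opts[key] = value.split(":")     # colon-separated layer list
        else:
            opts[key] = value
    return opts


def volatile_marker(workdir):
    """Marker path from the kernel overlayfs docs: $workdir/work/incompat/volatile."""
    return os.path.join(workdir, "work", "incompat", "volatile")


def diagnose(log_line, exists=os.path.isdir):
    """Classify a failed-mount log line; `exists` is injectable for testing."""
    opts = parse_overlay_mount(log_line)
    if opts is None:
        return "no overlay mount in line"
    if "volatile" not in opts["flags"] or "workdir" not in opts:
        return "not a volatile mount"
    marker = volatile_marker(opts["workdir"])
    if exists(marker):
        return "stale volatile marker: " + marker
    return "volatile mount, no marker at " + marker
```

Run `diagnose()` on the node that logged the error, with read access to the snapshotter root, so the `workdir` path in the log resolves to the real snapshot directory.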
