{
  "id": "kubernetes/volume-mount-readonly-filesystem",
  "signature": "Error: failed to start container: failed to create containerd task: mount /var/lib/kubelet/pods/.../volumes/...: operation not permitted",
  "signature_zh": "错误：启动容器失败：创建containerd任务失败：挂载 /var/lib/kubelet/pods/.../volumes/...：操作不允许",
  "regex": "failed to create containerd task: mount .* operation not permitted",
  "domain": "kubernetes",
  "category": "system_error",
  "subcategory": null,
  "root_cause": "Container runtime (containerd) is denied when it tries to mount a pod volume under /var/lib/kubelet/pods. The message ends in 'operation not permitted' (EPERM), which usually indicates a mandatory access control denial of the mount syscall (an SELinux AVC or an AppArmor DENIED entry) rather than a read-only filesystem, which normally reports 'read-only file system' (EROFS). An invalid or missing mount point is a less common cause. Check the audit and kernel logs for a denial record before treating this as a filesystem problem.",
  "root_cause_type": "generic",
  "root_cause_zh": "容器运行时（containerd）在尝试挂载 /var/lib/kubelet/pods 下的Pod卷时被拒绝。消息以'operation not permitted'（EPERM）结尾，通常表示mount系统调用被强制访问控制拒绝（SELinux AVC或AppArmor DENIED记录），而不是只读文件系统——后者通常报告'read-only file system'（EROFS）。挂载点无效或缺失是较少见的原因。在当作文件系统问题处理之前，先在审计日志和内核日志中查找拒绝记录。",
  "versions": [
    {
      "version": "Kubernetes 1.28",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Kubernetes 1.29",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "containerd 1.7.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Ubuntu 22.04",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Restart kubelet or containerd",
      "why_fails": "Restarting kubelet or containerd doesn't fix the underlying filesystem or SELinux issue; mounts will still fail.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "Delete and re-create the pod",
      "why_fails": "Re-creating the pod without fixing SELinux context or AppArmor profile results in the same mount error.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Check SELinux status: `getenforce`, and look for the denial in the audit log: `ausearch -m AVC -ts recent` (or `journalctl -k | grep -i avc`). Switching to permissive with `setenforce 0` is a diagnostic step only - it disables mandatory access control for every workload on the node - so confirm the mount succeeds and then restore enforcement with `setenforce 1`. For a persistent fix, label the kubelet volume path for container access: `semanage fcontext -a -t container_file_t '/var/lib/kubelet/pods/.*/volumes/.*(/.*)?'` followed by `restorecon -Rv /var/lib/kubelet/pods` (the fcontext rule alone does not relabel existing files). Prefer a minimal policy derived from the observed denial (`audit2allow`) over disabling SELinux.",
      "success_rate": 0.9,
      "how": "Check SELinux status: `getenforce`, and look for the denial in the audit log: `ausearch -m AVC -ts recent` (or `journalctl -k | grep -i avc`). Switching to permissive with `setenforce 0` is a diagnostic step only - it disables mandatory access control for every workload on the node - so confirm the mount succeeds and then restore enforcement with `setenforce 1`. For a persistent fix, label the kubelet volume path for container access: `semanage fcontext -a -t container_file_t '/var/lib/kubelet/pods/.*/volumes/.*(/.*)?'` followed by `restorecon -Rv /var/lib/kubelet/pods` (the fcontext rule alone does not relabel existing files). Prefer a minimal policy derived from the observed denial (`audit2allow`) over disabling SELinux.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Check AppArmor status: `aa-status`, and look for the denial in the kernel log: `journalctl -k | grep -i apparmor`. If a profile confines containerd or the container, put that specific profile into complain mode to confirm it is the cause (`aa-complain <profile>`), then add the required mount rule to the profile and reload it (`apparmor_parser -r <profile>`) rather than removing it. Note that `aa-remove-unknown` unloads every loaded profile that has no file under /etc/apparmor.d, which strips protection from unrelated workloads on the node; use it only when an orphaned profile has been positively identified as the cause.",
      "success_rate": 0.8,
      "how": "Check AppArmor status: `aa-status`, and look for the denial in the kernel log: `journalctl -k | grep -i apparmor`. If a profile confines containerd or the container, put that specific profile into complain mode to confirm it is the cause (`aa-complain <profile>`), then add the required mount rule to the profile and reload it (`apparmor_parser -r <profile>`) rather than removing it. Note that `aa-remove-unknown` unloads every loaded profile that has no file under /etc/apparmor.d, which strips protection from unrelated workloads on the node; use it only when an orphaned profile has been positively identified as the cause.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "检查SELinux状态：`getenforce`，并在审计日志中查找拒绝记录：`ausearch -m AVC -ts recent`（或 `journalctl -k | grep -i avc`）。用 `setenforce 0` 切换到宽松模式仅用于诊断——它会关闭该节点上所有工作负载的强制访问控制——确认挂载成功后须用 `setenforce 1` 恢复强制模式。持久修复：为kubelet卷路径打上容器可访问的标签：`semanage fcontext -a -t container_file_t '/var/lib/kubelet/pods/.*/volumes/.*(/.*)?'`，然后执行 `restorecon -Rv /var/lib/kubelet/pods`（仅添加fcontext规则不会重新标记已有文件）。优先根据实际拒绝记录生成最小策略（`audit2allow`），而不是禁用SELinux。",
    "检查AppArmor状态：`aa-status`，并在内核日志中查找拒绝记录：`journalctl -k | grep -i apparmor`。如果某个配置文件限制了containerd或容器，先将该配置文件切换为投诉模式以确认原因（`aa-complain <profile>`），然后在配置文件中添加所需的mount规则并重新加载（`apparmor_parser -r <profile>`），而不是直接删除。注意 `aa-remove-unknown` 会卸载所有在 /etc/apparmor.d 下没有对应文件的已加载配置文件，这会移除节点上其他无关工作负载的保护；只有在确认某个孤立配置文件就是原因时才使用它。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2024-01-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}