kubernetes
system_error
ai_generated
true
Error: failed to start container: failed to create containerd task: mount /var/lib/kubelet/pods/.../volumes/...: operation not permitted
ID: kubernetes/volume-mount-readonly-filesystem
Fix rate: 85%
Confidence: 88%
Evidence count: 1
First seen: 2024-01-10
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Kubernetes 1.28 | active | — | — | — |
| Kubernetes 1.29 | active | — | — | — |
| containerd 1.7.0 | active | — | — | — |
| Ubuntu 22.04 | active | — | — | — |
Root cause analysis
The container runtime (containerd, via runc) is refused permission to mount the pod volume. "operation not permitted" is EPERM from mount(2): the kernel rejected the call because of a mandatory access control denial, typically SELinux in enforcing mode (the kubelet volume directory carries a label the container domain may not mount on) or an AppArmor profile without a matching `mount` rule. A genuinely read-only filesystem would report "read-only file system" (EROFS) instead, so that message points to a policy or capability problem rather than to the disk.
Official documentation
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
Solutions
- Check SELinux: `getenforce`. If it reports `Enforcing`, confirm the denial before changing anything: `ausearch -m AVC -ts recent` (or `journalctl -k | grep avc`) should show an `avc: denied { mounton }` record for the kubelet volume path with `permissive=0`. Switching to permissive mode with `setenforce 0` is a diagnostic step only: if the mount then succeeds the cause is confirmed, but leaving the node permissive removes mandatory access control for every workload on it, so revert with `setenforce 1`. Persistent fix: record a labeling rule and apply it: `semanage fcontext -a -t container_file_t '/var/lib/kubelet/pods/.*/volumes/.*(/.*)?'` followed by `restorecon -Rv /var/lib/kubelet/pods` (semanage only stores the rule; restorecon relabels the directories that already exist). The linked security-context page also describes `securityContext.seLinuxOptions`, which lets the kubelet assign the container's SELinux level to volumes it relabels.
- Check AppArmor: `aa-status` lists the loaded profiles and their mode. Find the denial in the kernel log with `journalctl -k | grep 'apparmor="DENIED"'` (or `dmesg`); the record names the `profile=` that blocked `operation="mount"`. Note that `aa-remove-unknown` only unloads profiles that have no file under /etc/apparmor.d; to unload one specific profile use `apparmor_parser -R /etc/apparmor.d/<profile>`. Preferably keep confinement and either add a `mount` rule for the volume path to that profile or, on Kubernetes 1.28/1.29, select the profile per container with the annotation `container.apparmor.security.beta.kubernetes.io/<container>: unconfined` (or `localhost/<profile>` for a custom profile that permits the mount).
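To tell the two causes apart from the logs instead of by switching enforcement off, here is an added diagnostic script; it is not part of the original entry, nor of Kubernetes or containerd. It performs the checks from both solution steps: classify_denials reads kernel/audit records and reports whether SELinux, AppArmor, both or neither denied a mount, selinux_target_type and apparmor_profile pull out the label type and profile name you would need for the fix, and suggest_fix prints the matching remediation. The two denial records embedded in it are constructed samples; the pod UID, volume path and the profile name `cri-containerd.apparmor.d` are placeholders chosen for illustration. Run it with `--live` on a node (as root) to read real records through ausearch and journalctl.

```shell
#!/usr/bin/env bash
# Diagnostic helper added for this page (not from the original entry): decide whether a
# "mount ...: operation not permitted" failure came from SELinux or AppArmor by reading
# the denial records each LSM leaves in the kernel/audit log, and print the matching fix.
# classify_denials, selinux_target_type, apparmor_profile and suggest_fix are pure text
# processing; live_denials needs root on the node.
set -u

# Sample denial records, constructed for this example (not captured from a real cluster).
# The pod UID, volume path and profile name are placeholders.
SAMPLE_SELINUX='type=AVC msg=audit(1704879000.123:456): avc:  denied  { mounton } for  pid=1234 comm="runc:[2:INIT]" path="/var/lib/kubelet/pods/example-pod-uid/volumes/kubernetes.io~empty-dir/data" dev="dm-0" ino=123 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0'
SAMPLE_APPARMOR='audit: type=1400 audit(1704879000.456:789): apparmor="DENIED" operation="mount" info="failed perms check" error=-13 profile="cri-containerd.apparmor.d" name="/var/lib/kubelet/pods/example-pod-uid/volumes/kubernetes.io~empty-dir/data" pid=1234 comm="runc:[2:INIT]" flags="rw, bind"'

# classify_denials: read log lines on stdin; print selinux, apparmor, both or none.
classify_denials() {
  local line sel=0 aa=0
  while IFS= read -r line; do
    case "$line" in
      *"avc:"*"denied"*"{ mount"*) sel=1 ;;                 # matches { mount } and { mounton }
      *'apparmor="DENIED"'*'operation="mount"'*) aa=1 ;;
    esac
  done
  if [ "$sel" = 1 ] && [ "$aa" = 1 ]; then echo both
  elif [ "$sel" = 1 ]; then echo selinux
  elif [ "$aa" = 1 ]; then echo apparmor
  else echo none; fi
}

# selinux_target_type: print the target type (e.g. var_lib_t) from the first AVC record on stdin.
selinux_target_type() {
  sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' | head -n 1
}

# apparmor_profile: print the confining profile name from the first AppArmor DENIED record on stdin.
apparmor_profile() {
  sed -n 's/.*profile="\([^"]*\)".*/\1/p' | head -n 1
}

# suggest_fix: given a classification, print the remediation for that LSM (always returns 0).
suggest_fix() {
  case "$1" in
    selinux|both)
      echo "SELinux: record a label rule for the kubelet volume tree, then relabel it:"
      echo "  semanage fcontext -a -t container_file_t '/var/lib/kubelet/pods/.*/volumes/.*(/.*)?'"
      echo "  restorecon -Rv /var/lib/kubelet/pods"
      echo "  (ausearch -m AVC -ts recent | audit2allow -w   explains each denial)"
      ;;
  esac
  case "$1" in
    apparmor|both)
      echo "AppArmor: inspect the denying profile (aa-status), then either add a mount rule to it"
      echo "  or select a permitting profile per container with the pod annotation"
      echo "  container.apparmor.security.beta.kubernetes.io/<container>: unconfined"
      ;;
  esac
  [ "$1" = none ] && echo "No LSM denial found; check the container's capability set (CAP_SYS_ADMIN)."
  return 0
}

# live_denials: collect recent mount denials from a running node (root required; either tool may be absent).
live_denials() {
  { command -v ausearch >/dev/null 2>&1 && ausearch -m AVC -ts recent 2>/dev/null
    command -v journalctl >/dev/null 2>&1 && journalctl -k --since "1 hour ago" 2>/dev/null
  } | grep -E 'avc: .*[{] mount|apparmor="DENIED".*operation="mount"' || true
}

if [ "${1:-}" = "--live" ]; then
  input=$(live_denials)
else
  input=$(printf '%s\n%s\n' "$SAMPLE_SELINUX" "$SAMPLE_APPARMOR")
fi
verdict=$(printf '%s\n' "$input" | classify_denials)
echo "verdict: $verdict"
suggest_fix "$verdict"
```

Without arguments the script classifies the two constructed records and reports `both`; on a real node the verdict usually names one LSM, and the type or profile it extracts is what goes into the `semanage fcontext` rule or the AppArmor profile edit.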
Ineffective attempts
Common but ineffective approaches:
- 70% failure rate: Restarting kubelet or containerd does not fix the underlying filesystem or SELinux issue; the mount still fails.
- 80% failure rate: Re-creating the pod without fixing the SELinux context or AppArmor profile results in the same mount error.