chroot not permitted with cri-o

[hlcianfagna]

Attempting to deploy CrateDB with the operator with https://cri-o.io/ results in

chroot: cannot change root directory to '/': Operation not permitted

Steps to reproduce:

sudo snap install microk8s --classic --channel=1.29/stable
export OS=xUbuntu_22.04
export CRIO_VERSION=1.22
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /"| sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$CRIO_VERSION/$OS/ /"|sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$CRIO_VERSION.list
curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$CRIO_VERSION/$OS/Release.key | sudo apt-key add -
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | sudo apt-key add -
sudo apt update
sudo apt install cri-o cri-o-runc -y
sudo systemctl start crio
sudo systemctl enable crio
sudo apt install -y containernetworking-plugins
sudo systemctl restart crio
sudo apt install -y cri-tools
sudo crictl --runtime-endpoint unix:///var/run/crio/crio.sock version
sudo nano /var/snap/microk8s/current/args/kubelet

Replace the container-runtime-endpoint line with:

--container-runtime-endpoint=unix:///var/run/crio/crio.sock
--runtime-request-timeout=10m
--cgroup-driver="systemd"

On the steps below replace hernan with your user name:

sudo microk8s stop
sudo microk8s start
sudo usermod -a -G microk8s hernan
sudo chown -R hernan ~/.kube
newgrp microk8s

microk8s kubectl create namespace crate-operator
microk8s kubectl create namespace crate

nano StorageClassMicrok8s.yaml

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: default
provisioner: microk8s.io/hostpath
reclaimPolicy: Delete
volumeBindingMode: Immediate

microk8s enable storage
microk8s kubectl apply -f StorageClassMicrok8s.yaml

microk8s helm repo add crate-operator https://crate.github.io/crate-operator
microk8s helm repo update
microk8s helm install crate-operator crate-operator/crate-operator --namespace crate-operator

nano dev-cluster.yaml

apiVersion: cloud.crate.io/v1
kind: CrateDB
metadata:
  name: my-cluster
  namespace: crate
spec:
  cluster:
    imageRegistry: crate
    name: crate-dev
    version: 5.7.1
  nodes:
    data:
    - name: my-cluster
      replicas: 1
      resources:
        limits:
          cpu: 1
          memory: 1024Mi
        disk:
          count: 1
          size: 2GiB
          storageClass: default
        heapRatio: 0.25

microk8s kubectl --namespace crate create -f dev-cluster.yaml
microk8s kubectl get cratedbs -n crate
microk8s kubectl get pods --namespace crate 
microk8s kubectl logs crate-data-my-cluster-my-cluster-0 crate -n crate

chroot: cannot change root directory to '/': Operation not permitted

sudo nano /etc/crio/crio.conf.d/01-crio-runc.conf

default_capabilities = ["SYS_CHROOT"]

sudo systemctl restart crio

--> same issue

[hlcianfagna]

Forgot to mention that deploying a StatefulSet with CrateDB without the operator there are no issues.