`hostUsers: false` and `VOLUME [ "/run" ]` lead to `create mountpoint for /var/run/secrets/kubernetes.io/serviceaccount mount: mkdirat /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/test-volume/rootfs/run/secrets: permission denied`

[adelton]

Description

When an image defines VOLUME [ "/run" ], attempt to run a user-namespaced container with hostUsers: false via K3s fails with message

Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/var/lib/kubelet/pods/9587ef35-67eb-4fcb-9b57-a28fc23bd1fb/volumes/kubernetes.io~projected/kube-api-access-94hrt" to rootfs at "/var/run/secrets/kubernetes.io/serviceaccount": create mountpoint for /var/run/secrets/kubernetes.io/serviceaccount mount: mkdirat /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/test-volume/rootfs/run/secrets: permission denied

It is necessary to specify the /run as an emptyDir volume mount.

The problem is present with the containerd and runc shipped in stock K3c (v2.0.4-k3s2). Also reproduced with containerd 2.1 and runc 1.3.0 and crun 1.21.

Steps to reproduce the issue

1. Have an Ubuntu 24.04 machine (VM).
2. export INSTALL_K3S_EXEC="--kubelet-arg feature-gates=UserNamespacesSupport=true --kube-apiserver-arg feature-gates=UserNamespacesSupport=true --kube-controller-manager-arg feature-gates=UserNamespacesSupport=true --kube-scheduler-arg feature-gates=UserNamespacesSupport=true"
3. curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig ~/.kube/config
4. sudo chown -R $( id -u ):$( id -g ) ~/.kube
5. sudo apt update ; sudo apt install -y buildah
6. Have a Dockerfile with

FROM docker.io/library/alpine:latest
VOLUME [ "/run" ]

7. buildah build -t docker-archive:/tmp/test-volume.tar:localhost/test-volume
8. sudo k3s ctr images import - < /tmp/test-volume.tar
9. Have a test-volume.yaml with

apiVersion: v1
kind: Pod
metadata:
  name: test-volume
spec:
  restartPolicy: Never
  hostUsers: false
  containers:
  - name: test-volume
    image: localhost/test-volume
    imagePullPolicy: Never
    command: [ "cat", "/proc/self/uid_map" ]

10. kubectl apply -f test-volume.yaml
11. kubectl logs test-volume
12. kubectl describe pod/test-volume | tail -2

Describe the results you received and expected

Expected:

Something like

         0  383975424      65536

indicating that the container is running user-namespaced, and

  Normal  Created    5s    kubelet            Created container: test-volume
  Normal  Started    5s    kubelet            Started container test-volume

with no error.

Actual:

No output from kubectl logs test-volume. The describe showing

  Normal   Created    5s    kubelet            Created container: test-volume
  Warning  Failed     5s    kubelet            Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/var/lib/kubelet/pods/9587ef35-67eb-4fcb-9b57-a28fc23bd1fb/volumes/kubernetes.io~projected/kube-api-access-94hrt" to rootfs at "/var/run/secrets/kubernetes.io/serviceaccount": create mountpoint for /var/run/secrets/kubernetes.io/serviceaccount mount: mkdirat /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/test-volume/rootfs/run/secrets: permission denied

What version of containerd are you using?

containerd github.com/containerd/containerd/v2 v2.1.0 061792f

Any other relevant information

I originally filed this issue in K3s as k3s-io/k3s#12332 and was suggested to file with containerd. So this is essentially a copy of that issue.

I am able to make things work by adding

    volumeMounts:
    - mountPath: /run
      name: run-volume
  volumes:
  - name: run-volume
    emptyDir: {}

to test-volume.yaml.

But I would expect that VOLUME [ "/run" ] to do effectively the same, and user-namespaced containers not choking on that image.

This is a minimized example of an issue we've seen with https://github.com/freeipa/freeipa-container and K3s and containerd. The reason why we have VOLUME [ "/run" ] in the image is to make the usage of that systemd-based image easier with

    securityContext:
      readOnlyRootFilesystem: true

Show configuration if it is related to CRI plugin.

version = 3

[plugins.'io.containerd.cri.v1.runtime'.cni]
  bin_dirs = [ "/var/lib/rancher/k3s/data/cni" ]
  conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d"

[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc]
  cgroup_writable = true

[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options]
  SystemdCgroup = true

[adelton]

When I tested the same K3s setup but with CRI-O instead of containerd, it passed. So it seems that containerd is the component that introduces the difference in behaviour.

[Routhinator]

Cross-posting from the original issue here, as these two issues were the only ones I found..

on Jul 15, 2025

I'm just going to flag here that I am testing this in Kube 1.33.2 with CRI-O and I am having the same exact behaviour with no containerd in sight and no k3s (kubeadm manually built cluster with cri-o on Deb12) - this smells like it's either Kube, or maybe something related to a kernel version and particular modules.

Update: Unfortunately - the emptyDir backed run volumemount does not workaround the issue on CRI-O

EDIT: In my case it was having Kernel 6.1 (mainline) in Debian, needed to load the backports kernel to get 6.3+ for supporting this.

[rata]

Oh, I just see this issue.

The issue seems to be that containerd is not setting the permission in some directory correctly (or marking something ro before it should).

@Routhinator Hmm, that sounds weird, it seem you are not using a volume directive in the dockerfile and using that for the /run directory? What you describe seems to be that you were lacking idmap mounts support for the fs used in that kernel or something like that.

I can repro here with runc. Runc can't create the directory, and it's containerd role to set the permissions correctly so runc can do that. Not sure what is missing, though, as volume directives should work with userns and we have CI for that.

In fact, if the dockerfile does this instead:

VOLUME ["/rata"]

All works fine. There is something with /run, that is used for /var/run and the kubernetes service account token that is making this fail

[Routhinator]

@rata I think you may have tagged the wrong person here, I hit this early on into my testing of usernamespaces and realized I needed to upgrade my kernel, which solved this issue for me.

[rata]

I've debugged this, I have a fix already already. I'll polish it and open a PR tomorrow.

There is also a workaround: make sure the directory you are using in the VOLUME directory doesn't exist on the rootfs (or maybe in other mounts too). For example, this Dockerfile works fine:

FROM docker.io/library/alpine:latest
RUN rm -rf /run
VOLUME [ "/run" ]

The alpine rootfs has a /run directory, but if you remove it, you can workaround this bug on any containerd version.

Thanks again for the report! :)

[rata]

Opened a PR: #12218. I need to check the integration tests properly.