Sysbox-CE 0.7.0 + K8s + containerd 2.x: "mount through procfd: operation not permitted" on pod creation (k3s and RKE2, kernels 5.15 and 6.8) #1006

@devopsninja464

Description

Summary
Sysbox-CE 0.7.0 fails to create K8s pods on Ubuntu 22.04 with the error mount through procfd: operation not permitted. The failure is identical across two K8s distributions (k3s and RKE2), two kernel versions (5.15 stock and 6.8 HWE), shiftfs present and absent, and AppArmor enabled and disabled.
Sysbox 0.7.0 with the same binary works correctly when invoked by Docker on the same host (docker run --runtime=sysbox-runc produces full sysboxfs FUSE mounts). The failure is specific to invocation via containerd's CRI path.
Environment

Host: Vultr Cloud Compute VM, 4 vCPU / 8 GB RAM
OS: Ubuntu 22.04.5 LTS
Kernels tested (both fail):

5.15.0-176-generic (Vultr stock, with shiftfs)
6.8.0-111-generic (HWE, no shiftfs)

Sysbox-CE: 0.7.0 (commit bff3721f86e737cfa129dfe9fe2e7933692aba26, built 2026-03-03)
K8s distros tested (both fail identically):

k3s v1.30.5+k3s1 with containerd 1.7
RKE2 v1.35.4+rke2r1 with containerd 2.2.3

Sysbox install method: kubectl apply -f https://raw.githubusercontent.com/nestybox/sysbox/master/sysbox-k8s-manifests/sysbox-install.yaml (sysbox-deploy-k8s daemonset reports "Sysbox installation completed")

Reproduction

Install RKE2 v1.35.4 on Ubuntu 22.04
Apply the sysbox-install daemonset
Verify daemonset completes and kubectl get runtimeclass sysbox-runc returns the runtime class
Verify containerd config has sysbox-runc registered (confirmed via crictl info)
Apply this pod manifest:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sysbox-smoke
  namespace: default
spec:
  runtimeClassName: sysbox-runc
  restartPolicy: Never
  containers:
    - name: test
      image: ubuntu:22.04
      command: ["sleep", "120"]
      resources:
        limits:
          memory: "256Mi"
          cpu: "200m"
```

Error

```
Failed to create pod sandbox: rpc error: code = Unknown desc =
failed to start sandbox: failed to create containerd task:
failed to create shim task: OCI runtime create failed:
container_linux.go:439: starting container process caused:
process_linux.go:608: container init caused:
rootfs_linux.go:76: setting up rootfs mounts caused:
rootfs_linux.go:1276: mounting "sysfs" to rootfs
"/run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io//rootfs"
at "sys" caused: mount through procfd: operation not permitted
```

On kernel 5.15 with shiftfs, the rootfs path is /var/lib/sysbox/shiftfs//sys — same error. On kernel 6.8 without shiftfs (chown fallback), the rootfs path is the standard containerd path shown above — same error.

What I tried (none fixed it)

Migrated k3s → RKE2 (RKE2 is officially supported by Sysbox)
Added containerd config tweaks (SystemdCgroup, privileged_without_host_devices = false)
Switched kernel 5.15 → 6.8 HWE (shiftfs no longer present, sysbox falls back to chown mode)
Pod annotation container.apparmor.security.beta.kubernetes.io/test: unconfined
systemctl stop apparmor && aa-teardown (full AppArmor disable) — error persists
Verified cri-containerd.apparmor.d is loaded but no AppArmor denied events appear in dmesg or journalctl -k during pod creation attempts

Key diagnostic: Docker works, K8s/containerd does not
On the same host with Sysbox 0.7.0 installed:
```bash
docker run --rm --runtime=sysbox-runc ubuntu:22.04 mount | grep sysboxfs
```

Output: 5 sysboxfs FUSE mounts as expected

But pods with runtimeClassName: sysbox-runc fail with the procfd error every time.
This suggests the issue is in how containerd's CRI plugin prepares the rootfs and namespace for sysbox-runc, vs. how dockerd does it.
Related

This may be related to #928 (Ubuntu 20.04 + RKE2 1.31.7) but the Ubuntu version, kernel, and K8s version are all different here.
Sysbox docs list RKE2 as officially supported, so this should work.

Happy to provide additional diagnostics. Will mirror updates here if I find a workaround.
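An added smoke-test script (written for this page, not part of the issue or of the Sysbox project) that automates the verification steps in the reproduction and the Docker-vs-containerd comparison. It assumes kubectl, crictl and docker are on PATH, that the pod manifest above is saved as sysbox-smoke.yaml, that crictl info prints the handler name as "sysbox-runc", and that 20 seconds is enough for the sandbox to fail; run it with `--run` on the affected host.

```bash
#!/usr/bin/env bash
# Added smoke test for the Sysbox-on-containerd failure described above.
# Assumptions: kubectl, crictl, docker on PATH; manifest saved as sysbox-smoke.yaml.
set -u

PROCFD_SIG='mount through procfd: operation not permitted'

# Classify pod event/status text: "procfd" for the signature in this report,
# "other" for any other sandbox-creation failure, "ok" when none is present.
classify_sandbox_error() {
  text="$1"
  if printf '%s' "$text" | grep -q "$PROCFD_SIG"; then
    echo procfd
  elif printf '%s' "$text" | grep -q 'Failed to create pod sandbox'; then
    echo other
  else
    echo ok
  fi
}

# Count sysboxfs mounts in a mount(8) listing (the report expects 5 via Docker).
count_sysboxfs_mounts() {
  printf '%s\n' "$1" | grep -c sysboxfs || true
}

run_checks() {
  kubectl get runtimeclass sysbox-runc >/dev/null || { echo "no RuntimeClass sysbox-runc"; return 1; }
  crictl info | grep -q '"sysbox-runc"' || { echo "containerd has no sysbox-runc handler"; return 1; }

  # Docker path: same sysbox-runc binary, sysboxfs FUSE mounts expected.
  docker_mounts=$(docker run --rm --runtime=sysbox-runc ubuntu:22.04 mount)
  echo "docker: $(count_sysboxfs_mounts "$docker_mounts") sysboxfs mounts"

  # containerd CRI path: apply the manifest, then read the sandbox events.
  kubectl apply -f sysbox-smoke.yaml >/dev/null
  sleep 20
  events=$(kubectl describe pod sysbox-smoke -n default)
  echo "k8s: $(classify_sandbox_error "$events")"
  kubectl delete pod sysbox-smoke -n default --wait=false >/dev/null
}

if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```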
