Welcome to the Linux Foundation Forum!

Lab 4.1, exec'ing into etcd container fails due to lack of shell

josefassad
josefassad Posts: 9
edited December 2025 in LFS258 Class Forum

Way at the top of the lab, there's this:
student@cp:˜$ kubectl -n kube-system exec -it etcd-<Tab> -- sh
On my end, I'm getting this complaint back:

username@control-plane:~$ kubectl exec -it --namespace kube-system etcd-cp -- sh 
error: Internal error occurred: Internal error occurred: error executing command in container: failed to exec in container: failed to start exec "<REDACTED_ID>": OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH

Of course there's no such error if I try to call -- etcdctl instead of -- sh. I figure at some point that container went toolless? Is that right?

Answers

  • ucd4evr
    ucd4evr Posts: 1

    Did you try /bin/sh ?

  • josefassad
    josefassad Posts: 9

    Yes. Same error. I'll note though, I'm upgrading 1.34.2 to 1.34.3. So a bit newer than the versions specified in the lab.

    I also checked for other ultra-common tools such as ls, even echo * gives the same error.

    I mean I've worked around it, I'm just wondering if it's PEBKAC or if it's the course materials.

  • chrispokorni
    chrispokorni Posts: 2,605

    Hi @josefassad,

    I just verified on both Kubernetes v1.33.1 (etcd 3.5.21) and v1.34.1 (etcd 3.6.4) the command behaves as presented in the lab guide.
    -- sh allowed me to execute pwd, cd, and even echo * inside the etcd container of the etcd-cp pod.
    -- sh -c 'echo *' also worked.
    -- sh -c 'etcdctl' and -- etcdctl also worked.

    I recommend checking the official etcd.io site for any known issues or bugs and suggested workarounds or fixes.

    Regards,
    -Chris

  • josefassad
    josefassad Posts: 9

    Hi Chris,

    Thanks for checking! What an odd thing.

    At any rate I have an effective workaround so I'm not too bothered. I appreciate the time you took to try to reproduce.

  • josefassad
    josefassad Posts: 9
    edited December 2025

    Hang on, let me be a bit more persistent. Looking at the etcd source I see from the Dockerfile the image is built on Distroless and contains little else than etcd, etcdctl, and etcdutl.

    On the one hand that explains why I can only run those in a kubectl exec. On the other hand, now I'm wondering why @chrispokorni 's image has more things in it.

    I'm still thinking PEBKAC but I'm intrigued.

  • chriswood123
    chriswood123 Posts: 2

    I have the same issue.

    @josefassad what did you do as a workaround? I'm thinking of creating an etcdctl deployment for running these commands, or maybe just installing it directly on the control plane host.

  • josefassad
    josefassad Posts: 9

    @chriswood123 my workaround is a lot simpler, I just call etcdctl directly. So if the lab says something like

    kubectl -n kube-system exec -it etcd-cp -- sh \
-c "ETCDCTL_API=3 \
ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt \ 
ETCDCTL_CERT=/etc/kubernetes/pki/etcd/server.crt \ 
ETCDCTL_KEY=/etc/kubernetes/pki/etcd/server.key \
etcdctl endpoint health"

    I'm calling

    kubectl exec -ti -n kube-system etcd-cp -- etcdctl \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key \
endpoint health

    I figured this out when I looked at the current etcd image's Dockerfile. They're using distroless and copying the etcd binaries over. So I just configured the etcdctl invocation using flags instead of environment variables.

    Hope this works for you!

  • chrispokorni
    chrispokorni Posts: 2,605

    Hi @josefassad and @chriswood123,

    Would you mind providing the etcd version that you are reporting about? This would help the course maintainer determine if these are isolated incidents or perhaps more generic across multiple etcd releases, requiring a permanent solution within the lab exercises.

    You can find the version with either one of the two commands below:

    kubectl -n kube-system exec etcd-cp -- etcdctl version
kubectl -n kube-system describe pod etcd-cp | grep Image:

    As I posted earlier, when I tried to reproduce the issue, all commands worked as presented in the lab guide. I attempted to reproduce the issue on two Kubernetes releases: v1.33.1 (etcd 3.5.21) and v1.34.1 (etcd 3.6.4).

    Regards,
    -Chris

  • josefassad
    josefassad Posts: 9
    edited December 2025

    Hi @chrispokorni . You bet. I'll actually grab version strings from kubeadm too since that's the fella that got me this version of etcd.

    josef@control-plane:~/tmp/echo-server$ kubectl exec -n kube-system etcd-cp -- etcdctl version | cowsay
 _________________________________________
< etcdctl version: 3.6.5 API version: 3.6 >
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
josef@control-plane:~/tmp/echo-server$ kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"34", EmulationMajor:"", EmulationMinor:"", MinCompatibilityMajor:"", MinCompatibilityMinor:"", GitVersion:"v1.34.3", GitCommit:"df11db1c0f08fab3c0baee1e5ce6efbf816af7f1", GitTreeState:"clean", BuildDate:"2025-12-09T15:05:15Z", GoVersion:"go1.24.11", Compiler:"gc", Platform:"linux/amd64"}

    So digging around a bit, here's what I think is going on. I was naughty and used k8s 1.34 when in fact Lab 3.1 said to use 1.33. Looking at the k8s changelog for 1.34, I note the following:

    Updated etcd version to v3.6.0. (#131501, @joshjms) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]

    Looking at the corresponding etcd changelog, you can see they went distroless (Dockerfile for reference). A whole four years ago!

    It's distroless, so there's no busybox or any other kind of userland in there. Hence no bash or sh. So as far as hypotheses go, this one is only punctured by one fact: that you tested against a 1.34 line and found a shell in the etcd container.

  • chrispokorni
    chrispokorni Posts: 2,605

    Hi @josefassad,

    Thank you for the detailed output. When etcd went distroless I remember we experienced similar issues, but eventually some CLI tools/utilities have been added back into the image and the expected behaviors resumed (for the purpose of our lab exercises). Therefore -- sh -c 'some-command' worked without any issues.

    I will monitor github for reported etcd issues to determine if this is temporary or a permanent reduction of the image footprint. Until we know more, the workaround you recommended above can be successfully used for Lab exercise 4.1 and can be tailored for other scenarios as well.

    Regards,
    -Chris

  • chriswood123
    chriswood123 Posts: 2

    @josefassad ah yes, don't know why I didn't think to look at the flags before going down the road of a separate pod! I can confirm that the flags work for me too.

    I did try and create an etcdctl cli static pod on my control plane node with the /var/lib/etcd and /etc/kubernetes/pki/etcd hostPath volumes, but the volumes didn't mount (and without any errors I could see). Seems like the mount for the original etcd container has some kind of exclusivity flag:

            {
          "destination": "/var/lib/etcd",
          "options": [
            "rbind",
            "rprivate",
            "rw"
          ],
          "source": "/var/lib/etcd",
          "type": "bind"
        },

    @chrispokorni

    $ kubectl exec -ti -n kube-system etcd-k8s-control-1 -- etcdctl version
etcdctl version: 3.5.24
API version: 3.5

$ sudo kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"33", EmulationMajor:"", EmulationMinor:"", MinCompatibilityMajor:"", MinCompatibilityMinor:"", GitVersion:"v1.33.6", GitCommit:"1e09fec02ac194c1044224e45e60d249e98cd092", GitTreeState:"clean", BuildDate:"2025-11-11T19:13:44Z", GoVersion:"go1.24.9", Compiler:"gc", Platform:"linux/amd64"}

$ kubectl version
Client Version: v1.32.3
Kustomize Version: v5.5.0
Server Version: v1.33.6

    Note that I didn't follow the lab instructions on setting up a cluster as I already had one running in much the same way, but using Debian 12 on qemu VMs.

  • chrispokorni
    chrispokorni Posts: 2,605

    Hi @chriswood123 @josefassad,

    I took a deeper dive into the etcd image inconsistencies, and I uncovered the following (so far):

    KUBERNETES      ETCD
RELEASE         IMAGE       sh SUPPORT
-----------------------------------------------
1.33.1          3.5.21          YES
1.33.2          3.5.21          YES
1.33.3          3.5.21          YES
1.33.4          3.5.21          YES
1.33.5          3.5.21          YES
1.33.6          3.5.24          NO
1.33.7          3.5.24          NO
1.34.1          3.6.4           YES
1.34.2          3.6.5           NO
1.34.3          3.6.5           NO

    This helps us to plan ahead for possible changes to the lab guide to account for missing sh shell.

    For the time being, the .1 Kubernetes patch releases support the instructions as they are presented in the lab guide where etcdctl tool runs in the container's shell:

    kubectl -n kube-system exec -it etcd-cp -- sh -c \
  "ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt \
  ETCDCTL_CERT=/etc/kubernetes/pki/etcd/server.crt \
  ETCDCTL_KEY=/etc/kubernetes/pki/etcd/server.key \
  etcdctl endpoint health"

    However, if deviating from the lab guide by installing patch releases with etcd images missing sh shell support, the instructions need to be adapted to call etcdctl directly:

    kubectl -n kube-system exec etcd-cp -- \
  etcdctl endpoint health \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key

    Regards,
    -Chris

  • josefassad
    josefassad Posts: 9

    @chrispokorni I just checked in a v1.34.1 minikube and that tracks; I also see a sh.

    It's still a bit odd, but for reasons that I don't think affect the course materials. So I'll let it rest.

  • jooiongen
    jooiongen Posts: 4

    I just want to add a "This affects me too" here. My deviation from the labguide is running kubeadm 1.33.7 and so on, pluss using Debian Trixie as distro.

    kubectl -n kube-system exec etcd-k8smn01 -- /usr/local/bin/etcd --version
    etcd Version: 3.5.24
    Git SHA: e72f3c2
    Go Version: go1.24.9
    Go OS/Arch: linux/amd64

  • chrispokorni
    chrispokorni Posts: 2,605
    edited December 2025

    Hi @jooiongen,

    Thank you for confirming that deviating from the lab guide recommended versioning schema produces the unexpected (yet known) issue on this lab exercise :wink:

    Regards,
    -Chris

  • stralex
    stralex Posts: 3

    Thanks! I initially thought that this is a thing with arm64 image. But even googling took me here.

Categories

Upcoming Training