- Bug
- Resolution: Unresolved
- Normal
- 4.18.0
- None
- None
- 5
- True
Description of problem:
When embedding container images during bootc build procedure (Physically Bound Image or PBI), the router pod somehow "loses" the cap_net_bind_service capability, which prevents haproxy from binding to ports 80/443.
Version-Release number of selected component (if applicable):
MicroShift version agnostic, bootc-specific
How reproducible:
100%
Steps to Reproduce:
Build a bootc container image with embedded PBIs and boot a VM using this image. The relevant part of the Containerfile (gomplate template):

# SOURCE_IMAGES contains a comma-separated list of container image references.
# Split the variable and pull each image in a separate layer.
# {{ range (.Env.SOURCE_IMAGES | strings.Split ",") }}
RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
    podman pull \
    --authfile /run/secrets/pull-secret.json \
    --root=/var/lib/containers/storage-preloaded \
    "{{ . }}"
# {{ end }}

# Edit the container storage configuration file
RUN sed -i '/^additionalimagestores.*/a\ "/var/lib/containers/storage-preloaded",' /etc/containers/storage.conf
Actual results:
haproxy fails with errors in the router pod:

I0916 06:09:16.832964 1 router.go:537] "msg"="calling reload function" "fn"=0 "logger"="template"
E0916 06:09:16.833057 1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
I0916 06:09:16.833156 1 router.go:541] "msg"="reloading the router" "logger"="template"
E0916 06:09:16.869028 1 limiter.go:165] error reloading router: exit status 1
[NOTICE] (9) : haproxy version is 2.8.10-f28885f
[NOTICE] (9) : path to executable is /usr/sbin/haproxy
[ALERT] (9) : Binding [/var/lib/haproxy/conf/haproxy.config:63] for frontend public: cannot bind socket (Permission denied) for [0.0.0.0:80]
[ALERT] (9) : Binding [/var/lib/haproxy/conf/haproxy.config:98] for frontend public_ssl: cannot bind socket (Permission denied) for [0.0.0.0:443]
[ALERT] (9) : [/usr/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
I0916 06:09:17.471312 1 healthz.go:255] backend-http check failed: healthz [-]backend-http failed: backend reported failure
Expected results:
The router pod should start normally
Additional info:
Working configuration:

$ oc debug -n openshift-ingress router-default-6d6b65d69c-6v2xp
Starting pod/router-default-6d6b65d69c-6v2xp-debug-wkmx9 ...
Pod IP: 10.42.0.12
If you don't see a command prompt, try pressing enter.
sh-5.1$ getcap /usr/sbin/haproxy
/usr/sbin/haproxy cap_net_bind_service=ep
Bootc with embedded container images:

$ oc debug -n openshift-ingress router-default-7645cf4959-l8cv7
Starting pod/router-default-7645cf4959-l8cv7-debug-fp2c4 ...
Pod IP: 10.42.0.12
If you don't see a command prompt, try pressing enter.
sh-5.1$ getcap /usr/sbin/haproxy
sh-5.1$
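The two getcap sessions above are the whole diagnostic: the binary in the preloaded store has lost its security.capability xattr. The following is an added example, not part of the bug report or of MicroShift, that turns that check into a script. cap_state parses getcap output (both the `cap=ep` and the older `= cap+ep` styles) and check_image_cap applies it to an image in an additional store; the podman/getcap helper, the storage root default and the sample lines are assumptions taken from the report above.

```shell
#!/bin/sh
# Added example, not part of the bug report: decide from `getcap` output whether a binary
# still carries a given file capability, and apply that to an image in an additional store.

# cap_state LINE CAP: prints "present" (exit 0) if CAP is in the effective set of LINE,
# "absent" (exit 1) otherwise. Handles both getcap text styles:
#   libcap >= 2.41:  /usr/sbin/haproxy cap_net_bind_service=ep
#   older libcap:    /usr/sbin/haproxy = cap_net_bind_service+ep
# An empty LINE is what getcap prints when the security.capability xattr is missing.
cap_state() {
  line=$1; cap=$2
  clauses=$(printf '%s' "$line" | sed -E 's/^[^ ]+ (= )?//')
  for clause in $clauses; do
    names=$(printf '%s' "$clause" | sed -E 's/[=+-].*$//')
    op=$(printf '%s' "$clause" | sed -E 's/^[^=+-]*([=+-]).*$/\1/')
    flags=$(printf '%s' "$clause" | sed -E 's/^[^=+-]*[=+-]//')
    [ "$op" = '-' ] && continue          # a '-' clause drops flags, never grants them
    case ",$names," in
      *",$cap,"*) case $flags in *e*) echo present; return 0;; esac;;
    esac
  done
  echo absent; return 1
}

# check_image_cap IMAGE BINARY CAP [ROOT]: mount IMAGE from the given storage root
# (defaults to the preloaded store used in the report) and inspect BINARY inside it.
# Assumes podman and getcap are installed and that this runs as root (rootless
# podman would need `podman unshare`). Hypothetical helper, not a MicroShift tool.
check_image_cap() {
  img=$1; bin=$2; cap=$3; root=${4:-/var/lib/containers/storage-preloaded}
  mnt=$(podman --root "$root" image mount "$img") || return 2
  line=$(getcap "$mnt$bin" 2>/dev/null)
  podman --root "$root" image unmount "$img" >/dev/null
  cap_state "$line" "$cap"
}

# Constructed getcap lines mirroring the working and broken router pods above.
WORKING_LINE='/usr/sbin/haproxy cap_net_bind_service=ep'
BROKEN_LINE=''
for l in "$WORKING_LINE" "$BROKEN_LINE"; do
  printf 'cap_net_bind_service: %s\n' "$(cap_state "$l" cap_net_bind_service)"
done
```

Run check_image_cap against the router image in the preloaded store after the bootc build to catch the missing capability before the VM boots.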
- blocks: USHIFT-4336 Support for container image embedding technique (isolated installs) (Closed)
- is caused by: OCPBUGS-42147 haproxy binary capabilities in bootc images (Closed)
- links to