OpenShift Bugs / OCPBUGS-42010

Router pod is missing cap_net_bind_service capability when included as PBI to bootc image

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • 4.18.0
    • 4.18.0
    • MicroShift
    • None

      Description of problem:

      When container images are embedded during the bootc build procedure (Physically Bound Image or PBI), the haproxy binary in the router pod loses its cap_net_bind_service file capability (the security.capability xattr on /usr/sbin/haproxy), which prevents haproxy from binding to ports 80/443.

      Version-Release number of selected component (if applicable):

      MicroShift version agnostic, bootc-specific

      How reproducible:

      100%

      Steps to Reproduce:

      Build a bootc container image with embedded PBIs and boot a VM using this image.

      # SOURCE_IMAGES contains a comma-separated list of container image references.
      # Split the variable and pull each image in a separate layer.
      # {{ range (.Env.SOURCE_IMAGES | strings.Split ",") }}
      RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
          podman pull \
             --authfile /run/secrets/pull-secret.json \
             --root=/var/lib/containers/storage-preloaded \
          "{{ . }}"
      # {{ end }}

      # Edit the container storage configuration file
      RUN sed -i '/^additionalimagestores.*/a\   "/var/lib/containers/storage-preloaded",' /etc/containers/storage.conf

      Actual results:

      haproxy fails with errors in the router pod:

      I0916 06:09:16.832964       1 router.go:537] "msg"="calling reload function" "fn"=0 "logger"="template"
      E0916 06:09:16.833057       1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
      I0916 06:09:16.833156       1 router.go:541] "msg"="reloading the router" "logger"="template"
      E0916 06:09:16.869028       1 limiter.go:165] error reloading router: exit status 1
      [NOTICE]   (9) : haproxy version is 2.8.10-f28885f
      [NOTICE]   (9) : path to executable is /usr/sbin/haproxy
      [ALERT]    (9) : Binding [/var/lib/haproxy/conf/haproxy.config:63] for frontend public: cannot bind socket (Permission denied) for [0.0.0.0:80]
      [ALERT]    (9) : Binding [/var/lib/haproxy/conf/haproxy.config:98] for frontend public_ssl: cannot bind socket (Permission denied) for [0.0.0.0:443]
      [ALERT]    (9) : [/usr/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
      I0916 06:09:17.471312       1 healthz.go:255] backend-http check failed: healthz
      [-]backend-http failed: backend reported failure

      Expected results:

      The router pod should start normally.

      Additional info:

      Working configuration (standard image store):

      $ oc debug -n openshift-ingress router-default-6d6b65d69c-6v2xp
      Starting pod/router-default-6d6b65d69c-6v2xp-debug-wkmx9 ...
      Pod IP: 10.42.0.12
      If you don't see a command prompt, try pressing enter.
      sh-5.1$ getcap /usr/sbin/haproxy
      /usr/sbin/haproxy cap_net_bind_service=ep

      Bootc with embedded container images (the capability is gone):

      $ oc debug -n openshift-ingress router-default-7645cf4959-l8cv7
      Starting pod/router-default-7645cf4959-l8cv7-debug-fp2c4 ...
      Pod IP: 10.42.0.12
      If you don't see a command prompt, try pressing enter.
      sh-5.1$ getcap /usr/sbin/haproxy
      sh-5.1$

            Unassigned
            Gregory Giguashvili (ggiguash@redhat.com)
            John George