chroot can not read from /dev/urandom #9549
This issue is currently awaiting triage. If Ingress contributors determine this is a relevant issue, they will accept it by applying the
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@schoentoon Could you check how the filesystems are mounted on the container? If it is mounted with the
It looks like / is, but /dev isn't. Not sure whether that matters or not.
$ kubectl exec -it --namespace ingress-nginx ingress-nginx-controller-598fcf4865-9bnks -- /bin/sh
/chroot/etc/nginx $ mount
overlay on / type overlay (rw,nodev,relatime,seclabel,lowerdir=/var/lib/containers/storage/overlay/l/H66SR4LHSWGRWJHJ5GYUT37B5L:/var/lib/containers/storage/overlay/l/J4AA262VH4LRDGBZOULIGKXQSB:/var/lib/containers/storage/overlay/l/DYQ3P6K7OWCGFLX62WPH4UVG7Z:/var/lib/containers/storage/overlay/l/YCM7KTR6RLZLKITYVXYYDEVUUI:/var/lib/containers/storage/overlay/l/4E3CUFTIHKEBCGFO2CYSRS7ZJT:/var/lib/containers/storage/overlay/l/FVIVWB7OI525NAF6WA2QAXDXTQ:/var/lib/containers/storage/overlay/l/7NMUXOIFZQHROTGP3ZGAODCWIN:/var/lib/containers/storage/overlay/l/DCY6VIAHMZA3HVGXKMT3GOEHPL:/var/lib/containers/storage/overlay/l/NMZHSQOG3TTBWQ7LE4PPFLCIDD:/var/lib/containers/storage/overlay/l/XRQ7MBGRTVUDGV4ZLLFNN54CQF:/var/lib/containers/storage/overlay/l/SNB5TSC2VMFCG5I2RQ5P6AYOVZ:/var/lib/containers/storage/overlay/l/OP5AT6VAXU6TPHKPVB45QAWAQ2:/var/lib/containers/storage/overlay/l/34IDGNNUAIN25QDDEOFFI7BQPM,upperdir=/var/lib/containers/storage/overlay/f41713e7727fc9d9933adae5a73785a316e19ee960a4fc8c8002ce5d59c267c8/diff,workdir=/var/lib/containers/storage/overlay/f41713e7727fc9d9933adae5a73785a316e19ee960a4fc8c8002ce5d59c267c8/work,metacopy=on,volatile)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,seclabel,size=65536k,mode=755,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=666)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
cgroup on /sys/fs/cgroup type cgroup2 (ro,nosuid,nodev,noexec,relatime,seclabel)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k,inode64)
tmpfs on /etc/resolv.conf type tmpfs (rw,nosuid,nodev,noexec,seclabel,size=802260k,nr_inodes=819200,mode=755,inode64)
tmpfs on /etc/hostname type tmpfs (rw,nosuid,nodev,seclabel,size=802260k,nr_inodes=819200,mode=755,inode64)
tmpfs on /run/.containerenv type tmpfs (rw,nosuid,nodev,seclabel,size=802260k,nr_inodes=819200,mode=755,inode64)
/dev/vda4 on /etc/hosts type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/vda4 on /dev/termination-log type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
tmpfs on /run/secrets type tmpfs (rw,nosuid,nodev,seclabel,size=802260k,nr_inodes=819200,mode=755,inode64)
tmpfs on /usr/local/certificates type tmpfs (ro,relatime,seclabel,size=3384612k,inode64)
tmpfs on /run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime,seclabel,size=3384612k,inode64)
proc on /proc/asound type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/fs type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/irq type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime,seclabel,inode64)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,seclabel,size=65536k,mode=755,inode64)
tmpfs on /proc/keys type tmpfs (rw,nosuid,seclabel,size=65536k,mode=755,inode64)
tmpfs on /proc/latency_stats type tmpfs (rw,nosuid,seclabel,size=65536k,mode=755,inode64)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,seclabel,size=65536k,mode=755,inode64)
tmpfs on /proc/scsi type tmpfs (ro,relatime,seclabel,inode64)
tmpfs on /sys/firmware type tmpfs (ro,relatime,seclabel,inode64)
/chroot/etc/nginx $
/assign
What's the version of CRI-O?
I'm not root inside the container though. As for your questions, here you go.
/chroot/etc/nginx $ id
uid=101(www-data) gid=82(www-data) groups=82(www-data)
/chroot/etc/nginx $ cd /dev/
/dev $ ls -la | grep rand
crw-rw-rw- 1 root root 1, 8 Feb 1 08:18 random
crw-rw-rw- 1 root root 1, 9 Feb 1 08:18 urandom
/dev $ cd /chroot/dev/
/chroot/dev $ ls -la | grep rand
crw-rw-rw- 1 root root 1, 8 Nov 8 22:47 random
crw-rw-rw- 1 root root 1, 9 Nov 8 22:47 urandom
/chroot/dev $ cat /dev/urandom | head
<snip gibberish>
/chroot/dev $ cat /chroot/dev/urandom | head
cat: can't open '/chroot/dev/urandom': Permission denied
/chroot/dev $
It does seem a bit weird to me that the creation dates of the devices in /chroot/dev are so far in the past though; I thought those are supposed to be created by the init container? cri-o version is 1.24.1
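The two sessions above (the mount listing and the `cat` that fails with "Permission denied") can be checked against each other mechanically. The following Python script is an added example, not code from the issue or from the ingress-nginx project: it parses `mount`-style lines (a constructed subset of the listing posted above), finds the mount that backs a given path by longest mount-point prefix, and reports whether that mount carries `nodev`. On Linux, open(2) on a character device that lives on a `nodev` mount fails with EACCES ("Permission denied") regardless of the node's `crw-rw-rw-` mode bits, which is consistent with `/dev/urandom` (tmpfs on /dev, no `nodev`) working while `/chroot/dev/urandom` (overlay on /, mounted `nodev`) fails. The function names and the sample listing are the example's own; a production check would read /proc/self/mountinfo instead of `mount` output.

```python
"""Explain a 'Permission denied' on a device node from a `mount` listing.

For a given path, find the mount that backs it (deepest matching mount
point) and report whether that mount was mounted with `nodev`.
"""
import re

# Constructed sample: a subset of the `mount` output posted in the issue.
# The overlay on / carries nodev, the tmpfs on /dev does not.
SAMPLE_MOUNT_OUTPUT = """\
overlay on / type overlay (rw,nodev,relatime,seclabel,lowerdir=/l/a:/l/b,upperdir=/u/diff,workdir=/u/work)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,seclabel,size=65536k,mode=755,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=666)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k,inode64)
"""

# One line of `mount` output: "<source> on <mountpoint> type <fstype> (<opts>)"
_MOUNT_LINE = re.compile(
    r"^(?P<src>\S+) on (?P<mp>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$"
)


def parse_mounts(text):
    """Return [(mount_point, fstype, set_of_options)] for every mount line."""
    mounts = []
    for line in text.splitlines():
        m = _MOUNT_LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a mount line
        opts = set(m.group("opts").split(","))
        mounts.append((m.group("mp"), m.group("fstype"), opts))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the deepest mount point that contains `path`.

    Returns (mount_point, fstype, opts) or None when nothing matches.
    """
    best = None
    for mp, fstype, opts in mounts:
        prefix = mp.rstrip("/") + "/"  # "/" stays "/", "/dev" becomes "/dev/"
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, opts)
    return best


def device_node_check(path, mounts):
    """Describe whether mount options allow opening a device node at `path`.

    `nodev` on the backing mount makes open(2) on a char/block device fail
    with EACCES even when the node's permission bits would allow access.
    """
    backing = mount_for(path, mounts)
    if backing is None:
        raise ValueError(f"no mount backs {path!r}")
    mp, fstype, opts = backing
    blocked = "nodev" in opts
    return {
        "path": path,
        "mount_point": mp,
        "fstype": fstype,
        "nodev": blocked,
        "verdict": "open() would fail with EACCES (nodev)" if blocked
                   else "device nodes usable on this mount",
    }


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNT_OUTPUT)
    for p in ("/dev/urandom", "/chroot/dev/urandom"):
        r = device_node_check(p, table)
        print(f"{r['path']}: on {r['mount_point']} ({r['fstype']}) -> {r['verdict']}")
```

Run inside the container as `mount | python3 thisfile.py` after changing the `__main__` block to read `sys.stdin` instead of the sample, and it will name the mount responsible for each device node; the same longest-prefix logic applies to any path under a chroot directory that sits on the container's root overlay.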
@schoentoon do you know where/how/why that seed is getting used in lua_ingress.lua?
I have no idea about that, I just run the controller as shown in the deploy folder of this repository. The only modifications I made to it were for the chroot.
This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach
The project has decided to deprecate the chrooted image as the final goal to increase security of the controller is getting implemented in the regular image. The project also needs to focus on minimizing the support/maintenance of features that are not directly implied by the Ingress-API or rather closely tied to the Ingress-API specs, because there is a lack of resources like developer time. Parallel efforts are in progress to implement the Gateway-API. Since this issue is adding to the tally of open issues without any action item, I will close this issue now. /close
@longwuyuan: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
This is basically #8680 but unlike what we thought at the time, it doesn't seem fixed on newer kernel/Fedora CoreOS/cri-o.
What happened:
When starting the controller it errors with the following.
What you expected to happen:
I expected the controller to start without errors.
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
NGINX Ingress controller
Release: v1.5.1
Build: d003aae
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.21.6
Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.7", GitCommit:"132a687512d7fb058d0f5890f07d4121b3f0a2e2", GitTreeState:"clean", BuildDate:"2021-05-12T12:40:09Z", GoVersion:"go1.15.12", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.1", GitCommit:"86ec240af8cbd1b60bcc4c03c20da9b98005b92e", GitTreeState:"clean", BuildDate:"2021-12-16T11:34:54Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"linux/amd64"}
Environment:
Kernel (e.g. uname -a): Linux node1 6.0.18-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jan 7 17:10:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Install tools:
I installed this cluster using kubespray 2.18 to be more precise
Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
Basic cluster related info:
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
node1 Ready control-plane,master 9d v1.23.1 192.168.122.82 Fedora CoreOS 37.20230110.3.1 6.0.18-300.fc37.x86_64 cri-o://1.24.1
node2 Ready control-plane,master 9d v1.23.1 192.168.122.176 Fedora CoreOS 37.20230110.3.1 6.0.18-300.fc37.x86_64 cri-o://1.24.1
node3 Ready 9d v1.23.1 192.168.122.110 Fedora CoreOS 37.20230110.3.1 6.0.18-300.fc37.x86_64 cri-o://1.24.1
How was the ingress-nginx-controller installed:
I took https://github.com/kubernetes/ingress-nginx/blob/release-1.5/deploy/static/provider/baremetal/deploy.yaml and made the modifications needed for chroot. So change the image and add SYS_CHROOT capability. Then just applied this using
kubectl apply -f ingress-nginx.yml
Current State of the controller:
kubectl describe ingressclasses
kubectl -n <ingresscontrollernamespace> get all -A -o wide
kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
Current state of ingress object, if applicable:
This is just a testing cluster, so not applicable.
kubectl -n <appnamespace> get all,ing -o wide
kubectl -n <appnamespace> describe ing <ingressname>
Others:
kubectl describe ...
of any custom configmap(s) created and in use
How to reproduce this issue:
Anything else we need to know: