
Docs: Container/Image requires root #3380

Open
Reris opened this issue Oct 10, 2023 · 2 comments
Labels
a:docs Issue relates to documentation

Comments


Reris commented Oct 10, 2023

Please describe your use case / problem.
As I was trying to get telepresence to run, it just didn't work. It always failed with a CrashLoopBackOff.
After some frustrating days of trying (yeah, I'm a mediocre k8s user), it turned out to be a simple permissions problem:
error failed to clear chain TEL_INBOUND_TCP: running [/sbin/iptables -t nat -N TEL_INBOUND_TCP --wait]: exit status 4: Fatal: can't open lock file /run/xtables.lock: Permission denied

I was too restrictive with the user permissions and configured my helm deployment to run as just a common www-data (33) user.

Describe the solution you'd like
Just a little sentence in the Telepresence Quickstart docs that describes this requirement in 'Intercept Your Service'. Something like:
'The -container must be configured with root access for Telepresence to intercept traffic.'

Describe alternatives you've considered
An alternative would be telepresence without permission requirements :)

@knlambert
Contributor

knlambert commented Oct 10, 2023

Hello @Reris, thank you for your feedback.

One good thing to know, though, is that this root access is only required if the service you intercept is using a numeric targetPort:

https://www.getambassador.io/docs/telepresence/latest/troubleshooting#injected-init-container-doesnt-function-properly

So I think you want to fix that by doing one of the following:

  • Using the port name for targetPort.
  • Adding a NET_ADMIN capability to your pod :)

Let me know if that's related so I can eventually see how to add that to the quickstart :)
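The two fixes suggested in the comment above, written out as Kubernetes manifests. This is an added example, not code from the Telepresence project or from either participant; the Service and Deployment names, labels, image and port numbers are assumed, and the exact container on which the capability belongs should be confirmed against the troubleshooting page linked above.

```yaml
# Added example (not from the Telepresence project). All names, labels,
# the image and the port numbers below are assumed.

# Option 1: point the Service at the container port by *name* rather than
# by number. According to the comment above, the intercept then works
# without root access, so the pod can keep its restrictive user settings.
apiVersion: v1
kind: Service
metadata:
  name: example-svc            # assumed name
spec:
  selector:
    app: example
  ports:
    - port: 80
      targetPort: http         # named port, declared on the container below
      # targetPort: 8080       # numeric form: the case that needs root/NET_ADMIN
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example                # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
    spec:
      securityContext:
        runAsUser: 33          # www-data, the user from the issue report
        runAsNonRoot: true
      containers:
        - name: app
          image: example/app:1.0   # placeholder image
          ports:
            - name: http           # the name referenced by targetPort above
              containerPort: 8080
---
# Option 2: keep a numeric targetPort and instead grant NET_ADMIN, the
# capability the commenter suggests, rather than running the pod as root.
# Only the container that has to manage iptables should receive it; the
# troubleshooting link above says which one that is for Telepresence.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-numeric-port   # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-numeric
  template:
    metadata:
      labels:
        app: example-numeric
    spec:
      containers:
        - name: app
          image: example/app:1.0   # placeholder image
          ports:
            - containerPort: 8080
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]   # scoped capability instead of full root
```

Of the two, the named port is the smaller change from a hardening standpoint because it adds no privilege at all; NET_ADMIN is still a broad capability (it allows changing the pod's network configuration), so when it is used it should be added only to the container that needs it and left out of every other container in the pod.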

@Reris
Author

Reris commented Oct 10, 2023

Thanks for your suggestions. This could be a good href in the QuickStart. My suggestion is just to prevent some stumbling blocks right at the beginning.

I'm using telepresence in a simple, local k3d environment where I try to imitate the production environment. Using a named targetPort won't work with Headless services, so this goes too far. NET_ADMIN is good advice. But I already had a helm chart with settable UIDs. It could be helpful in debugging as well, while NET_ADMIN sounds more like a better match for a production environment. Learned a lot! :)

@cindymullins-dw cindymullins-dw added the a:docs Issue relates to documentation label Oct 16, 2023