
Docs: Container/Image requires root #3380

Closed
Reris opened this issue Oct 10, 2023 · 3 comments
Labels
stale Issue is stale and will be closed

Comments


Reris commented Oct 10, 2023

Please describe your use case / problem.
As I was trying to get telepresence to run, it just didn't work. It was always failing with a CrashLoopBackOff.
After some frustrating days of trying (yeah, I'm a mediocre k8s user) it turned out to be a simple permissions problem:
error failed to clear chain TEL_INBOUND_TCP: running [/sbin/iptables -t nat -N TEL_INBOUND_TCP --wait]: exit status 4: Fatal: can't open lock file /run/xtables.lock: Permission denied

I was too restrictive with the user permissions and configured my helm deployment to be just a common www-data(33) user.

Describe the solution you'd like
Just a little sentence in the Telepresence Quickstart docs that describes this requirement in 'Intercept Your Service'. Something like:
'The container must be configured with root access for Telepresence to intercept traffic.'

Describe alternatives you've considered
Alternative would be telepresence without permission requirements :)

knlambert (Contributor) commented Oct 10, 2023

Hello @Reris, thank you for your feedback.

One good thing to know though is that this root access is only required if the service you intercept is using a numeric targetPort:

https://www.getambassador.io/docs/telepresence/latest/troubleshooting#injected-init-container-doesnt-function-properly

So I think you want to fix that by doing one of the following:

  • Using the port name for targetPort.
  • Adding a NET_ADMIN capability to your pod :)

Let me know if that's related so I can eventually see how to add that to the quickstart :)
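The two fixes listed in this comment, expressed as Kubernetes manifests. This is an added illustration, not code from the issue or from the Telepresence project; the resource names, image and the port name `http` are constructed, and the capability is shown on the application container for illustration only (how the injected Telepresence init container receives its securityContext is not covered in this thread).

```yaml
# Added illustration; names, image and port name are constructed placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  replicas: 1
  selector:
    matchLabels: {app: demo-app}
  template:
    metadata:
      labels: {app: demo-app}
    spec:
      containers:
        - name: app
          image: registry.example/demo-app:1.0   # placeholder image
          ports:
            - name: http            # a named port lets the Service refer to it by name
              containerPort: 8080
          securityContext:
            # Option 2 from the comment: grant only the capability iptables needs
            # instead of running the whole container as UID 0.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              add: ["NET_ADMIN"]
---
apiVersion: v1
kind: Service
metadata:
  name: demo-app
spec:
  selector: {app: demo-app}
  ports:
    - port: 80
      # Option 1 from the comment: a named targetPort. The numeric form
      # (targetPort: 8080) is the case the comment says requires root access.
      targetPort: http
```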

Reris (Author) commented Oct 10, 2023

Thanks for your suggestions. This could be a good href in the QuickStart. My suggestion is just to prevent some stumbling blocks right at the beginning.

I'm using telepresence in a simple, local k3d environment where I try to imitate the production environment. Using a named targetPort won't work with Headless services, so this goes too far. NET_ADMIN is good advice. But I've already had a helm chart with settable UIDs. Could be helpful in debugging as well, while NET_ADMIN sounds more like a better match for a production environment. Learned a lot! :)

@thallgren added the label "stale" (Issue is stale and will be closed) and removed the label "a:docs" on Aug 13, 2024

This issue was closed because it has been stalled for 7 days with no activity.

@github-actions bot closed this as not planned (Won't fix, can't repro, duplicate, stale) on Aug 25, 2024