On CIS hardened systems lldp can't disable i40e lldp PermissionError: [Errno 1] Operation not permitted /sys/kernel/debug/i40e/XXXXXX/command #9

Closed
dparv opened this issue Aug 22, 2022 · 5 comments

dparv commented Aug 22, 2022

2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 Traceback (most recent call last):
2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 File "/var/lib/juju/agents/unit-lldpd-156/charm/hooks/config-changed", line 93, in <module>
2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 hooks.execute(sys.argv)
2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 File "/var/lib/juju/agents/unit-lldpd-156/charm/charmhelpers/core/hookenv.py", line 934, in execute
2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 self._hooks[hook_name]()
2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 File "/var/lib/juju/agents/unit-lldpd-156/charm/hooks/config-changed", line 51, in config_changed
2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 disable_i40e_lldp()
2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 File "/var/lib/juju/agents/unit-lldpd-156/charm/hooks/config-changed", line 78, in disable_i40e_lldp
2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 cmd = open('%s/%s/command' % (str(path), str(nic)), 'w')
2022-08-22 13:37:33 WARNING unit.lldpd/156.config-changed logger.go:60 PermissionError: [Errno 1] Operation not permitted: '/sys/kernel/debug/i40e/0000:b0:00.1/command'

Workaround is to disable it with ethtool, but the charm is still in an error state:

cat ifaces | xargs -I {} ethtool --set-priv-flags {} disable-fw-lldp on

dparv commented Aug 22, 2022

  • Might not be related to CIS hardening, as this has also failed on vanilla Ubuntu during MAAS commissioning with a script to disable LLDP; might need to move the code to using ethtool.

ivoks self-assigned this Sep 16, 2022

@MrClayPole

Looks like if you have Secure Boot enabled then it blocks access to debugfs, which then causes the charm to error when accessing '/sys/kernel/debug/i40e/0000:b0:00.1/command'. I believe this charm needs to be updated to use ethtool rather than using debugfs file systems.

@MrClayPole

#16

xtrusia commented Apr 8, 2024

Hello @wolsen
I'm aware that this patch is merged and there is something to clean up.
But the customer has been waiting for this patched charm to be released for a long time.
Could you please check this once more?
Thanks in advance!

wolsen commented May 22, 2024

Fix is released and available in the latest/candidate channel

wolsen closed this as completed May 22, 2024
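
A sketch of the ethtool-based approach suggested in the thread, added here as an example; it is not the charm's code or the merged fix. It assumes the Secure Boot restriction mentioned above is kernel lockdown, readable at /sys/kernel/security/lockdown; the function names and the interface name `eth0` are hypothetical.

```python
import subprocess
from pathlib import Path

LOCKDOWN = Path("/sys/kernel/security/lockdown")  # assumption: kernel exposes lockdown here
FLAG = "disable-fw-lldp"                          # flag name from the workaround in the issue

# Constructed sample of `ethtool --show-priv-flags` output, not captured from a real host.
SAMPLE_PRIV_FLAGS = """Private flags for eth0:
legacy-rx        : off
disable-fw-lldp  : off
"""

def lockdown_mode(text):
    """Return the active mode from a line such as 'none [integrity] confidentiality'."""
    for word in text.split():
        if word.startswith("[") and word.endswith("]"):
            return word[1:-1]
    return "none"

def parse_priv_flags(output):
    """Turn `ethtool --show-priv-flags` output into {flag_name: is_on}."""
    flags = {}
    for line in output.splitlines():
        name, sep, state = line.rpartition(":")
        if sep and state.strip() in ("on", "off"):   # skips the header line
            flags[name.strip()] = state.strip() == "on"
    return flags

def plan(iface, flags):
    """ethtool argv to run; [] if firmware LLDP is already off; None if the NIC lacks the flag."""
    if FLAG not in flags:
        return None
    if flags[FLAG]:
        return []
    return ["ethtool", "--set-priv-flags", iface, FLAG, "on"]

def disable_fw_lldp(iface, run=subprocess.run):
    """Query the flag, set it only when needed, and return the plan that was applied."""
    shown = run(["ethtool", "--show-priv-flags", iface],
                capture_output=True, text=True, check=True).stdout
    argv = plan(iface, parse_priv_flags(shown))
    if argv:
        run(argv, check=True)
    return argv

if __name__ == "__main__":
    mode = lockdown_mode(LOCKDOWN.read_text()) if LOCKDOWN.exists() else "none"
    print("kernel lockdown:", mode, "(debugfs writes are refused unless this is 'none')")
    print(plan("eth0", parse_priv_flags(SAMPLE_PRIV_FLAGS)))
```

Because the flag is queried first, a NIC without `disable-fw-lldp` yields `None` instead of a failed hook, and an already-disabled port is left untouched.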