-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add warning log when host enable SELinux #15414
Conversation
Commits 98871ec, 146da2a do not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
Please wait for a hours, I will try to fix. it |
b36cbcc
to
998776e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the submission. I'm not sure if this is quite the right fix, for a couple of reasons:
- This error message will get printed in addition to the other log message. It would be more consistent to add this condition at the same place where the "BPF host reachable services for UDP needs kernel..." message is printed, maybe by doing the check via
errors.Is(err, unix.EPERM)
at that location rather than doing the directerrno
check at this point. - The permission denied error could occur for reasons other than that SELinux is enabled. One way to address this is rather than asking the user to disable SELinux is to instead state that tools like SELinux may be restricting permissions. The implication then is that it's up to the user to decide whether they are happy to disable SELinux or wish to craft SELinux profiles to allow these particular call paths.
I have some additional minor suggestions below as well for how to format and spell the message consistently to Cilium log styling.
998776e
to
7e7b94c
Compare
pkg/bpf/bpf_linux.go
Outdated
@@ -662,6 +663,8 @@ func TestDummyProg(progType ProgType, attachType uint32) error { | |||
return errno | |||
} | |||
return nil | |||
} else if errors.Is(errno, unix.EPERM) { | |||
log.WithError(errno).Warningf("Cilium cannot load bpf programs. Security profiles like SELinux may be restricting permissions.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This error message will get printed in addition to the other log message. It would be more consistent to add this condition at the same place where the "BPF host reachable services for UDP needs kernel..." message is printed, maybe by doing the check via errors.Is(err, unix.EPERM) at that location rather than doing the direct errno check at this point.
Could you take a look at how this could be better integrated with the log error handling in the parent function initKubeProxyReplacementOptions()
or above instead, where this function is called from?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about this?
7e7b94c
to
09ac73a
Compare
18ed2dc
to
7e15247
Compare
daemon/cmd/kube_proxy_replacement.go
Outdated
} | ||
if option.Config.EnableHostServicesTCP { | ||
bpf.TestIPDummyProg(bpf.ProgTypeCgroupSockAddr, bpf.BPF_CGROUP_INET4_CONNECT, bpf.BPF_CGROUP_INET6_CONNECT, func(ipv4Result error, ipv6Result error) { | ||
msg := fmt.Sprintf("Test Dummy Prog Faild: [ IPv4: %v, IPv6: %v ], BPF host reachable services for TCP needs kernel 4.17.0 or newer.", ipv4Result, ipv6Result) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Getting there. I think we could probably get away with something a bit simpler: If the first prog attempt fails with unix.EPERM
then it probably means that all subsequent loads are also going to fail with the same error, regardless of IPv4/IPv6 or which particular hook?
Additionally, in Cilium's logging we aim to properly use Structured logging so that fields are properly propagated in logging systems that are intelligent enough to use them (particularly when formatting messages to JSON logging platforms). What does this mean for the PR here? Rather than combining static content (the message) with dynamic logging content (The %v
bits), the dynamic content is separately specified into the logging system. In practice, the syntax for this looks like:
log.WithError(err).Warn("Cilium cannot load bpf programs. Security profiles like SELinux may be restricting permissions.")
If there are additional details you want to share in the logs, you can also add WithFields(...)
, like log.WithError(err).WithFields(logfields.IPv4, ipAddr).Warn(...)
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
I use %v
because I think we need to tell the user what's error message is. Both IPv6 and IPv4. If use %s
and error
is nil
it will display like %!s(<nil>)
, but %v
don't have this problem.
Signed-off-by: hui.kong <konghui@live.cn>
48de77a
to
6f4723f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, LGTM.
test-me-please |
I didn't triage the CI failures in the "checks" section at the bottom of the page, but given the changes being made by this PR it seems unlikely that the failures are related to the PR. You're welcome to assist investigation (drop by #testing on Cilium Slack), or otherwise maybe we can re-run the tests when the tree is more stable again. |
If host enable SELinux. Program running on the container doesn't allow invoke bpf syscall with load option. The logs like this
So if user running cilium with enable
host reachable service
on a host with correct kernel version(4.19.57, 5.1.16, 5.2.0 or newer) and SELinux enabled. It still display such error:It makes user confuse about this log, because there kernel version was correct.
So I add the warning message tell user they need to disable SELinux when the cilium start faild due to SELinux enabled.