Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Swap deployment doesn't detect privileged ports in the original deployment #983

Closed
ark3 opened this issue Apr 5, 2019 · 0 comments

Comments

1 participant
@ark3
Copy link
Contributor

commented Apr 5, 2019

Which is to say, it knows about ports from the original deployment so it can forward them, but it doesn't use that information to choose the proxy image (privileged or unprivileged). So if there are no --expose <low port> options at the command line, it will always pick the unprivileged image and then fail to forward those ports.

For example, if you swap this deployment without any --expose argument, Tel will claim to forward port 80, but it'll run the unprivileged image and the port forward will fail (silently!).

$ kubectl run --restart=Always apache80 --image=httpd --expose --port 80
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
service/apache80 created
deployment.apps/apache80 created

$ telepresence --run curl apache80
[...]
T: Setup complete. Launching your command.
<html><body><h1>It works!</h1></body></html>
T: Your process has exited.

$ telepresence --swap-deployment apache80 --docker-run --rm httpd
T: Volumes are rooted at $TELEPRESENCE_ROOT. See https://telepresence.io/howto/volumes.html for details.                         
T: Starting network proxy to cluster by swapping out Deployment apache80 with a proxy                                            
T: Forwarding remote port 80 to local port 80.

T: Setup complete. Launching your container.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Fri Apr 05 18:53:20.299339 2019] [mpm_event:notice] [pid 7:tid 140146794582080] AH00489: Apache/2.4.39 (Unix) configured -- resuming normal operations
[Fri Apr 05 18:53:20.299551 2019] [core:notice] [pid 7:tid 140146794582080] AH00094: Command line: 'httpd -D FOREGROUND'

$ # From elsewhere...

$ telepresence --run curl apache80
[...]
T: Setup complete. Launching your command.
curl: (7) Couldn't connect to server
T: Your process exited with return code 7.

The fix is to override the proxy image in proxy/deployment.py:supplant_deployment(...) if there is a privileged port in the original container's info.

In the meantime, the workaround is to add --expose 80 to the Telepresence command to force use of the privileged image.

@ark3 ark3 added the bug label Apr 5, 2019

@ark3 ark3 added this to To do in Tel Tracker via automation Apr 5, 2019

@ark3 ark3 changed the title Swap deployment doesn't detect priviliged ports in the original deployment Swap deployment doesn't detect privileged ports in the original deployment Apr 12, 2019

@ark3 ark3 moved this from To do to In progress in Tel Tracker Apr 12, 2019

@ark3 ark3 closed this in 6cc2016 Apr 12, 2019

Tel Tracker automation moved this from In progress to Done Apr 12, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.