K8s deployment failed as security pre-required?


(Pat Murphy) #1

deployment in kubernetes without configuration met errors:

panic: standard_init_linux.go:178: exec user process caused "operation not permitted" [recovered]
        panic: standard_init_linux.go:178: exec user process caused "operation not permitted"
goroutine 1 [running, locked to thread]:
panic(0x7eb2e0, 0xc820139260)
        /usr/lib/go1.6/src/runtime/panic.go:481 +0x3e6
github.com/urfave/cli.HandleAction.func1(0xc8200ab2f8)
        /build/amd64-usr/var/tmp/portage/app-emulation/runc-1.0.0_rc2_p9/work/runc-1.0.0_rc2_p9/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x38e
panic(0x7eb2e0, 0xc820139260)
        /usr/lib/go1.6/src/runtime/panic.go:443 +0x4e9
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc8200aac08, 0xc82001e0b8, 0xc8200aad18)
        /build/amd64-usr/var/tmp/portage/app-emulation/runc-1.0.0_rc2_p9/work/runc-1.0.0_rc2_p9/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x136
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc820068960, 0x7f48112294d0, 0xc820139260)
        /build/amd64-usr/var/tmp/portage/app-emulation/runc-1.0.0_rc2_p9/work/runc-1.0.0_rc2_p9/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x5b1
main.glob.func8(0xc820086780, 0x0, 0x0)
        /build/amd64-usr/var/tmp/portage/app-emulation/runc-1.0.0_rc2_p9/work/runc-1.0.0_rc2_p9/main_unix.go:26 +0x68
reflect.Value.call(0x74fac0, 0x9012a0, 0x13, 0x847808, 0x4, 0xc8200ab278, 0x1, 0x1, 0x0, 0x0, ...)
        /usr/lib/go1.6/src/reflect/value.go:435 +0x120d
reflect.Value.Call(0x74fac0, 0x9012a0, 0x13, 0xc8200ab278, 0x1, 0x1, 0x0, 0x0, 0x0)
        /usr/lib/go1.6/src/reflect/value.go:303 +0xb1
github.com/urfave/cli.HandleAction(0x74fac0, 0x9012a0, 0xc820086780, 0x0, 0x0)
        /build/amd64-usr/var/tmp/portage/app-emulation/runc-1.0.0_rc2_p9/work/runc-1.0.0_rc2_p9/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x2ee
github.com/urfave/cli.Command.Run(0x84a6b8, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8e05e0, 0x51, 0x0, ...)
        /build/amd64-usr/var/tmp/portage/app-emulation/runc-1.0.0_rc2_p9/work/runc-1.0.0_rc2_p9/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xfec
github.com/urfave/cli.(*App).Run(0xc820001980, 0xc82000a100, 0x2, 0x2, 0x0, 0x0)
        /build/amd64-usr/var/tmp/portage/app-emulation/runc-1.0.0_rc2_p9/work/runc-1.0.0_rc2_p9/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0xaa4
main.main()
        /build/amd64-usr/var/tmp/portage/app-emulation/runc-1.0.0_rc2_p9/work/runc-1.0.0_rc2_p9/main.go:137 +0xe24

the deployment is very straightforwards:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: packetbeat
  namespace: monitoring
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: packetbeat
        name: packetbeat
    spec:
      containers:
      - image: local-registry:5000/packetbeat:5.5.2
        name: packetbeat
        resources:
          limits:
            cpu: 500m
            memory: 512Mi
          requests:
           cpu: 500m
           memory: 512Mi

The OS:
x86_64 Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz GenuineIntel GNU/Linux

The reason I thought its OS level security related as:
https://github.com/moby/moby/issues/29928

Any help will be really appreciated! :grinning:


(Carlos Pérez Aradros) #2

Hi @Yveseirean,

I think the error you see is related to packetbeat needed permissions, could you try to set security context for the container? something like this:

name: packetbeat
image: local-registry:5000/packetbeat:5.5.2
...
securityContext:
    runAsUser: 0

(Carlos Pérez Aradros) #3

You could also just add NET_ADMIN capability, as explained here: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container

These are the docs on how to run it in docker: https://www.elastic.co/guide/en/beats/packetbeat/6.0/running-on-docker.html


(Pat Murphy) #4

thank you, enquiring the NET_ADMIN credentials at this moment, will update later


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.