latest Poweredby instance missing CAP_NET_RAW capability in OpenShift deployment

Description

While running in privileged mode on the OpenShift platform, the Meridian and Poweredby instances cannot perform ICMP polls. I see an ICMP socket permission error in manager.log. Consequently, the ICMP service monitor is not available.

2024-01-26 13:05:24,825 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2024-01-26 13:05:24,828 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.

The result of this test is negative when testing on Docker containers.

values.yaml used to deploy OpenNMS

core:
  configuration:
    alwaysRollDeployment: true
    database:
      password: 0p3nNM5
      poolSize: 50
      username: opennms
    enableAcls: false
    enableAlec: false
    enableCortex: false
    enableTssDualWrite: false
    etcUpdatePolicy: never
    http:
      adminPassword: admin
      restPassword: admin
      restUsername: opennms
    ports:
      karaf:
        enabled: true
        externalPort: 8101
      syslog:
        enabled: true
        externalPort: 10514
      trapd:
        enabled: true
        externalPort: 1162
    rras:
      - 'RRA:AVERAGE:0.5:1:2016'
      - 'RRA:AVERAGE:0.5:12:1488'
      - 'RRA:AVERAGE:0.5:288:366'
      - 'RRA:MAX:0.5:288:366'
      - 'RRA:MIN:0.5:288:366'
    storage:
      etc: 1Gi
      mibs: 100M
      rrd: 50Gi
  image:
    pullPolicy: IfNotPresent
    repository: opennms/horizon
    tag: poweredby-2023.1.12-linux-amd64
  inspector:
    enabled: false
  postConfigJob:
    ttlSecondsAfterFinished: 300
  resources:
    limits:
      cpu: '2'
      memory: 8Gi
    requests:
      cpu: '2'
      memory: 4Gi
  terminationGracePeriodSeconds: 120
createNamespace: false
dependencies:
  clusterRole: true
  clusterRoleBinding: true
  cortex:
    bulkheadMaxWaitDuration: '9223372036854775807'
    externalTagsCacheSize: 1000
    maxConcurrentHttpConnections: 100
    metricCacheSize: 1000
    readTimeoutInMs: 1000
    readUrl: >-
      http://cortex-query-frontend.shared.svc.cluster.local:8080/prometheus/api/v1
    writeTimeoutInMs: 1000
    writeUrl: 'http://cortex-distributor.shared.svc.cluster.local:8080/api/v1/push'
  elasticsearch:
    configuration:
      flows:
        indexStrategy: daily
        numShards: 1
        replicationFactor: 0
    password: 31@st1c
    port: 9200
    username: elastic
  kafka:
    configuration:
      saslMechanism: PLAIN
      securityProtocol: PLAINTEXT
    hostname: 192.168.86.5
    port: 29092
    username: opennms
  loki:
    port: 3100
  postgresql:
    hostname: postgresql.horizon.svc
    password: postgres
    port: 5432
    sslfactory: org.postgresql.ssl.LibPQFactory
    sslmode: disable
    username: postgres
  route: true
  securitycontext:
    allowPrivilegeEscalation: true
    allowedCapabilities:
      - NET_BIND_SERVICE
      - CAP_NET_RAW
  securitycontextconstraints:
    enabled: true
    name: opennms-scc
  serviceaccount:
    enabled: true
    name: opennms-sa
  truststore:
    password: 0p3nNM5
domain: apps-crc.testing
grafana:
  configuration:
    database:
      image:
        pullPolicy: IfNotPresent
        repository: postgres
        tag: '13'
      password: Gr@f@n@
      sslmode: disable
      username: grafana
    ui:
      adminPassword: admin
  image:
    pullPolicy: IfNotPresent
    repository: opennms/helm
    tag: 9.0.10
  imageRenderer:
    image:
      pullPolicy: IfNotPresent
      repository: grafana/grafana-image-renderer
      tag: latest
    replicaCount: 2
    resources:
      limits:
        cpu: 200m
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 128Mi
  replicaCount: 1
  resources:
    limits:
      cpu: 200m
      memory: 1Gi
    requests:
      cpu: 100m
      memory: 1Gi
ingress:
  certManager:
    clusterIssuer: opennms-issuer
  className: nginx
multiTenant: false
promtail:
  image:
    pullPolicy: IfNotPresent
    repository: grafana/promtail
    tag: latest
  resources:
    limits:
      cpu: 50m
      memory: 64Mi
releaseNamespace: false
sentinel:
  configuration:
    database:
      poolSize: 25
  image:
    pullPolicy: IfNotPresent
    repository: opennms/sentinel
  replicaCount: 0
  resources:
    limits:
      cpu: '2'
      memory: 4Gi
    requests:
      cpu: '2'
      memory: 2Gi
  terminationGracePeriodSeconds: 60
timezone: America/New_York
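As an added diagnostic (not code from the OpenNMS project or from this ticket), the script below checks the three places CAP_NET_RAW has to be present before a non-root OpenNMS process can open the ICMP raw socket that JniPinger complains about: the file capability on the JVM binary named in etc/java.conf (the same getcap check as in the comments), the bounding set the pod securityContext/SCC gives the container (if NET_RAW is not in CapBnd, a file capability cannot grant it either), and the spelling of the capability in a values file. Kubernetes and OpenShift SCC documentation spell capabilities without the CAP_ prefix, so the mixed NET_BIND_SERVICE / CAP_NET_RAW list in the values.yaml above is worth normalizing before comparing it with what the pod spec requests. The OPENNMS_HOME default of /opt/opennms is an assumption, and the /proc status and getcap lines embedded here are constructed samples.

```shell
#!/bin/sh
# Added example, not OpenNMS project code: check whether a non-root OpenNMS
# container process can obtain CAP_NET_RAW for ICMP raw sockets.

CAP_NET_RAW_BIT=13   # capability number from linux/capability.h

# Return 0 if a hex capability mask (CapBnd/CapEff as printed in
# /proc/<pid>/status, optional 0x prefix) contains CAP_NET_RAW.
mask_has_net_raw() {
  mask="${1#0x}"
  [ -n "$mask" ] || return 1
  [ "$(( (0x$mask >> $CAP_NET_RAW_BIT) & 1 ))" -eq 1 ]
}

# Extract one field (e.g. CapBnd) from the text of a /proc/<pid>/status file.
status_field() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# Return 0 if a getcap output line grants cap_net_raw in the effective set.
# Handles both libcap styles: "path = caps+ep" (older) and "path caps=ep" (newer),
# and cap_to_text's space-separated clauses.
getcap_has_net_raw() {
  line="$1"
  [ -n "$line" ] || return 1
  caps="${line#* }"      # drop the path
  caps="${caps#= }"      # older libcap prints "path = caps"
  for clause in $caps; do
    names="${clause%%[=+-]*}"
    flags="${clause#"$names"}"
    case ",$names," in
      *,cap_net_raw,*) case "$flags" in *e*) return 0 ;; esac ;;
    esac
  done
  return 1
}

# Kubernetes securityContext.capabilities and OpenShift SCC allowedCapabilities
# are documented without the CAP_ prefix (NET_RAW, not CAP_NET_RAW); normalise a
# values-file entry to that form so it can be compared with the pod spec.
k8s_cap_normalize() {
  printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/^CAP_//'
}

# Constructed sample of /proc/<pid>/status lines for a non-root shell in a
# container whose bounding set includes NET_BIND_SERVICE (bit 10) and NET_RAW
# (bit 13); effective/permitted are empty, as expected for a non-root process.
SAMPLE_STATUS="CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	00000000a80425fb"

# Constructed sample of getcap output for a JVM that was setcap'ed correctly.
SAMPLE_GETCAP="/usr/lib/jvm/jre-11/bin/java cap_net_bind_service,cap_net_raw=ep"

# Run the checks against the live container (run with --live inside the pod).
live_check() {
  rc=0
  # java.conf holds the path of the JVM OpenNMS launches; OPENNMS_HOME default is an assumption.
  java_bin="$(cat "${OPENNMS_HOME:-/opt/opennms}/etc/java.conf" 2>/dev/null || command -v java)"
  if command -v getcap >/dev/null 2>&1 && [ -n "$java_bin" ]; then
    if getcap_has_net_raw "$(getcap "$java_bin" 2>/dev/null)"; then
      echo "ok   $java_bin carries cap_net_raw as an effective file capability"
    else
      echo "FAIL $java_bin has no effective cap_net_raw file capability"; rc=1
    fi
  fi
  status="$(cat /proc/self/status)"
  if mask_has_net_raw "$(status_field "$status" CapBnd)"; then
    echo "ok   CAP_NET_RAW is in the bounding set (securityContext/SCC allows it)"
  else
    echo "FAIL CAP_NET_RAW missing from CapBnd: file capabilities cannot grant it"; rc=1
  fi
  return $rc
}

case "${1:-}" in --live) live_check ;; esac
```

Run it with `--live` from a shell inside the OpenNMS pod; a FAIL on the first check matches the symptom in this ticket (the JVM lost its setcap), while a FAIL on the second points at the pod securityContext or SCC instead.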

Environment

Tested with Poweredby 2023.1.12 image

Acceptance / Success Criteria

None

Created January 26, 2024 at 7:34 PM
Updated June 13, 2024 at 5:41 PM

Activity

JianYet, February 16, 2024 at 9:57 PM (edited)

I can still reproduce this on poweredby 2023.1.13. Probably best if someone else can verify that it’s not isolated to my environment.

The capabilities of the java binary seem ok though.

bash-5.1$ getcap `cat etc/java.conf`
/usr/lib/jvm/jre-11/bin/java cap_net_bind_service,cap_net_raw=ep

Morteza, January 26, 2024 at 9:09 PM

I was unable to reproduce the issue using the latest Meridian 2023 on OpenShift

JianYet, January 26, 2024 at 7:43 PM

It’s better if another person ( >_> ) can verify my test results.

Benjamin Reed, January 26, 2024 at 7:39 PM

Not surprised by the poweredby, I made a change to do security updates before images are generated, so then the JDK gets updated and no longer has setcap. I’m confused by it happening on the meridian side though, since we don’t change the base image at all there.
