cloudflared
cloudflared copied to clipboard
cloudflare
🐛 cannot create ICMPv4 proxy: Group ID
Describe the bug A clear and concise description of what the bug is.
To Reproduce Deploy:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cloudflared
spec:
selector:
matchLabels:
app: cloudflared
replicas: 2 # You could also consider elastic scaling for this deployment
template:
metadata:
labels:
app: cloudflared
spec:
containers:
- name: cloudflared
image: cloudflare/cloudflared:2023.10.0
args:
- tunnel
# Points cloudflared to the config file, which configures what
# cloudflared will actually do. This file is created by a ConfigMap
# below.
- --config
- /etc/cloudflared/config/config.yaml
- run
livenessProbe:
httpGet:
# Cloudflared has a /ready endpoint which returns 200 if and only if
# it has an active connection to the edge.
path: /ready
port: 2000
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
volumeMounts:
- name: config
mountPath: /etc/cloudflared/config
readOnly: true
# Each tunnel has an associated "credentials file" which authorizes machines
# to run the tunnel. cloudflared will read this file from its local filesystem,
# and it'll be stored in a k8s secret.
- name: creds
mountPath: /etc/cloudflared/creds
readOnly: true
volumes:
- name: creds
secret:
# By default, the credentials file will be created under ~/.cloudflared/<tunnel ID>.json
# when you run `cloudflared tunnel create`. You can move it into a secret by using:
# ```sh
# kubectl create secret generic tunnel-credentials \
# --from-file=credentials.json=/Users/yourusername/.cloudflared/<tunnel ID>.json
# ```
secretName: tunnel-credentials
# Create a config.yaml file from the ConfigMap below.
- name: config
configMap:
name: cloudflared
items:
- key: config.yaml
path: config.yaml
---
# This ConfigMap is just a way to define the cloudflared config.yaml file in k8s.
# It's useful to define it in k8s, rather than as a stand-alone .yaml file, because
# this lets you use various k8s templating solutions (e.g. Helm charts) to
# parameterize your config, instead of just using string literals.
apiVersion: v1
kind: ConfigMap
metadata:
name: cloudflared
data:
config.yaml: |
# Name of the tunnel you want to run
tunnel: pi-k8s
credentials-file: /etc/cloudflared/creds/credentials.json
# Serves the metrics server under /metrics and the readiness server under /ready
metrics: 0.0.0.0:2000
# Autoupdates applied in a k8s pod will be lost when the pod is removed or restarted, so
# autoupdate doesn't make sense in Kubernetes. However, outside of Kubernetes, we strongly
# recommend using autoupdate.
no-autoupdate: true
# The `ingress` block tells cloudflared which local service to route incoming
# requests to. For more about ingress rules, see
# https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ingress
#
# Remember, these rules route traffic from cloudflared to a local service. To route traffic
# from the internet to cloudflared, run `cloudflared tunnel route dns <tunnel> <hostname>`.
# E.g. `cloudflared tunnel route dns example-tunnel tunnel.example.com`.
ingress:
# The first rule proxies traffic to the httpbin sample Service defined in app.yaml
- hostname: tunnel.mydomain.net
service: http://web-service:80
# This rule sends traffic to the built-in hello-world HTTP server. This can help debug connectivity
# issues. If hello.example.com resolves and tunnel.example.com does not, then the problem is
# in the connection from cloudflared to your local service, not from the internet to cloudflared.
- hostname: hello.mydomain.net
service: hello_world
# This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404.
- service: http_status:404
Expected behavior Cloudflared connects and doesn't keep restarting the pods.
Environment and versions OS: Ubuntu 22.04.3 LTS x86_64 Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-4.2) Kernel: 5.15.0-88-generic
Logs and errors
2023-11-14T20:37:13Z INF Starting tunnel tunnelID=3d897a40-XXXX-XXXX-XXXX-XXXXXXXXXXXX
2023-11-14T20:37:13Z INF Version 2023.10.0
2023-11-14T20:37:13Z INF GOOS: linux, GOVersion: go1.20.6, GoArch: amd64
2023-11-14T20:37:13Z INF Settings: map[config:/etc/cloudflared/config/config.yaml cred-file:/etc/cloudflared/creds/credentials.json credentials-file:/etc/cloudflared/creds/credentials.json metrics:0.0.0.0:2000 no-autoupdate:true]
2023-11-14T20:37:13Z INF Generated Connector ID: 428f64af-69d5-4e1e-a65f-321e92119696
2023-11-14T20:37:18Z ERR Failed to fetch features, default to disable error="lookup cfd-features.argotunnel.com on 10.96.0.10:53: read udp 100.64.1.85:43234->10.96.0.10:53: read: connection refused"
2023-11-14T20:37:23Z INF Initiating graceful shutdown due to signal terminated ...
2023-11-14T20:37:28Z WRN Unable to lookup protocol percentage.
2023-11-14T20:37:28Z INF Initial protocol http2
2023-11-14T20:37:28Z ERR update check failed error="Get \"https://update.argotunnel.com?arch=amd64&clientVersion=2023.10.0&os=linux\": dial tcp: lookup update.argotunnel.com on 10.96.0.10:53: read udp 100.64.1.85:57590->10.96.0.10:53: read: connection refused"
2023-11-14T20:37:28Z INF ICMP proxy will use 100.64.1.85 as source for IPv4
2023-11-14T20:37:28Z INF ICMP proxy will use fe80::6c75:96ff:****:**** in zone eth0 as source for IPv6
2023-11-14T20:37:28Z WRN The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying /proc/sys/net/ipv4/ping_group_range. Otherwise cloudflared will not be able to ping this network error="Group ID 65532 is not between ping group 1 to 0"
2023-11-14T20:37:28Z WRN ICMP proxy feature is disabled error="cannot create ICMPv4 proxy: Group ID 65532 is not between ping group 1 to 0 nor ICMPv6 proxy: socket: permission denied"
2023-11-14T20:37:38Z INF Starting Hello World server at 127.0.0.1:37731
2023-11-14T20:37:38Z INF Starting metrics server on [::]:2000/metrics
2023-11-14T20:37:48Z INF Tunnel server stopped
2023-11-14T20:37:48Z INF Metrics server stopped
Additional context ) I just followed this instruction ) 2022.3.0 worked in the past but the same config doesn't seem to work anymore. This might be unrelated or because of an old version but I'd thought I would mention it.
Also not working even when running as privileged container as uid/gid 0 and all capabilities.
Appreciate any information getting the ICMP proxy working.
Hey all. I got this working by setting the securityContext of the pod in my deployment to the following:
apiVersion: apps/v1
kind: Deployment
spec:
...
template:
spec:
securityContext:
runAsGroup: 65532
runAsUser: 65532
runAsNonRoot: true
sysctls:
- name: net.ipv4.ping_group_range
value: "0 200000000"
...
Hope that helps!
With the inspiration of the solution of @philwinder, I fixed it with the following:
apiVersion: apps/v1
kind: Deployment
spec:
...
template:
spec:
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
value: "65532 65532"
containers:
- name: cloudflared
securityContext:
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
I'm not sure which is the better/safer solution.
FYI for me, I only needed to add:
apiVersion: apps/v1
kind: Deployment
spec:
template:
spec:
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
value: "0 2147483647"
The other stuff, for me, wasn't needed.