
Running Weave Net with privileged: false

Open rroberts59110 opened this issue 4 years ago • 4 comments

Is it possible to run Weave Net as unprivileged?

I am trying to integrate weave with Rancher K3s v18.6, Weave 2.8.1. I wish to not allow privileged containers, so I have a pod security policy that does not allow privileged containers.

The weave-net daemonset creates the weave-net-XXXXX pods but the weave-init container fails. The logs for that container show: ipset v7.2: Kernel error received: Operation not permitted

I see no SELinux denials and the dontaudit rules have been turned off.

This failure seems to be because the pod is running with privileged: false.

I have tried experimenting with Linux capabilities but nothing seems to make any difference. Does anyone know a way around this?

rroberts59110 avatar Jul 22 '21 23:07 rroberts59110

OK. Partially answered my own question. You not only have to add Linux capabilities to the PodSecurityPolicy but also to the container in the pod created by the Weave Daemonset. Now I am seeing an SELinux denial associated with the weave-npc container.

rroberts59110 avatar Jul 23 '21 15:07 rroberts59110

I have overcome all of my problems with running weave net unprivileged save one. The weave container is failing with this message in the logs:

    $ kubectl -n kube-system logs weave-net-cnnlq -c weave
    DEBU: 2021/07/27 21:57:14.624867 [kube-peers] Checking peer "ca:88:1e:45:e4:86" against list &{[]}
    Peer not in list; removing persisted data
    INFO: 2021/07/27 21:57:14.803655 Command line options: map[conn-limit:200 datapath:datapath db-prefix:/weavedb/weave-net docker-api: expect-npc:true http-addr:127.0.0.1:6784 ipalloc-init:consensus=0 ipalloc-range:10.32.0.0/16 log-level:debug metrics-addr:0.0.0.0:6782 name:ca:88:1e:45:e4:86 nickname:bbking no-dns:true no-masq-local:true port:6783]
    INFO: 2021/07/27 21:57:14.803703 weave 2.8.1
    FATA: 2021/07/27 21:57:15.166253 creating bridged fastdp veth pair: setting accept_ra to 0: open /proc/sys/net/ipv6/conf/vethwe-bridge/accept_ra: read-only file system

I don't see the /proc/sys/net/ipv6/conf/vethwe-bridge directory at all, so I'm assuming that the weave container is failing to create the veth pair at all, much less modify the value in accept_ra. I've tried adding every Linux capability that seemed relevant with no change, and I'm not seeing any SELinux denials. Any help would be appreciated.

rroberts59110 avatar Jul 28 '21 14:07 rroberts59110
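The "read-only file system" error above is worth separating from the capability question, because the two are decided independently: the container runtime (runc, as used by Docker and containerd) bind-mounts /proc/sys read-only inside any container that is not privileged, so a write to /proc/sys/net/ipv6/conf/.../accept_ra returns EROFS no matter which capabilities the pod has been granted. The script below is an added diagnostic, not code from this issue or from the Weave project: run inside the pod, it reports whether /proc/sys is read-only and which of the capabilities relevant to network setup are actually in the process's effective set (CapEff in /proc/self/status). The SAMPLE_MOUNTS and SAMPLE_STATUS values are constructed to mirror a typical unprivileged container (the capability mask is the Docker default set); the live check at the end reads the real files when they exist.

```shell
#!/bin/sh
# Added diagnostic for an unprivileged Kubernetes pod (not part of Weave Net).
# Checks the two things that decide whether sysctl writes and veth setup can
# work: the mount options of /proc/sys and the process's effective capabilities.

# Constructed /proc/mounts excerpt: the runtime mounts /proc/sys read-only in
# a container that is not privileged: true.
SAMPLE_MOUNTS='overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0'

# Constructed /proc/self/status excerpt carrying the Docker default capability
# mask (a80425fb): NET_RAW is present, NET_ADMIN and SYS_ADMIN are not.
SAMPLE_STATUS='Name:   weaver
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'

# mount_is_readonly TABLE MOUNTPOINT -> exit 0 if MOUNTPOINT carries the "ro" option.
# Fields of a /proc/mounts line: device mountpoint fstype options dump pass.
mount_is_readonly() {
  printf '%s\n' "$1" | awk -v mp="$2" '
    $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
    END { exit(found ? 0 : 1) }'
}

# Capability bit numbers from linux/capability.h.
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# has_cap STATUS BITNUM -> exit 0 if the CapEff mask in STATUS has that bit set.
has_cap() {
  hex=$(printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }')
  [ -n "$hex" ] || return 2
  [ $(( (0x$hex >> $2) & 1 )) -eq 1 ]
}

# diagnose MOUNT_TABLE STATUS_FILE -> prints a verdict for each check.
diagnose() {
  if mount_is_readonly "$1" /proc/sys; then
    echo "/proc/sys is read-only: writes such as net/ipv6/conf/<veth>/accept_ra fail with EROFS regardless of capabilities"
  else
    echo "/proc/sys is writable"
  fi
  for c in NET_ADMIN:$CAP_NET_ADMIN NET_RAW:$CAP_NET_RAW SYS_ADMIN:$CAP_SYS_ADMIN; do
    name=${c%%:*}; bit=${c##*:}
    if has_cap "$2" "$bit"; then echo "CAP_$name: present"; else echo "CAP_$name: missing"; fi
  done
}

# Run against the constructed samples, then against the live container if possible.
diagnose "$SAMPLE_MOUNTS" "$SAMPLE_STATUS"
if [ -r /proc/mounts ] && [ -r /proc/self/status ]; then
  echo "--- live ---"
  diagnose "$(cat /proc/mounts)" "$(cat /proc/self/status)"
fi
```

If the live output says /proc/sys is read-only, adding capabilities to the PodSecurityPolicy or the container will not change the FATA line: the mount itself has to be writable for that path, which is what privileged: true changes. The capability section is the check for the other half of the thread, since a capability allowed by the PodSecurityPolicy but not requested in the container's securityContext will show up here as missing.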

I'm not seeing any SELinux denials

Try temporarily disabling SELinux dontaudit rules by running the semodule -DB command on your nodes where Weave is running and looking for more AVC denials. Run semodule -B after you're done with your investigation to re-enable dontaudit rules.

NeonSludge avatar Jul 28 '21 17:07 NeonSludge

I appreciate the comment. I have set SELinux to Permissive and I am still seeing the above failure. The problem seems to be that I cannot create the veth pair. Since writing the above I have tried adding every Linux capability with no change. Not sure what I have to do to set permissions appropriately.

rroberts59110 avatar Jul 29 '21 15:07 rroberts59110