Skip to content

api: don't attempt to set unix domain socket group to cilium #19850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

api: don't attempt to set unix domain socket group to cilium #19850

wants to merge 2 commits into from

Conversation

tklauser
Copy link
Member

Since commit 67f74ff ("images/cilium: remove cilium group from
Dockerfile") the cilium group is no longer created in the image running
the agent, resulting in the following log message on cilium-agent start:

level=info msg="Group not found" error="group: unknown group cilium" file-path=/var/run/cilium/cilium.sock group=cilium subsys=api

Setting the group is no longer necessary, so that part of
SetDefaultPermissions.

@tklauser tklauser added release-note/misc This PR makes changes that have no direct user impact. needs-backport/1.9 labels May 17, 2022
@tklauser tklauser requested a review from a team as a code owner May 17, 2022 08:58
@tklauser tklauser requested a review from nathanjsweet May 17, 2022 08:58
@tklauser
Copy link
Member Author

/test

@rolinh rolinh removed the request for review from nathanjsweet May 17, 2022 09:03
@joestringer joestringer requested a review from aanm May 17, 2022 18:20
joestringer
joestringer approved these changes May 17, 2022
View reviewed changes
Copy link
Member

@joestringer joestringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice cleanup, thanks. I think when we support non-root, this should also not be necessary so 👍

@tklauser tklauser force-pushed the pr/tklauser/api-socket-group branch from cf34ac3 to e0dfa97 Compare May 18, 2022 09:22
@tklauser tklauser requested review from a team as code owners May 18, 2022 09:22
@tklauser tklauser requested review from a team and christarazi May 18, 2022 09:22
@tklauser
Copy link
Member Author

tklauser commented May 18, 2022
edited
Loading

Added a second commit to drop the cilium group from dev and test VMs as well and run per-node cilium commands with sudo for the runtime tests. This should fix the failing runtime tests.

@tklauser tklauser force-pushed the pr/tklauser/api-socket-group branch from e0dfa97 to a7e4e65 Compare May 18, 2022 09:28
@tklauser
Copy link
Member Author

/test-runtime

@tklauser tklauser force-pushed the pr/tklauser/api-socket-group branch from a7e4e65 to 4985707 Compare May 18, 2022 09:58
@tklauser tklauser requested review from a team as code owners May 18, 2022 09:58
@tklauser tklauser requested review from a team and jrajahalme May 18, 2022 09:58
@tklauser tklauser requested review from glibsm and YutaroHayakawa May 18, 2022 09:58
@tklauser
Copy link
Member Author

/test-runtime

@tklauser tklauser force-pushed the pr/tklauser/api-socket-group branch from 4985707 to dd6b11b Compare May 18, 2022 10:58
@tklauser
api: don't attempt to set unix domain socket group to cilium
7a60be8 
Since commit 67f74ff ("images/cilium: remove cilium group from
Dockerfile") the cilium group is no longer created in the image running
the agent, resulting in the following log message on cilium-agent start:

level=info msg="Group not found" error="group: unknown group cilium" file-path=/var/run/cilium/cilium.sock group=cilium subsys=api

Setting the group is no longer necessary, so drop that part of
SetDefaultPermissions.

Signed-off-by: Tobias Klauser <tobias@cilium.io>
@tklauser tklauser force-pushed the pr/tklauser/api-socket-group branch from dd6b11b to 174803b Compare May 18, 2022 11:15
@tklauser
Copy link
Member Author

/test-runtime

@tklauser tklauser force-pushed the pr/tklauser/api-socket-group branch 2 times, most recently from ac4c6df to 95720a2 Compare May 18, 2022 11:27
@tklauser
Copy link
Member Author

/test-runtime

@tklauser tklauser force-pushed the pr/tklauser/api-socket-group branch from 95720a2 to 5cd6198 Compare May 18, 2022 12:36
@tklauser
Copy link
Member Author

/test-runtime

@tklauser
make, test, Vagrantfile: don't add cilium group on installation
3460d4c 
Since commit 67f74ff ("images/cilium: remove cilium group from
Dockerfile") the cilium group is no longer created in the docker image.
Follow the same approach for the agent running in the test/dev VM.

As a consequence, the per-node `cilium` command needs to be run as
`root` in the runtime tests.

Signed-off-by: Tobias Klauser <tobias@cilium.io>
@tklauser tklauser force-pushed the pr/tklauser/api-socket-group branch from 5cd6198 to 3460d4c Compare May 18, 2022 14:32
@tklauser
Copy link
Member Author

/test-runtime

@tklauser
Copy link
Member Author

/test

@tklauser tklauser mentioned this pull request May 24, 2022
Merged
@tklauser
Copy link
Member Author

Closing in favor of #19927.

@tklauser tklauser closed this May 24, 2022
@tklauser tklauser deleted the pr/tklauser/api-socket-group branch May 24, 2022 07:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer approved these changes

@rolinh rolinh rolinh approved these changes

@christarazi christarazi christarazi approved these changes

@tommyp1ckles tommyp1ckles tommyp1ckles approved these changes

@michi-covalent michi-covalent michi-covalent approved these changes

@aanm aanm Awaiting requested review from aanm

@jrajahalme jrajahalme Awaiting requested review from jrajahalme jrajahalme was automatically assigned from cilium/proxy

@glibsm glibsm Awaiting requested review from glibsm

@YutaroHayakawa YutaroHayakawa Awaiting requested review from YutaroHayakawa

Assignees
No one assigned
Labels
release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@tklauser @joestringer @rolinh @christarazi @tommyp1ckles @michi-covalent