BCDevOps / platform-services

Collection of platform related tools and configurations
Apache License 2.0

Aporeto Enforcers don't appear to run on RHCOS #371

Open stewartshea opened 5 years ago

stewartshea commented 5 years ago

Red Hat Enterprise Linux CoreOS will be the new operating system of choice for the OpenShift 4.x clusters. At this point in time it appears that Aporeto Enforcers fail to start on RHCOS 4.x:

[root@bastion-01 templates]# oc logs enforcerd-cv9dv -f

               __                            _
    ___ _ __  / _| ___  _ __ ___ ___ _ __ __| |
   / _ \ '_ \| |_ / _ \| '__/ __/ _ \ '__/ _' |
  |  __/ | | |  _| (_) | | | (_|  __/ | | (_| |
   \___|_| |_|_|  \___/|_|  \___\___|_|  \__,_|

   Aporeto Enforcer Agent
   v1.901.35 - 9a3e025b2140d52fa33f9d24770a91cce7a03879
 _______________________________________________________________

{"l":"warn","t":1571101505.570371,"m":"Failed to list chains","context":"mangle","error":"running [/sbin/iptables -t mangle -S --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory\niptables v1.6.2: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgraded.\n"}
{"l":"warn","t":1571101505.5717225,"m":"Failed to list chains","context":"nat","error":"running [/sbin/iptables -t nat -S --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory\niptables v1.6.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgraded.\n"}
{"l":"info","t":1571101505.5892646,"m":"Probing cloud providers..."}
{"l":"info","t":1571101507.0895307,"m":"Using generic metadata extractor"}
{"l":"info","t":1571101507.1292186,"m":"Detected machine metadata","Attributes":{"ID":"61a852e1-5ea5-454b-885e-19cc76927962","SystemTags":[],"UserTags":[],"FQDN":"10-100-1-32.kubelet.kube-system.svc.cluster.local","Name":"10-100-1-32.kubelet.kube-system.svc.cluster.local"}}
W1015 01:05:07.129348    8409 client_config.go:549] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
{"l":"info","t":1571101507.1458194,"m":"Using app credentials"}
{"l":"info","t":1571101507.1458743,"m":"Service","api":"https://api.console.aporeto.com"}
{"l":"info","t":1571101507.2967196,"m":"Looking for pre existing enforcer","namespace":"/sheastewart/kubernetes-clusters/ocp4-1","machine-id":"61a852e1-5ea5-454b-885e-19cc76927962"}
{"l":"info","t":1571101507.4496095,"m":"Using enforcer object with parameters","id":"5da5137637284f0001637235","namespace":"/sheastewart/kubernetes-clusters/ocp4-1","metadata":[],"tags":["app:k8s:node:annotation:machineconfiguration.openshift.io/currentConfig=rendered-worker-cad4c131865a3868ef46c9bf85bdbe81","app:k8s:node:annotation:machineconfiguration.openshift.io/desiredConfig=rendered-worker-cad4c131865a3868ef46c9bf85bdbe81","app:k8s:node:annotation:machineconfiguration.openshift.io/state=Done","app:k8s:node:annotation:volumes.kubernetes.io/controller-managed-attach-detach=true","app:k8s:node:architecture=amd64","app:k8s:node:bootid=85ae4d27-5a52-4960-a853-31d3f7a69f46","app:k8s:node:containerruntimeversion=cri-o://1.13.11-0.7.dev.rhaos4.1.git9cb8f2f.el8-dev","app:k8s:node:hostname=ocp-app-02.ocp.cloud.lab","app:k8s:node:internalip=10.100.1.32","app:k8s:node:kernelversion=4.18.0-80.11.2.el8_0.x86_64","app:k8s:node:kubeletversion=v1.13.4+12ee15d4a","app:k8s:node:kubeproxyversion=v1.13.4+12ee15d4a","app:k8s:node:label:beta.kubernetes.io/arch=amd64","app:k8s:node:label:beta.kubernetes.io/os=linux","app:k8s:node:label:kubernetes.io/hostname=ocp-app-02.ocp.cloud.lab","app:k8s:node:label:node.openshift.io/os_id=rhcos","app:k8s:node:label:node.openshift.io/os_version=4.1","app:k8s:node:machineid=61a852e15ea5454b885e19cc76927962","app:k8s:node:operatingsystem=linux","app:k8s:node:osimage=Red Hat Enterprise Linux CoreOS 410.8.20190920.2 (Ootpa)","app:k8s:node:systemuuid=61a852e1-5ea5-454b-885e-19cc76927962","app:k8s:pod:annotation:openshift.io/scc=privileged","app:k8s:pod:label:app=enforcerd","app:k8s:pod:label:controller-revision-hash=644dbf6f65","app:k8s:pod:label:pod-template-generation=1","app:k8s:pod:label:type=aporeto","app:k8s:pod:name=enforcerd-hvtmh","app:k8s:pod:namespace=aporeto"]}
{"l":"info","t":1571101509.0697236,"m":"Validating enforcer identity and uniqueuness ..."}
{"l":"info","t":1571101576.1762216,"m":"Update check enabled","currentVersion":"v1.901.35"}
{"l":"info","t":1571101576.1773307,"m":"Enabling Trireme Datapath v1.0"}
{"l":"warn","t":1571101576.1879675,"m":"failed to create the cgroup manager","cgroupsMountPoint":"/sys/fs/cgroup","error":"stat /var/run/docker.sock: no such file or directory"}
{"l":"info","t":1571101576.1895714,"m":"Running audit monitor"}
{"l":"warn","t":1571101576.2434108,"m":"Failed to list chains","context":"mangle","error":"running [/sbin/iptables -t mangle -S --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory\niptables v1.6.2: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgraded.\n"}
{"l":"warn","t":1571101576.2447052,"m":"Failed to list chains","context":"nat","error":"running [/sbin/iptables -t nat -S --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory\niptables v1.6.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgraded.\n"}
{"l":"error","t":1571101576.2556398,"m":"Error when starting the supervisor","error":"unable to start the implementer: Unable to initialize chains: running [/sbin/iptables -t nat -N TRI-Redir-App --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory\niptables v1.6.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgraded.\n"}
{"l":"fatal","t":1571101576.2556808,"m":"Unable to start controllers","error":"Failed to activate controler: Error while starting supervisor unable to start the implementer: Unable to initialize chains: running [/sbin/iptables -t nat -N TRI-Redir-App --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory\niptables v1.6.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgraded.\n"}
stewartshea commented 5 years ago

Possibly related: https://bugzilla.redhat.com/show_bug.cgi?id=1708500

stewartshea commented 5 years ago

Tmp workaround right now is to run:

sudo modprobe ip_tables && sudo modprobe iptable_nat
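
An added example, not part of the original thread and not Aporeto's code: a shell check that reads enforcer log output for the `can't initialize iptables table` errors shown in this issue and lists the matching kernel modules that are absent from a `/proc/modules`-format listing. The function names, the sample log lines and the module listing are constructed, and the table-to-module mapping (`iptable_<table>` on top of `ip_tables`) is the usual kernel module naming, assumed here.

```bash
#!/usr/bin/env bash
# Added example: derive the kernel modules to load from enforcerd log output.

# failed_tables LOG: iptables tables the log reports as uninitialisable,
# one per line, de-duplicated.
failed_tables() {
    # "." stands in for the backtick iptables prints before the table name.
    grep -o "can't initialize iptables table .[a-z]*'" "$1" \
        | sed "s/.*table .\([a-z]*\)'/\1/" | sort -u
}

# modules_to_load LOG MODULES: modules needed for those tables that are
# missing from MODULES (a file in /proc/modules format).
# Assumption: table T is provided by module iptable_T, on top of ip_tables.
modules_to_load() {
    local tables mod
    tables=$(failed_tables "$1")
    [ -n "$tables" ] || return 0   # no iptables errors in the log: nothing to do
    for mod in ip_tables $(printf '%s\n' "$tables" | sed 's/^/iptable_/'); do
        grep -q "^${mod} " "$2" || echo "$mod"
    done
}

# Constructed sample input, modelled on the log in this issue.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/enforcerd.log" <<'EOF'
{"l":"warn","m":"Failed to list chains","context":"mangle","error":"iptables v1.6.2: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)"}
{"l":"warn","m":"Failed to list chains","context":"nat","error":"iptables v1.6.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)"}
{"l":"fatal","m":"Unable to start controllers","error":"Unable to initialize chains: can't initialize iptables table `nat': Table does not exist"}
EOF
cat > "$tmp/modules" <<'EOF'
ip_tables 28672 0 - Live 0x0000000000000000
overlay 126976 4 - Live 0x0000000000000000
EOF

# On a node, pass saved enforcer log output and /proc/modules instead.
modules_to_load "$tmp/enforcerd.log" "$tmp/modules"
```
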