search

cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0
8.93k stars 788 forks source link

🐛 cannot create ICMPv4 proxy: Group ID #1109

Open RFlintstone opened 10 months ago

RFlintstone commented 10 months ago

Describe the bug A clear and concise description of what the bug is.

To Reproduce Deploy:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
spec:
  selector:
    matchLabels:
      app: cloudflared
  replicas: 2 # You could also consider elastic scaling for this deployment
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      containers:
      - name: cloudflared
        image: cloudflare/cloudflared:2023.10.0
        args:
        - tunnel
        # Points cloudflared to the config file, which configures what
        # cloudflared will actually do. This file is created by a ConfigMap
        # below.
        - --config
        - /etc/cloudflared/config/config.yaml
        - run
        livenessProbe:
          httpGet:
            # Cloudflared has a /ready endpoint which returns 200 if and only if
            # it has an active connection to the edge.
            path: /ready
            port: 2000
          failureThreshold: 1
          initialDelaySeconds: 10
          periodSeconds: 10
        volumeMounts:
        - name: config
          mountPath: /etc/cloudflared/config
          readOnly: true
        # Each tunnel has an associated "credentials file" which authorizes machines
        # to run the tunnel. cloudflared will read this file from its local filesystem,
        # and it'll be stored in a k8s secret.
        - name: creds
          mountPath: /etc/cloudflared/creds
          readOnly: true
      volumes:
      - name: creds
        secret:
          # By default, the credentials file will be created under ~/.cloudflared/<tunnel ID>.json
          # when you run `cloudflared tunnel create`. You can move it into a secret by using:
          # ```sh
          # kubectl create secret generic tunnel-credentials \
          # --from-file=credentials.json=/Users/yourusername/.cloudflared/<tunnel ID>.json
          # ```
          secretName: tunnel-credentials
      # Create a config.yaml file from the ConfigMap below.
      - name: config
        configMap:
          name: cloudflared
          items:
          - key: config.yaml
            path: config.yaml
---
# This ConfigMap is just a way to define the cloudflared config.yaml file in k8s.
# It's useful to define it in k8s, rather than as a stand-alone .yaml file, because
# this lets you use various k8s templating solutions (e.g. Helm charts) to
# parameterize your config, instead of just using string literals.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared
data:
  config.yaml: |
    # Name of the tunnel you want to run
    tunnel: pi-k8s
    credentials-file: /etc/cloudflared/creds/credentials.json
    # Serves the metrics server under /metrics and the readiness server under /ready
    metrics: 0.0.0.0:2000
    # Autoupdates applied in a k8s pod will be lost when the pod is removed or restarted, so
    # autoupdate doesn't make sense in Kubernetes. However, outside of Kubernetes, we strongly
    # recommend using autoupdate.
    no-autoupdate: true
    # The `ingress` block tells cloudflared which local service to route incoming
    # requests to. For more about ingress rules, see
    # https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ingress
    #
    # Remember, these rules route traffic from cloudflared to a local service. To route traffic
    # from the internet to cloudflared, run `cloudflared tunnel route dns <tunnel> <hostname>`.
    # E.g. `cloudflared tunnel route dns example-tunnel tunnel.example.com`.
    ingress:
    # The first rule proxies traffic to the httpbin sample Service defined in app.yaml
    - hostname: tunnel.mydomain.net
      service: http://web-service:80
    # This rule sends traffic to the built-in hello-world HTTP server. This can help debug connectivity
    # issues. If hello.example.com resolves and tunnel.example.com does not, then the problem is
    # in the connection from cloudflared to your local service, not from the internet to cloudflared.
    - hostname: hello.mydomain.net
      service: hello_world
    # This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404.
    - service: http_status:404

Expected behavior Cloudflared connects and doesn't keep restarting the pods.

Environment and versions OS: Ubuntu 22.04.3 LTS x86_64 Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-4.2) Kernel: 5.15.0-88-generic

Logs and errors

2023-11-14T20:37:13Z INF Starting tunnel tunnelID=3d897a40-XXXX-XXXX-XXXX-XXXXXXXXXXXX
2023-11-14T20:37:13Z INF Version 2023.10.0
2023-11-14T20:37:13Z INF GOOS: linux, GOVersion: go1.20.6, GoArch: amd64
2023-11-14T20:37:13Z INF Settings: map[config:/etc/cloudflared/config/config.yaml cred-file:/etc/cloudflared/creds/credentials.json credentials-file:/etc/cloudflared/creds/credentials.json metrics:0.0.0.0:2000 no-autoupdate:true]
2023-11-14T20:37:13Z INF Generated Connector ID: 428f64af-69d5-4e1e-a65f-321e92119696
2023-11-14T20:37:18Z ERR Failed to fetch features, default to disable error="lookup cfd-features.argotunnel.com on 10.96.0.10:53: read udp 100.64.1.85:43234->10.96.0.10:53: read: connection refused"
2023-11-14T20:37:23Z INF Initiating graceful shutdown due to signal terminated ...
2023-11-14T20:37:28Z WRN Unable to lookup protocol percentage.
2023-11-14T20:37:28Z INF Initial protocol http2
2023-11-14T20:37:28Z ERR update check failed error="Get \"https://update.argotunnel.com?arch=amd64&clientVersion=2023.10.0&os=linux\": dial tcp: lookup update.argotunnel.com on 10.96.0.10:53: read udp 100.64.1.85:57590->10.96.0.10:53: read: connection refused"
2023-11-14T20:37:28Z INF ICMP proxy will use 100.64.1.85 as source for IPv4
2023-11-14T20:37:28Z INF ICMP proxy will use fe80::6c75:96ff:****:**** in zone eth0 as source for IPv6
2023-11-14T20:37:28Z WRN The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying /proc/sys/net/ipv4/ping_group_range. Otherwise cloudflared will not be able to ping this network error="Group ID 65532 is not between ping group 1 to 0"
2023-11-14T20:37:28Z WRN ICMP proxy feature is disabled error="cannot create ICMPv4 proxy: Group ID 65532 is not between ping group 1 to 0 nor ICMPv6 proxy: socket: permission denied"
2023-11-14T20:37:38Z INF Starting Hello World server at 127.0.0.1:37731
2023-11-14T20:37:38Z INF Starting metrics server on [::]:2000/metrics
2023-11-14T20:37:48Z INF Tunnel server stopped
2023-11-14T20:37:48Z INF Metrics server stopped

Additional context ) I just followed this instruction ) 2022.3.0 worked in the past but the same config doesn't seem to work anymore. This might be unrelated or because of an old version but I'd thought I would mention it.

guilherme-santos commented 6 months ago

Any news here?

nmesstorff commented 3 months ago

Also not working even when running as privileged container as uid/gid 0 and all capabilities.

Appreciate any information getting the ICMP proxy working.

philwinder commented 2 months ago

Hey all. I got this working by setting the securityContext of the pod in my deployment to the following:

apiVersion: apps/v1
kind: Deployment
spec:
...
  template:
    spec:
      securityContext:
        runAsGroup: 65532
        runAsUser: 65532
        runAsNonRoot: true 
        sysctls:
        - name: net.ipv4.ping_group_range
          value: "0           200000000"
         ...

Hope that helps!

ukd1 commented 2 months ago

@philwinder worked great, thanks!

mrclrchtr commented 2 months ago

With the inspiration of the solution of @philwinder, I fixed it with the following:

apiVersion: apps/v1
kind: Deployment
spec:
  ...
  template:
    spec:
      securityContext:
        sysctls:
          - name: net.ipv4.ping_group_range
            value: "65532       65532"
      containers:
        - name: cloudflared
          securityContext:
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false

I'm not sure which is the better/safer solution.

ukd1 commented 2 months ago

FYI for me, I only needed to add:

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      securityContext:
        sysctls:
        - name: net.ipv4.ping_group_range
          value: "0 2147483647"

The other stuff, for me, wasn't needed.