maistra / istio-workspace

Safely develop and test on any Kubernetes cluster without affecting others.
Apache License 2.0

New version of Telepresence ships OCP proxy image #290

Open bartoszmajsak opened 5 years ago

bartoszmajsak commented 5 years ago

See https://github.com/telepresenceio/telepresence/blob/master/k8s-proxy/Dockerfile.ocp

Related tasks

bartoszmajsak commented 5 years ago

With 0.103 being released yesterday we can already test the new OCP image for telepresence proxy. https://www.telepresence.io/reference/changelog

bartoszmajsak commented 5 years ago

If we decide to use this image for OpenShift clusters we should have a way to know what cluster type we are using. I can see two options:

WDYT @aslakknutsen?
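One way to answer the "what cluster type are we on" question, as an added example that is not part of this comment or of the istio-workspace code: every Kubernetes API server publishes its API groups at GET /apis (an APIGroupList), and OpenShift clusters carry groups under the openshift.io domain (for example route.openshift.io). The function below decides from that document alone; the two JSON bodies are constructed samples, not captured from a real cluster, and the choice of API groups as the discriminator is this example's own assumption rather than one of the options the comment had in mind.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// apiGroupList mirrors the only part of the Kubernetes discovery document
// served at /apis (metav1.APIGroupList) that the detection needs.
type apiGroupList struct {
	Groups []struct {
		Name string `json:"name"`
	} `json:"groups"`
}

// ClusterType is the outcome of the detection.
type ClusterType string

const (
	ClusterOpenShift  ClusterType = "openshift"
	ClusterKubernetes ClusterType = "kubernetes"
)

// DetectClusterType reports "openshift" when the /apis discovery document
// advertises any API group in the openshift.io domain, otherwise "kubernetes".
// A malformed document is an error rather than a silent "kubernetes" answer,
// so a broken discovery response cannot select the wrong proxy image.
func DetectClusterType(apisBody []byte) (ClusterType, error) {
	var list apiGroupList
	if err := json.Unmarshal(apisBody, &list); err != nil {
		return "", fmt.Errorf("parsing /apis discovery document: %w", err)
	}
	for _, g := range list.Groups {
		if g.Name == "openshift.io" || strings.HasSuffix(g.Name, ".openshift.io") {
			return ClusterOpenShift, nil
		}
	}
	return ClusterKubernetes, nil
}

// Constructed sample discovery documents (assumed shape, not real captures).
const ocpApis = `{"kind":"APIGroupList","groups":[{"name":"apps"},{"name":"route.openshift.io"},{"name":"rbac.authorization.k8s.io"}]}`
const vanillaApis = `{"kind":"APIGroupList","groups":[{"name":"apps"},{"name":"networking.k8s.io"},{"name":"rbac.authorization.k8s.io"}]}`

func main() {
	for _, body := range []string{ocpApis, vanillaApis} {
		ct, err := DetectClusterType([]byte(body))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("cluster type:", ct)
	}
}
```

In a real client the body would come from an authenticated GET against the API server's /apis endpoint (client-go's discovery client returns the same structure); nothing else about the cluster needs to be touched to make the decision.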

bartoszmajsak commented 4 years ago

With the latest 0.103 and the new -ocp proxy container I'm unable to run the simplest example of swapping a deployment: telepresence --swap-deployment hello-world --expose 8000 --run python3 -m http.server 8000, where hello-world is the datawire/hello-world sample Python app. I used the daily QE cluster.

When swapping the deployment it prompts for the telepresence@127.0.0.1 password:

╰─ telepresence --swap-deployment hello-world --expose 8000 --run python3 -m http.server 8000

T: How Telepresence uses sudo: https://www.telepresence.io/reference/install#dependencies
T: Invoking sudo. Please enter your sudo password.
[sudo] password for bartek:                       
T: Starting proxy with method 'vpn-tcp', which has the following limitations: All processes are affected, only one 
T: telepresence can run per machine, and you can't use other VPNs. You may need to add cloud hosts and headless services 
T: with --also-proxy. For a full list of method limitations see https://telepresence.io/reference/methods.html
T: Volumes are rooted at $TELEPRESENCE_ROOT. See https://telepresence.io/howto/volumes.html for details.
telepresence@127.0.0.1's password: 
telepresence@127.0.0.1's password: 
telepresence@127.0.0.1's password: 
telepresence@127.0.0.1's password:

Here's the behavior on the command line: tp103-ocp

and full telepresence.log

bartoszmajsak commented 4 years ago

Prompting for pwd is especially interesting considering this:

https://github.com/telepresenceio/telepresence/blob/2584d12e790934944e597795b79fde1ea0a7022a/k8s-proxy/Dockerfile.ocp#L53

bartoszmajsak commented 4 years ago

Logs from failing container:

ssh-keygen: generating new host keys: RSA1 RSA DSA ECDSA ED25519
Retrieving this pod's namespace from the process environment
Pod's namespace is 'bartosz-tp-hello-world'
Listening...
2019-12-12T10:55:13+0000 [-] Loading ./forwarder.py...
2019-12-12T10:55:13+0000 [-] /etc/resolv.conf changed, reparsing
2019-12-12T10:55:13+0000 [-] Resolver added ('172.30.0.10', 53) to server list
2019-12-12T10:55:13+0000 [-] SOCKSv5Factory starting on 9050
2019-12-12T10:55:13+0000 [socks.SOCKSv5Factory#info] Starting factory <socks.SOCKSv5Factory object at 0x7f791d11b3c8>
2019-12-12T10:55:13+0000 [-] DNSDatagramProtocol starting on 9053
2019-12-12T10:55:13+0000 [-] Starting protocol <twisted.names.dns.DNSDatagramProtocol object at 0x7f791d11b710>
2019-12-12T10:55:13+0000 [-] Loaded.
2019-12-12T10:55:13+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 19.7.0 (/opt/rh/rh-python36/root/usr/bin/python3 3.6.3) starting up.
2019-12-12T10:55:13+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2019-12-12T10:55:44+0000 [Poll#error] Failed to contact Telepresence client:
2019-12-12T10:55:44+0000 [Poll#error] Connection was refused by other side: 111: Connection refused.
2019-12-12T10:55:44+0000 [Poll#warn] Perhaps it's time to exit?
2019-12-12T10:56:14+0000 [Poll#error] Failed to contact Telepresence client:
2019-12-12T10:56:14+0000 [Poll#error] Connection was refused by other side: 111: Connection refused.
2019-12-12T10:56:14+0000 [Poll#warn] Perhaps it's time to exit?

bartoszmajsak commented 4 years ago

It seems that sshd needs the AUDIT_WRITE kernel capability, which is disabled in CRI-O. So either we need to add that, which is yet another security relaxation, or we should figure out how to fix the base image. I will investigate further.
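To check the capability question from inside a running container rather than guessing from the runtime's documentation, the kernel reports each process's effective capability set as a hex bitmask on the CapEff line of /proc/<pid>/status. The Go program below, added here as an example and not code from this issue or from istio-workspace, parses that line, names the capabilities it contains, and answers whether CAP_AUDIT_WRITE (bit 29 in linux/capability.h) is among them. The two status excerpts are constructed sample inputs: the first uses the mask a Docker-style default capability set produces, the second a reduced set without AUDIT_WRITE, matching the symptom described in the comment; neither is a capture from the QE cluster.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// capNames maps Linux capability bit numbers to their names, in the order
// defined in include/uapi/linux/capability.h (bit 0 = CAP_CHOWN).
var capNames = [...]string{
	"chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
	"setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
	"net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
	"sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
	"sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
	"sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
	"setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
	"block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
}

// CapAuditWrite is the bit number of CAP_AUDIT_WRITE, which sshd uses to
// write login records to the kernel audit subsystem.
const CapAuditWrite uint = 29

// ParseCapEff extracts the effective capability bitmask from the text of a
// /proc/<pid>/status file (the "CapEff:" line holds 16 hex digits).
func ParseCapEff(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		hexMask := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		mask, err := strconv.ParseUint(hexMask, 16, 64)
		if err != nil {
			return 0, fmt.Errorf("malformed CapEff value %q: %w", hexMask, err)
		}
		return mask, nil
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

// HasCap reports whether capability bit `bit` is set in mask.
func HasCap(mask uint64, bit uint) bool {
	return bit < 64 && mask&(1<<bit) != 0
}

// CapNamesOf lists the capabilities present in mask as cap_* names; bits the
// table does not know (newer kernels) are reported by number.
func CapNamesOf(mask uint64) []string {
	var names []string
	for bit := uint(0); bit < 64; bit++ {
		if !HasCap(mask, bit) {
			continue
		}
		if int(bit) < len(capNames) {
			names = append(names, "cap_"+capNames[bit])
		} else {
			names = append(names, fmt.Sprintf("cap_%d", bit))
		}
	}
	return names
}

// Constructed /proc/<pid>/status excerpts (sample data, not real captures).
// 0xa80425fb is the mask of the Docker default capability set, which includes
// audit_write; 0x5fb is a reduced set without it.
const statusWithAuditWrite = "Name:\tsshd\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
const statusWithoutAuditWrite = "Name:\tsshd\nCapInh:\t0000000000000000\nCapPrm:\t00000000000005fb\nCapEff:\t00000000000005fb\nCapBnd:\t00000000000005fb\n"

func main() {
	for _, status := range []string{statusWithAuditWrite, statusWithoutAuditWrite} {
		mask, err := ParseCapEff(status)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("CapEff=%016x audit_write=%v\n  %s\n", mask, HasCap(mask, CapAuditWrite),
			strings.Join(CapNamesOf(mask), " "))
	}
}
```

Run against a live container by feeding it the contents of /proc/1/status (or the sshd process's own status file) from a `kubectl exec` shell; the same parse also tells you which capabilities a tightened base image would still need, so the fix can be evaluated against the actual granted set instead of by adding capabilities until the daemon starts.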

bartoszmajsak commented 4 years ago

Similar CRI-O restrictions might be affecting Squash pods.