search

nginxinc / kubernetes-ingress

NGINX and NGINX Plus Ingress Controllers for Kubernetes
https://docs.nginx.com/nginx-ingress-controller
Apache License 2.0
4.66k stars 1.97k forks source link

Enforcer nmap v5 crashes on startup with no active waf policy configured #6251

Open anderius opened 2 months ago

anderius commented 2 months ago

Describe the bug Enforcer container fails to start without sites configured. NginxIC container also fails to start, waiting for the enforcer container.

To Reproduce Deploy the Helm chart with Nginx App Protect V5 enabled, but no resources that uses the WAF. That is, no VirtualServer with apBundle.

Expected behavior We expect the nginx ic and the enforcer container to start without errors, even when no virtualserver with WAF is deployed.

Your environment

Additional context Log from the enforcer container:

│ setting memory control callbacks for XML                                                                                                                                           │
│ BD_MISC|CRIT  |Aug 13 13:16:22.079|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0198|failed to get manifest last modification time, err: No such fil │
│ Timeout detected while waiting for configuration. time since last config: 40 BD aborting                                                                                           │
│ BD_MISC|WARN  |Aug 13 13:16:22.080|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0199|Timeout detected while waiting for configuration. time since la │
│                                                                                                                                                                                    │
│ BD_MISC|ERR   |Aug 13 13:16:22.081|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0114|failed opening manifest out file. path=/opt/app_protect/bd_conf │
│ 2024/08/13 13:16:22 Execution failed: exit status 1
github-actions[bot] commented 2 months ago

Hi @anderius thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this :slightly_smiling_face:

Cheers!

janibashamd commented 2 months ago

I'm also facing similar issue.

AlexFenlon commented 2 months ago

Hi Folks, we are currently looking into this.

shaun-nx commented 2 months ago

Hi folks @anderius @janibashamd We've been in contact with the team that owns the development of this component of AppProtect v5. They are working on ensure the waf-enforcer wont crash in this scenario.

As soon as we have more info, we'll share it in this thread.