osixia / docker-keepalived

Keepalived container image 🐳🌴
MIT License

more perms required #14

Closed ReSearchITEng closed 5 years ago

ReSearchITEng commented 6 years ago

--cap-add=NET_ADMIN does not seem to be enough, as it gives: Cant send advert to 192.168.1.195 (Operation not permitted)

By adding --privileged, everything seems ok.

When it gives error, I am running with: docker run --name ka --env KEEPALIVED_INTERFACE=$(ip route | grep default | head -1 | cut -d" " -f5) --env KEEPALIVED_PASSWORD="d0cker" --cap-add=NET_ADMIN --net=host --env KEEPALIVED_UNICAST_PEERS="#PYTHON2BASH:['192.168.1.176', '192.168.1.195', '192.168.1.92']" --env KEEPALIVED_VIRTUAL_IPS="#PYTHON2BASH:['192.168.1.99']" --detach osixia/keepalived:1.4.1 --loglevel debug

Fri Feb 23 23:27:08 2018:  Default script uid:gid 0:0
Fri Feb 23 23:27:12 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:12 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:12 2018: VRRP_Instance(VI_1) Transition to MASTER STATE
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) Entering MASTER STATE
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) setting protocol VIPs.
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) Sending/queueing gratuitous ARPs on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Opening script file /container/service/keepalived/assets/notify.sh
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
I'm the MASTER! Whup whup.
Fri Feb 23 23:27:14 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:14 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:15 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:15 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:16 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:16 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:17 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:17 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: VRRP_Instance(VI_1) Sending/queueing gratuitous ARPs on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:18 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:19 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:19 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:20 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:20 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
devrandom0 commented 5 years ago

Check that your firewall accepts the VRRP protocol:

iptables -I INPUT -p vrrp -j ACCEPT
iptables -I OUTPUT -p vrrp -j ACCEPT

ReSearchITEng commented 5 years ago

@sinamoghaddas Thanks for the suggestion. I tried with the firewall fully open (ACCEPT policy). Also, it was noticed that the error is related to permissions: "(Operation not permitted)". Without any changes to the firewall, by adding the privileged mode, everything went fine.

But ideally, we need to find the exact capability to enable, rather than full privileges.

devrandom0 commented 5 years ago

@ReSearchITEng this is my cap config:

    cap_add:
      - NET_ADMIN
      - NET_BROADCAST
      - NET_RAW
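As an added example (not code from the osixia/docker-keepalived project or from anyone in this thread), the shell snippet below turns the capability set above into a least-privilege alternative to --privileged and adds two checks: one reads a CapEff mask (the value printed in /proc/<pid>/status) and reports which of NET_ADMIN, NET_BROADCAST and NET_RAW are absent, the other counts the "Cant send advert ... (Operation not permitted)" lines in a keepalived log, the symptom reported in this issue. The capability bit numbers come from linux/capability.h; the demo masks are assumed to be Docker's default CapEff (00000000a80425fb) with and without the added capabilities, and the sample log lines are copied from the issue.

```shell
#!/bin/sh
# Added example, not part of osixia/docker-keepalived.
# Least-privilege check for keepalived in a container: which capabilities
# the runtime granted, and whether VRRP advert sends are refused with EPERM.

# Capability bit numbers, from linux/capability.h
CAP_NET_BROADCAST=11
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# Docker flags for the three capabilities reported as working in the thread,
# to be used instead of --privileged.
keepalived_cap_flags() {
  printf '%s' '--cap-add=NET_ADMIN --cap-add=NET_BROADCAST --cap-add=NET_RAW'
}

# has_cap MASK BIT: succeed if capability BIT is set in the hex MASK
# (MASK is the value of the CapEff line in /proc/<pid>/status).
has_cap() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_caps [PID]: print the CapEff mask of PID (default: this shell).
# Run inside the container to see what the runtime actually granted.
effective_caps() {
  awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# missing_keepalived_caps MASK: print the names of the required capabilities
# that are absent from MASK (empty output means all three are present).
missing_keepalived_caps() {
  missing=""
  has_cap "$1" "$CAP_NET_ADMIN"     || missing="$missing NET_ADMIN"
  has_cap "$1" "$CAP_NET_BROADCAST" || missing="$missing NET_BROADCAST"
  has_cap "$1" "$CAP_NET_RAW"       || missing="$missing NET_RAW"
  printf '%s' "${missing# }"
}

# eperm_advert_count LOGFILE: number of VRRP adverts refused with EPERM.
eperm_advert_count() {
  grep -c 'Cant send advert to .* (Operation not permitted)' "$1" || true
}

# Constructed sample log, copied from the lines quoted in this issue.
KEEPALIVED_SAMPLE_LOG=$(mktemp)
cat > "$KEEPALIVED_SAMPLE_LOG" <<'EOF'
Fri Feb 23 23:27:12 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:12 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:12 2018: VRRP_Instance(VI_1) Transition to MASTER STATE
EOF

# Demo with sample masks (assumed: 00000000a80425fb is Docker's default CapEff;
# the next two add NET_ADMIN, then NET_ADMIN plus NET_BROADCAST).
for mask in 00000000a80425fb 00000000a80435fb 00000000a8043dfb; do
  printf 'CapEff %s -> missing: [%s]\n' "$mask" "$(missing_keepalived_caps "$mask")"
done
printf 'EPERM adverts in sample log: %s\n' "$(eperm_advert_count "$KEEPALIVED_SAMPLE_LOG")"
printf 'Run with: docker run %s --net=host ... osixia/keepalived:1.4.1\n' "$(keepalived_cap_flags)"
```

Inside a running container, `missing_keepalived_caps "$(effective_caps)"` shows directly which of the three capabilities the runtime left out; with Docker's default set plus NET_ADMIN alone, NET_RAW is already present by default and NET_BROADCAST is the one still missing.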

ReSearchITEng commented 5 years ago

Thanks, I will add these!