Closed rorytorneymf closed 3 years ago
This oddly seems like an `ss` bug. If I run `ss -nltp` as the same user as the listening process, then it comes back with the pid. For some reason root will not gather that information.
```
$ docker run -it --rm tianon/network-toolbox
root@bc058746626a:/# apt update
...
root@bc058746626a:/# apt install gosu
...
root@bc058746626a:/# nc -l 4444
[... check ss in another terminal]
^C
root@bc058746626a:/# gosu nobody nc -l 4444
....
$ docker exec -it admiring_keller bash
$ # both running as root
root@bc058746626a:/# ss -nltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=325,fd=3))
$ # process running as nobody, ss as root
root@bc058746626a:/# ss -nltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1 0.0.0.0:4444 0.0.0.0:*
$ # process still as nobody , ss as nobody
root@bc058746626a:/# gosu nobody ss -nltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=343,fd=3))
root@bc058746626a:/# exit
$ # process still as nobody , ss as nobody
$ docker exec -it --user nobody admiring_keller bash
nobody@bc058746626a:/$ ss -nltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=343,fd=3))
nobody@bc058746626a:/$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4764 4124 pts/0 SNs 16:42 0:00 bash --login -i
nobody 343 0.0 0.0 3204 864 pts/0 SN+ 16:45 0:00 nc -l 4444
nobody 369 0.0 0.0 3872 3152 pts/1 SNs 16:50 0:00 bash
nobody 377 0.0 0.0 7644 2708 pts/1 RN+ 16:54 0:00 ps aux
```
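An added check, not code from the issue or from the gosu project, that does by hand what `ss -p` does to fill the `users:` column: read the listening sockets from `/proc/net/tcp`, then resolve each socket inode to a pid by reading `/proc/<pid>/fd`. It reports separately which fd tables the caller could not read, so an empty `users:` column can be told apart from a port that genuinely has no owner. The `/proc/net/tcp` sample and the inode/uid values are constructed.

```python
import os
import re

# Constructed sample of /proc/net/tcp: one LISTEN (st == 0A) socket on 0.0.0.0:4444
# (0x115C), owned by uid 65534 (nobody), socket inode 123456.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000 65534        0 123456 1 0000000000000000 100 0 0 10 0
"""

def parse_listeners(proc_net_tcp_text):
    """Return {socket_inode: (port, uid)} for every socket in LISTEN state."""
    listeners = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        port = int(fields[1].split(":")[1], 16)  # local port is hex
        listeners[int(fields[9])] = (port, int(fields[7]))
    return listeners

def scan_socket_owners(proc_root="/proc"):
    """Map socket inode -> pid by reading the fd symlinks under proc_root/<pid>/fd.
    Returns (owners, unreadable_pids); a pid lands in unreadable_pids when its fd
    table cannot be listed, which is where a silent ss -p would simply print no users: entry."""
    owners, unreadable = {}, []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                m = re.fullmatch(r"socket:\[(\d+)\]", target)
                if m:
                    owners[int(m.group(1))] = int(pid)
        except PermissionError:
            unreadable.append(int(pid))
        except OSError:
            continue  # process exited between listdir and readlink
    return owners, unreadable

def unattributed_ports(listeners, owners):
    """Listening ports whose socket inode was not found in any readable fd table."""
    return sorted(port for inode, (port, _uid) in listeners.items() if inode not in owners)

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        live = parse_listeners(f.read())
    owners, unreadable = scan_socket_owners()
    print("ports with no resolvable owner:", unattributed_ports(live, owners))
    print("pids whose fd table was unreadable:", unreadable)
```

Run it as root and as the listening process's user, as in the session above: a port that is unattributed in one run but resolvable in the other, with the owning pid listed as unreadable, pinpoints a permission problem on `/proc/<pid>/fd` rather than a missing listener.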
Normal behavior (not using gosu)

I have a container that calls an entrypoint script that uses the `gosu` utility to run a specified command as a particular user if an env var is set, or else to run as root: entrypoint.sh

When the `RUNAS_USER` env var is not provided (i.e. `exec "$@"` is executed and the container is run as root), when I log into the container and run `ss -nltp`, I can see that processes are correctly associated with a port (look at the last column):

Unexpected behavior (using gosu)

When the `RUNAS_USER` env var is provided (i.e. `exec /usr/local/bin/gosu $RUNAS_USER "$@"` is executed and the container is run as a specific user), when I log into the container and run `ss -nltp`, the ports are no longer associated with any process (i.e. there are no `users:(("java",pid=7,fd=187))` etc. entries in the output from `ss -nltp`):

Problem

When a container succeeds in associating a port with an underlying process, the port is visible externally on the network. However, the above problem when using `gosu` means that my K8s deployment didn't set up ports externally routable to the pods of my nodeport service.