kubectl won’t apply the ziti-tunnel sidecar deployment as written in the quickstart. I’ll follow on here with examples.
If you have a demonstrable issue with documentation or with any of the code provided it’d be great if you could file a github issue against the project in question. Additional information about how to file a bug can be found here https://netfoundry.github.io/policies/CONTRIBUTING.html#bugissue-reports
If you would prefer having a discussion first - this is the right place!
… and add link to github issue here
I was able to correct the deployment by renaming the volume and adding some attributes that were probably optional when the quickstart was written and became required with newer versions of Kubernetes. Here’s a pull request: add newly required attributes to sidecar quickstart deployment example by qrkourier · Pull Request #21 · openziti/ziti · GitHub
I did run into a new, related issue getting the quickstart to work. After supplying the JWT, ziti-tunnel runs with an error.
❯ kubectl logs --follow ziti-tunnel-sidecar-demo-65d8c947d4-n9dv6 --container ziti-tunnel
running ziti-tunnel
+ ziti-tunnel -i /netfoundry/tunnel-sidecar.json run
{"file":"/go/src/bitbucket.org/netfoundry/ziti/tunnel/intercept/tproxy/tproxy_linux.go:72","func":"bitbucket.org/netfoundry/ziti/tunnel/intercept/tproxy.New","level":"info","msg":"tproxy listening on tcp:127.0.0.1:38363","time":"2020-01-02T13:15:00Z"}
{"file":"/go/src/bitbucket.org/netfoundry/ziti/tunnel/intercept/tproxy/tproxy_linux.go:82","func":"bitbucket.org/netfoundry/ziti/tunnel/intercept/tproxy.New","level":"info","msg":"tproxy listening on udp:127.0.0.1:53401, remoteAddr: \u003cnil\u003e","time":"2020-01-02T13:15:00Z"}
{"file":"/go/src/bitbucket.org/netfoundry/ziti/tunnel/cmd/ziti-tunnel/subcmd/run.go:36","func":"bitbucket.org/netfoundry/ziti/tunnel/cmd/ziti-tunnel/subcmd.run","level":"info","msg":"tproxy initialization failed: failed to list iptables chains: running [/sbin/iptables -t mangle -S --wait]: exit status 3: iptables v1.4.21: can't initialize iptables table `mangle': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n","time":"2020-01-02T13:15:00Z"}
{"file":"/go/src/bitbucket.org/netfoundry/ziti/tunnel/cmd/ziti-tunnel/subcmd/run.go:45","func":"bitbucket.org/netfoundry/ziti/tunnel/cmd/ziti-tunnel/subcmd.run","level":"info","msg":"tun initialization failed: failed to open tun interface (name='', mtu=65535): open /dev/net/tun: no such file or directory","time":"2020-01-02T13:15:00Z"}
{"file":"/go/src/bitbucket.org/netfoundry/ziti/tunnel/cmd/ziti-tunnel/subcmd/run.go:53","func":"bitbucket.org/netfoundry/ziti/tunnel/cmd/ziti-tunnel/subcmd.run","level":"fatal","msg":"failed to initialize an interceptor","time":"2020-01-02T13:15:00Z"}
+ alldone
+ sleep 1
Seems like it can't open the TUN for some reason. Did you try a fresh new install of all this? I created Using the kubernetes quickstart returns error · Issue #22 · openziti/ziti · GitHub to track this problem. Can you add the exact steps to reproduce there please?
The problem seems to be that the run-as user specified in the Dockerfile does not have permission to do the things that ziti-tunnel is trying to do, namely to modify the mangle table with iptables. I’m not sure what a fresh install might look like because I’m using the container image version tag specified in the Quickstart.
I’m guessing this is the Dockerfile, and I see from the tunneler doc for Linux that the NET_ADMIN capability is required, so I’m investigating how to grant that to the run-as user in the container without also granting all privileges with a simple sudo. I’ll send a PR for the Dockerfile if I’m able to get it working.
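The log posted earlier in this thread shows two separate preconditions failing: iptables on the mangle table needs CAP_NET_ADMIN, and the tun interceptor needs /dev/net/tun to exist in the container. The following is an added example, not code from this thread or from the ziti project: a small POSIX sh pre-flight check that an entrypoint could run before launching ziti-tunnel, so the failure is reported in plain terms instead of as the Go log lines above. It assumes the Linux capability numbering from capabilities(7) (CAP_NET_ADMIN is bit 12 of the CapEff bitmap in /proc/self/status) and the default /dev/net/tun path seen in the log; the two hex capability sets at the end are constructed sample values (the Docker default set, and the same set with CAP_NET_ADMIN added), not taken from any real container.

```shell
#!/bin/sh
# Added example (not part of the thread or the ziti project): pre-flight checks
# for the two requirements ziti-tunnel's tproxy and tun interceptors have,
# according to the log above: CAP_NET_ADMIN for iptables, and /dev/net/tun.

# CAP_NET_ADMIN is capability number 12 in the Linux capability bitmap
# (capabilities(7)); /proc/<pid>/status prints CapEff as a hex bitmap.
CAP_NET_ADMIN_BIT=12

# has_cap_net_admin HEX: succeed if bit 12 is set in the given CapEff value.
has_cap_net_admin() {
    hex="$1"
    [ $(( (0x$hex >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# current_cap_eff: the effective capability set of this process, from procfs.
current_cap_eff() {
    if [ -r /proc/self/status ]; then
        awk '/^CapEff:/ { print $2 }' /proc/self/status
    else
        echo 0000000000000000   # no procfs available: treat as no capabilities
    fi
}

# tun_device_present [PATH]: succeed if the tun character device exists.
tun_device_present() {
    [ -c "${1:-/dev/net/tun}" ]
}

# preflight: run both checks, report what is missing, fail if anything is.
preflight() {
    rc=0
    if has_cap_net_admin "$(current_cap_eff)"; then
        echo "ok: CAP_NET_ADMIN is in the effective capability set"
    else
        echo "missing: CAP_NET_ADMIN (iptables -t mangle fails with 'you must be root')"
        rc=1
    fi
    if tun_device_present; then
        echo "ok: /dev/net/tun is present"
    else
        echo "missing: /dev/net/tun (the tun interceptor cannot open the device)"
        rc=1
    fi
    return $rc
}

# Constructed sample CapEff values for demonstration only: the Docker default
# capability set, and the same set with CAP_NET_ADMIN (bit 12) added.
DEFAULT_DOCKER_CAPS=00000000a80425fb
WITH_NET_ADMIN=00000000a80435fb

for caps in "$DEFAULT_DOCKER_CAPS" "$WITH_NET_ADMIN"; do
    if has_cap_net_admin "$caps"; then
        echo "$caps: CAP_NET_ADMIN present"
    else
        echo "$caps: CAP_NET_ADMIN absent"
    fi
done
```

From a container entrypoint the call would be `preflight || exit 1` before `exec ziti-tunnel ...`, so a pod that was scheduled without the capability or without the device node fails fast with a readable reason. Note that passing the check for CAP_NET_ADMIN does not require running as root: the capability can be granted to the container on its own (in Kubernetes through the container's securityContext.capabilities.add list) rather than through sudo, which is the narrower grant the post above is looking for.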
That is not the Dockerfile. I’ll get the Docker artifacts pushed in a PR to the ziti-cmd repo shortly.
The URL of the quickstart in question has changed to https://netfoundry.github.io/ziti-doc/ziti-cmd/quickstart/kubernetes/sidecar-tunnel/kubernetes-sidecar-tunnel-quickstart.html