Backport of NET-5186 Fix issue where consul-dataplane attempts to write to a read-only file system location into release/1.0.x#254
Merged
nathancoleman merged 1 commit intorelease/1.0.xfrom Sep 5, 2023
Conversation
hc-github-team-consul-core
force-pushed
the
backport/setcap-envoy-only/manually-master-badger
branch
from
705c8ac to
fbaec06
Compare
hc-github-team-consul-core
force-pushed
the
backport/setcap-envoy-only/manually-master-badger
branch
from
fbaec06 to
705c8ac
Compare
…te to a read-only file system location
nathancoleman
force-pushed
the
backport/setcap-envoy-only/manually-master-badger
branch
from
705c8ac to
fc7a943
Compare
nathancoleman
approved these changes
Sep 5, 2023
Member
nathancoleman
left a comment
nathancoleman
left a comment
There was a problem hiding this comment.
Matches source PR other than changes around FIPS envoy
nathancoleman
deleted the
backport/setcap-envoy-only/manually-master-badger
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #253 to be assessed for backporting due to the inclusion of the label backport/1.0.
The below text is copied from the body of the original PR.
Running
setcapon the consul-dataplane binary results in a process that cannot see theTMPDIRenvar intended to influence where the envoy bootstrap config is written to. This is due to a previously-uknown-to-us side effect of glibc, described here.As a result, it attempts to write to the
/tmpdirectory instead of/consul/connect-inject-- configured for injected sidecars here -- and gets aread-only file systemerror.We previously considered dropping
setcapfor theconsul-dataplanebinary; however, theenvoybinary that is forked from dataplane cannot itself have a capability that the consul-dataplane process does not have.Instead, I've opted to keep
setcap net_bind_servicefor both envoy and consul-dataplane. We can work around the fact thatTMPDIRis invisible toconsul-dataplaneby not writing to the file system at all and usingenvoy --config-yaml <yaml or json string>where we were previously usingenvoy --config-path <string>.Overview of commits