more perms required #14

Closed
ReSearchITEng opened this issue Feb 23, 2018 · 4 comments

@ReSearchITEng
Contributor

--cap-add=NET_ADMIN does not seem to be enough, as it gives:
Cant send advert to 192.168.1.195 (Operation not permitted)

By adding --privileged, everything seems ok.

When it gives the error, I am running with:

    docker run --name ka \
      --env KEEPALIVED_INTERFACE=$(ip route | grep default | head -1 | cut -d" " -f5) \
      --env KEEPALIVED_PASSWORD="d0cker" \
      --cap-add=NET_ADMIN --net=host \
      --env KEEPALIVED_UNICAST_PEERS="#PYTHON2BASH:['192.168.1.176', '192.168.1.195', '192.168.1.92']" \
      --env KEEPALIVED_VIRTUAL_IPS="#PYTHON2BASH:['192.168.1.99']" \
      --detach osixia/keepalived:1.4.1 --loglevel debug

Fri Feb 23 23:27:08 2018:  Default script uid:gid 0:0
Fri Feb 23 23:27:12 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:12 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:12 2018: VRRP_Instance(VI_1) Transition to MASTER STATE
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) Entering MASTER STATE
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) setting protocol VIPs.
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) Sending/queueing gratuitous ARPs on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:13 2018: Opening script file /container/service/keepalived/assets/notify.sh
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:13 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
I'm the MASTER! Whup whup.
Fri Feb 23 23:27:14 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:14 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:15 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:15 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:16 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:16 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:17 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:17 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: VRRP_Instance(VI_1) Sending/queueing gratuitous ARPs on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: Sending gratuitous ARP on enp0s3 for 192.168.1.99
Fri Feb 23 23:27:18 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:18 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:19 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:19 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
Fri Feb 23 23:27:20 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.195 (Operation not permitted)
Fri Feb 23 23:27:20 2018: VRRP_Instance(VI_1) Cant send advert to 192.168.1.92 (Operation not permitted)
@devrandom0
Contributor

check your firewall
accept the VRRP protocol:

iptables -I INPUT -p vrrp -j ACCEPT
iptables -I OUTPUT -p vrrp -j ACCEPT

@ReSearchITEng
Contributor Author

ReSearchITEng commented Mar 14, 2019

@sinamoghaddas Thanks for the suggestion.
I tried with the firewall fully open (ACCEPT policy).
Also it was noticed the error is related to permissions: "(Operation not permitted)".
Without any changes to the firewall, by adding the privileged mode, everything went fine.

But ideally, we need to find the exact capability to enable, not full.

@devrandom0
Contributor

@ReSearchITEng
this is my cap config:

    cap_add:
      - NET_ADMIN
      - NET_BROADCAST
      - NET_RAW

@ReSearchITEng
Contributor Author

Thanks, I will add these!
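
The thread's question is which capabilities the container actually holds short of `--privileged`. The script below is an added example, not part of the thread or of the project's code: it decodes a capability bitmask, as found on the `CapEff` line of `/proc/<pid>/status`, and lists which of the three capabilities named above are absent. The function names and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode a Linux capability bitmask and report which of
# NET_ADMIN, NET_BROADCAST and NET_RAW it lacks.

# Bit numbers as defined in linux/capability.h.
cap_bit() {
  case "$1" in
    NET_BROADCAST) echo 11 ;;
    NET_ADMIN)     echo 12 ;;
    NET_RAW)       echo 13 ;;
    *) return 1 ;;
  esac
}

# has_cap <hex-mask> <name>: exit 0 if set, 1 if clear, 2 on bad input.
has_cap() (
  case "$1" in ''|*[!0-9a-fA-F]*) exit 2 ;; esac
  bit=$(cap_bit "$2") || exit 2
  [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]
)

# missing_caps <hex-mask>: print the absent capabilities, space-separated.
missing_caps() (
  case "$1" in ''|*[!0-9a-fA-F]*) echo "bad mask: $1" >&2; exit 2 ;; esac
  out=""
  for name in NET_ADMIN NET_BROADCAST NET_RAW; do
    has_cap "$1" "$name" || out="${out:+$out }$name"
  done
  echo "$out"
)

# cap_eff_of <pid>: print a live process's effective mask (Linux only).
cap_eff_of() { awk '/^CapEff:/ { print $2 }' "/proc/$1/status"; }

# Constructed sample masks (not captured from a real container):
#   only bit 12 set, bits 11-13 set, and every bit up to 37 set.
for mask in 0000000000001000 0000000000003800 0000003fffffffff; do
  echo "$mask missing: [$(missing_caps "$mask")]"
done
```

Run inside the container, `missing_caps "$(cap_eff_of 1)"` reports on the container's init process, which makes it possible to compare a `--cap-add` run against a `--privileged` one before settling on a capability list.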
