Bug 2020377

Summary: permissions error while using tcpdump option with must-gather
Product: OpenShift Container Platform
Reporter: Mehul Modi <memodi>
Component: Networking
Assignee: Ben Bennett <bbennett>
Networking sub component: openshift-sdn
QA Contact: Mehul Modi <memodi>
Status: CLOSED ERRATA
Docs Contact:
Severity: low
Priority: unspecified
CC: zzhao
Version: 4.10
Target Milestone: ---
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-10 16:25:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Mehul Modi 2021-11-04 17:15:48 UTC
Description of problem:

https://issues.redhat.com/browse/SDN-1760 added an option to capture tcpdump packets; however, while testing, it fails to do so, as shown below:

$ ./oc adm must-gather --dest-dir ./tmp --source-dir '/tmp/tcpdump/' --image quay.io/openshift/origin-network-tools:latest --node-selector 'kubernetes.io/os=linux,node-role.kubernetes.io/master' --host-network -- timeout 30 tcpdump -i any -w /tmp/tcpdump/\$POD_NAME-%Y-%m-%dT%H:%M:%S.pcap -W 1 -G 300
[must-gather      ] OUT Using must-gather plug-in image: quay.io/openshift/origin-network-tools:latest
When opening a support case, bugzilla, or issue please include the following summary data along with any other requested information.
ClusterID: bc06a2a8-d1c9-415e-9e17-8fa6e43c993b
ClusterVersion: Stable at "4.10.0-0.nightly-2021-11-04-001635"
ClusterOperators:
	All healthy and stable


[must-gather      ] OUT namespace/openshift-must-gather-6cz8g created
[must-gather      ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-zqk67 created
Warning: would violate "latest" version of "baseline" PodSecurity profile: host namespaces (hostNetwork=true)
[must-gather      ] OUT pod: must-gather-f6s2q on node: ci-ln-tp3hvw2-72292-t8rf7-master-0 for plug-in image quay.io/openshift/origin-network-tools:latest created
[must-gather      ] OUT pod: must-gather-jfhrz on node: ci-ln-tp3hvw2-72292-t8rf7-master-1 for plug-in image quay.io/openshift/origin-network-tools:latest created
[must-gather      ] OUT pod: must-gather-jqzn4 on node: ci-ln-tp3hvw2-72292-t8rf7-master-2 for plug-in image quay.io/openshift/origin-network-tools:latest created
[must-gather-jfhrz] POD 2021-11-04T16:58:28.800868866Z tcpdump: any: You don't have permission to capture on that device
[must-gather-jfhrz] POD 2021-11-04T16:58:28.800868866Z (socket: Operation not permitted)
[must-gather-f6s2q] POD 2021-11-04T16:58:28.573518008Z tcpdump: 2021-11-04T16:58:28.573646835Z any: You don't have permission to capture on that device
[must-gather-f6s2q] POD 2021-11-04T16:58:28.573646835Z (socket: Operation not permitted)2021-11-04T16:58:28.573673551Z 
[must-gather-jqzn4] POD 2021-11-04T16:58:28.589776570Z tcpdump: any: You don't have permission to capture on that device
[must-gather-jqzn4] POD 2021-11-04T16:58:28.589776570Z (socket: Operation not permitted)
[must-gather-jfhrz] OUT waiting for gather to complete
[must-gather-f6s2q] OUT waiting for gather to complete
[must-gather-jqzn4] OUT waiting for gather to complete
[must-gather-jfhrz] OUT downloading gather output
[must-gather-f6s2q] OUT downloading gather output
[must-gather-jqzn4] OUT downloading gather output
[must-gather-jqzn4] OUT receiving file list ... done
[must-gather-jfhrz] OUT receiving file list ... done
[must-gather-jqzn4] OUT 
[must-gather-jqzn4] OUT sent 16 bytes  received 44 bytes  40.00 bytes/sec
[must-gather-jqzn4] OUT total size is 0  speedup is 0.00
[must-gather-jfhrz] OUT 
[must-gather-jfhrz] OUT sent 16 bytes  received 44 bytes  24.00 bytes/sec
[must-gather-jfhrz] OUT total size is 0  speedup is 0.00
[must-gather-f6s2q] OUT receiving file list ... done
[must-gather-f6s2q] OUT 
[must-gather-f6s2q] OUT sent 16 bytes  received 44 bytes  9.23 bytes/sec
[must-gather-f6s2q] OUT total size is 0  speedup is 0.00
[must-gather      ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-zqk67 deleted
[must-gather      ] OUT namespace/openshift-must-gather-6cz8g deleted


When opening a support case, bugzilla, or issue please include the following summary data along with any other requested information.
ClusterID: bc06a2a8-d1c9-415e-9e17-8fa6e43c993b
ClusterVersion: Stable at "4.10.0-0.nightly-2021-11-04-001635"
ClusterOperators:
	All healthy and stable





Version-Release number of selected component (if applicable):

[root@ocp-edge50 ~]# oc version
Client Version: 4.10.0-0.nightly-2021-11-03-111400
Server Version: 4.10.0-0.nightly-2021-11-03-111400



How reproducible:
Reliably


Steps to Reproduce:
1. Install a 4.10 cluster, log in as kubeadmin
2. Run the above "oc adm must-gather" command

Actual results:
Command fails to capture tcpdump packets due to a permissions issue.


Expected results:
tcpdump packet capture should succeed.

Additional info:
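
A check for the failure shown in this report, as an added example that is not part of the original bug report or of must-gather itself: it reads must-gather output, groups lines by gather pod, and flags pods where tcpdump was refused the capture socket or where the transfer reported "total size is 0". The sample input is constructed in the log format shown above; the pod names `must-gather-okpod` and `must-gather-nofile` and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the must-gather output in this report.
# The "okpod" and "nofile" lines and the non-zero byte count are made up for contrast.
SAMPLE = """\
[must-gather      ] OUT namespace/openshift-must-gather-6cz8g created
[must-gather-jfhrz] POD 2021-11-04T16:58:28.800868866Z tcpdump: any: You don't have permission to capture on that device
[must-gather-jfhrz] POD 2021-11-04T16:58:28.800868866Z (socket: Operation not permitted)
[must-gather-jfhrz] OUT downloading gather output
[must-gather-jfhrz] OUT total size is 0  speedup is 0.00
[must-gather-okpod] OUT downloading gather output
[must-gather-okpod] OUT total size is 48,213  speedup is 1.00
[must-gather-nofile] OUT waiting for gather to complete
"""

# "[must-gather-<id>] POD|OUT <message>"; the bare "[must-gather      ]" prefix is skipped.
LINE = re.compile(r"^\[(must-gather-[^\]\s]+)\s*\]\s+(POD|OUT)\s?(.*)$")
DENIED = re.compile(r"Operation not permitted|don't have permission to capture")
SIZE = re.compile(r"total size is ([\d,]+)")

def check_capture(log_text):
    """Map each gather pod to whether it was denied and how many bytes came back."""
    pods = defaultdict(lambda: {"denied": False, "bytes": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pod, stream, msg = m.groups()
        state = pods[pod]
        if stream == "POD" and DENIED.search(msg):
            state["denied"] = True
        size = SIZE.search(msg) if stream == "OUT" else None
        if size:
            state["bytes"] = int(size.group(1).replace(",", ""))
    for state in pods.values():
        # A capture counts only if it was not refused and the transfer was non-empty.
        state["ok"] = not state["denied"] and bool(state["bytes"])
    return dict(pods)

def failed_pods(log_text):
    """Sorted names of pods whose capture was refused, empty, or never transferred."""
    return sorted(p for p, s in check_capture(log_text).items() if not s["ok"])

if __name__ == "__main__":
    for pod, state in sorted(check_capture(SAMPLE).items()):
        print(pod, state)
```
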

Comment 1 Mehul Modi 2021-11-04 17:17:40 UTC
Correct oc version:

$ ./oc version
Client Version: 4.10.0-0.nightly-2021-11-04-001635
Server Version: 4.10.0-0.nightly-2021-11-04-001635
Kubernetes Version: v1.22.1+1b2affc

Comment 4 zhaozhanqi 2021-11-29 03:07:02 UTC
@

Comment 5 zhaozhanqi 2021-11-29 03:08:23 UTC
(In reply to zhaozhanqi from comment #4)
> @

Mehul Modi, assigning this bug to you for verification, thanks.

Comment 7 Mehul Modi 2021-11-29 22:15:07 UTC
Marking Verified, attached testing notes above.

Comment 11 errata-xmlrpc 2022-03-10 16:25:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056