Bug 2020377 - permissions error while using tcpdump option with must-gather
Summary: permissions error while using tcpdump option with must-gather
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: 4.10.0
Assignee: Ben Bennett
QA Contact: Mehul Modi
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-11-04 17:15 UTC by Mehul Modi
Modified: 2022-03-10 16:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:25:33 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift oc pull 962 0 None open Bug 2020377: add linux capability for host network packet captures 2021-11-05 11:42:13 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:25:52 UTC

Description Mehul Modi 2021-11-04 17:15:48 UTC
Description of problem:

https://issues.redhat.com/browse/SDN-1760 added an option to capture tcpdump packets; however, while testing, it fails to do so, as shown below:

$ ./oc adm must-gather --dest-dir ./tmp --source-dir '/tmp/tcpdump/' --image quay.io/openshift/origin-network-tools:latest --node-selector 'kubernetes.io/os=linux,node-role.kubernetes.io/master' --host-network -- timeout 30 tcpdump -i any -w /tmp/tcpdump/\$POD_NAME-%Y-%m-%dT%H:%M:%S.pcap -W 1 -G 300
[must-gather      ] OUT Using must-gather plug-in image: quay.io/openshift/origin-network-tools:latest
When opening a support case, bugzilla, or issue please include the following summary data along with any other requested information.
ClusterID: bc06a2a8-d1c9-415e-9e17-8fa6e43c993b
ClusterVersion: Stable at "4.10.0-0.nightly-2021-11-04-001635"
ClusterOperators:
	All healthy and stable


[must-gather      ] OUT namespace/openshift-must-gather-6cz8g created
[must-gather      ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-zqk67 created
Warning: would violate "latest" version of "baseline" PodSecurity profile: host namespaces (hostNetwork=true)
[must-gather      ] OUT pod: must-gather-f6s2q on node: ci-ln-tp3hvw2-72292-t8rf7-master-0 for plug-in image quay.io/openshift/origin-network-tools:latest created
[must-gather      ] OUT pod: must-gather-jfhrz on node: ci-ln-tp3hvw2-72292-t8rf7-master-1 for plug-in image quay.io/openshift/origin-network-tools:latest created
[must-gather      ] OUT pod: must-gather-jqzn4 on node: ci-ln-tp3hvw2-72292-t8rf7-master-2 for plug-in image quay.io/openshift/origin-network-tools:latest created
[must-gather-jfhrz] POD 2021-11-04T16:58:28.800868866Z tcpdump: any: You don't have permission to capture on that device
[must-gather-jfhrz] POD 2021-11-04T16:58:28.800868866Z (socket: Operation not permitted)
[must-gather-f6s2q] POD 2021-11-04T16:58:28.573518008Z tcpdump: 2021-11-04T16:58:28.573646835Z any: You don't have permission to capture on that device
[must-gather-f6s2q] POD 2021-11-04T16:58:28.573646835Z (socket: Operation not permitted)2021-11-04T16:58:28.573673551Z 
[must-gather-jqzn4] POD 2021-11-04T16:58:28.589776570Z tcpdump: any: You don't have permission to capture on that device
[must-gather-jqzn4] POD 2021-11-04T16:58:28.589776570Z (socket: Operation not permitted)
[must-gather-jfhrz] OUT waiting for gather to complete
[must-gather-f6s2q] OUT waiting for gather to complete
[must-gather-jqzn4] OUT waiting for gather to complete
[must-gather-jfhrz] OUT downloading gather output
[must-gather-f6s2q] OUT downloading gather output
[must-gather-jqzn4] OUT downloading gather output
[must-gather-jqzn4] OUT receiving file list ... done
[must-gather-jfhrz] OUT receiving file list ... done
[must-gather-jqzn4] OUT 
[must-gather-jqzn4] OUT sent 16 bytes  received 44 bytes  40.00 bytes/sec
[must-gather-jqzn4] OUT total size is 0  speedup is 0.00
[must-gather-jfhrz] OUT 
[must-gather-jfhrz] OUT sent 16 bytes  received 44 bytes  24.00 bytes/sec
[must-gather-jfhrz] OUT total size is 0  speedup is 0.00
[must-gather-f6s2q] OUT receiving file list ... done
[must-gather-f6s2q] OUT 
[must-gather-f6s2q] OUT sent 16 bytes  received 44 bytes  9.23 bytes/sec
[must-gather-f6s2q] OUT total size is 0  speedup is 0.00
[must-gather      ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-zqk67 deleted
[must-gather      ] OUT namespace/openshift-must-gather-6cz8g deleted


When opening a support case, bugzilla, or issue please include the following summary data along with any other requested information.
ClusterID: bc06a2a8-d1c9-415e-9e17-8fa6e43c993b
ClusterVersion: Stable at "4.10.0-0.nightly-2021-11-04-001635"
ClusterOperators:
	All healthy and stable





Version-Release number of selected component (if applicable):

[root@ocp-edge50 ~]# oc version
Client Version: 4.10.0-0.nightly-2021-11-03-111400
Server Version: 4.10.0-0.nightly-2021-11-03-111400



How reproducible:
Reliably


Steps to Reproduce:
1. Install a 4.10 cluster, log in as kubeadmin
2. Run the above "oc adm must-gather" command

Actual results:
Command fails to capture tcpdump packets due to a permissions issue.


Expected results:
tcpdump packet capture should succeed.

Additional info:
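
The "socket: Operation not permitted" lines in the output above are what tcpdump prints when it cannot open an AF_PACKET socket, which Linux permits only when CAP_NET_RAW is in the process's effective capability set; host networking does not by itself supply it. The check below is an added example, not part of the original report or of the oc code base; the sample status text, its masks and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the capability lines from /proc/<pid>/status for a
# container process whose effective set lacks CAP_NET_RAW (assumed values).
SAMPLE_STATUS='Name: tcpdump
CapInh: 0000000000000000
CapPrm: 00000000000005fb
CapEff: 00000000000005fb
CapBnd: 00000000000005fb'

CAP_NET_RAW=13   # bit number from linux/capability.h

# cap_mask STATUS_TEXT FIELD -> prints the hex mask stored in FIELD (e.g. CapEff)
cap_mask() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# has_cap HEXMASK BIT -> exit status 0 if capability bit BIT is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capture_verdict STATUS_TEXT -> reports whether the process may open the
# packet socket that tcpdump needs; returns 0 ok, 1 denied, 2 no CapEff line
capture_verdict() {
    mask=$(cap_mask "$1" CapEff)
    [ -n "$mask" ] || { echo "unknown: no CapEff line"; return 2; }
    if has_cap "$mask" "$CAP_NET_RAW"; then
        echo "ok: CAP_NET_RAW present in CapEff=$mask"
    else
        echo "denied: CAP_NET_RAW missing from CapEff=$mask"
        return 1
    fi
}

# Run against the constructed sample; inside a real capture pod use
#   capture_verdict "$(cat /proc/self/status)"
capture_verdict "$SAMPLE_STATUS" || true
```

Checking CapEff separates a missing capability from other causes of EPERM such as a seccomp or SELinux denial. In a pod spec a single capability is granted through `securityContext.capabilities.add`, which is narrower than running the container privileged.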

Comment 1 Mehul Modi 2021-11-04 17:17:40 UTC
Correct oc version:

$ ./oc version
Client Version: 4.10.0-0.nightly-2021-11-04-001635
Server Version: 4.10.0-0.nightly-2021-11-04-001635
Kubernetes Version: v1.22.1+1b2affc

Comment 4 zhaozhanqi 2021-11-29 03:07:02 UTC
@

Comment 5 zhaozhanqi 2021-11-29 03:08:23 UTC
(In reply to zhaozhanqi from comment #4)
> @

Mehul Modi, assigning this bug to you for verification, thanks.

Comment 7 Mehul Modi 2021-11-29 22:15:07 UTC
Marking Verified, attached testing notes above.

Comment 11 errata-xmlrpc 2022-03-10 16:25:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

