swap deployment fails when securityContext contains unprivileged user #875

@kunickiaj

What were you trying to do?

trying to use the swap-deployment feature with one of my deployments.

What did you expect to happen?

expected to expose two ports for a local process and have traffic directed to them

What happened instead?

telepresence died with the attached traceback
full log in gist: https://gist.github.com/kunickiaj/080328802f437cdc1fbb6722856de4ee

It seems that the root cause is the securityContext in the container I wished to swap.
Other (more privileged) containers do not have this issue. Was able to confirm that removing the following securityContext from the affected container allowed me to work around the issue:

securityContext:
  runAsNonRoot: true
  runAsUser: 500

Probably related to #617 #737 and #723
A possible fix might be to have telepresence replace the relevant parts of the security context if it does in fact need root (e.g. removing the runAsNonRoot). Would also suggest alerting the user to those kinds of modifications.

Automatically included information

Command line: ['/usr/local/bin/telepresence', '--swap-deployment', 'sch-control-hub-pipelinestore:pipelinestore', '--expose', '18631', '--expose', '18632']
Version: 0.96
Python version: 3.6.6 (default, Oct 4 2018, 20:50:27) [GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.2)]
kubectl version: Client Version: v1.13.0 // Server Version: v1.10.0
oc version: oc v3.11.0+0cbc58b // kubernetes v1.11.0+d4cacc0 // features: Basic-Auth // // Server https://192.168.37.162:8443 // kubernetes v1.10.0
OS: Darwin streamsam381331.nerdworld.xyz 18.2.0 Darwin Kernel Version 18.2.0: Mon Nov 12 20:24:46 PST 2018; root:xnu-4903.231.4~2/RELEASE_X86_64 x86_64

Traceback (most recent call last):
  File "/usr/local/bin/telepresence/telepresence/cli.py", line 131, in crash_reporting
    yield
  File "/usr/local/bin/telepresence/telepresence/main.py", line 70, in main
    socks_port, ssh = do_connect(runner, remote_info)
  File "/usr/local/bin/telepresence/telepresence/connect/connect.py", line 99, in do_connect
    return connect(runner_, remote_info, is_container_mode, args.expose)
  File "/usr/local/bin/telepresence/telepresence/connect/connect.py", line 57, in connect
    ssh.wait()
  File "/usr/local/bin/telepresence/telepresence/connect/ssh.py", line 82, in wait
    raise RuntimeError("SSH isn't starting.")
RuntimeError: SSH isn't starting.

Logs:

 20 | Handling connection for 52930
  48.2  60 | Connection to 127.0.0.1 closed by remote host.
  48.2 TEL | [60] exit 255 in 0.56 secs.
  48.4 TEL | [61] Running: ssh -F /dev/null -q -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -p 52930 telepresence@127.0.0.1 /bin/true
  48.5  20 | Handling connection for 52930
  49.0  61 | Connection to 127.0.0.1 closed by remote host.
  49.0 TEL | [61] exit 255 in 0.57 secs.
  49.3 TEL | [62] Running: ssh -F /dev/null -q -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -p 52930 telepresence@127.0.0.1 /bin/true
  49.3  20 | Handling connection for 52930
  49.8  62 | Connection to 127.0.0.1 closed by remote host.
  49.8 TEL | [62] exit 255 in 0.57 secs.
  51.1  19 | 2018-12-15T00:16:01+0000 [Poll#error] Failed to contact Telepresence client:
  51.1  19 | 2018-12-15T00:16:01+0000 [Poll#error] An error occurred while connecting: 99: Address not available.
  51.1  19 | 2018-12-15T00:16:01+0000 [Poll#warn] Perhaps it's time to exit?
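
Added example, not part of the original issue and not Telepresence's own code: a pre-flight check that lists the containers in a Deployment whose effective securityContext forces a non-root user, the condition the report above ties to the failed swap. The sample manifest and the function names are constructed for illustration; container-level settings override pod-level ones, as Kubernetes applies them.

```python
import json

# Constructed sample: a trimmed Deployment in the shape returned by
# `kubectl get deployment <name> -o json`. Not taken from the reporter's cluster.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "metadata": {"name": "example-deployment"},
  "spec": {"template": {"spec": {
    "securityContext": {"runAsUser": 0},
    "containers": [
      {"name": "pipelinestore",
       "securityContext": {"runAsNonRoot": true, "runAsUser": 500}},
      {"name": "sidecar"}
    ]
  }}}
}
""")

FIELDS = ("runAsNonRoot", "runAsUser")


def effective_context(pod_spec, container):
    """Merge pod-level and container-level settings; the container-level value wins."""
    pod_ctx = pod_spec.get("securityContext") or {}
    ctr_ctx = container.get("securityContext") or {}
    return {f: ctr_ctx.get(f, pod_ctx.get(f)) for f in FIELDS}


def nonroot_containers(deployment):
    """Return {container name: [reasons]} for containers forced to run unprivileged."""
    pod_spec = deployment["spec"]["template"]["spec"]
    findings = {}
    for container in pod_spec.get("containers", []):
        ctx = effective_context(pod_spec, container)
        reasons = []
        if ctx["runAsNonRoot"] is True:
            reasons.append("runAsNonRoot: true")
        if ctx["runAsUser"] not in (None, 0):
            reasons.append(f"runAsUser: {ctx['runAsUser']}")
        if reasons:
            findings[container["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in nonroot_containers(SAMPLE_DEPLOYMENT).items():
        print(f"warning: container {name!r} is restricted to a non-root user "
              f"({', '.join(reasons)}); a swap that needs root will be affected")
```
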

Labels: exploration, stale (Issue is stale and will be closed), v2 (Related to Telepresence 2 (2.y.z))
