debug
Signed-off-by: James Strong <strong.james.e@gmail.com>
parent
75ab7c826d
commit
3110846e41
3 changed files with 9 additions and 26 deletions
|
@ -30,13 +30,13 @@ MELANGE_DIR ?= melange
|
|||
APKO_DIR ?= apko
|
||||
MELANGE ?= docker run --rm --privileged -w /work -v "${PWD}":/work distroless.dev/melange:latest
|
||||
MELANGE_DETACHED ?= docker run -d -w /work --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest
|
||||
APKO ?= docker run --rm -w /work -v "${PWD}":/work ko.local:5f90a47e3144af5b529930d71eb58fc6ea0004113aa0cdb3d1da35d6065b594e
|
||||
APKO ?= docker run --rm -w /work -v "${PWD}":/work ko.local:282aa9f94ed181bbe42ab3897f41687c92a86260ea0820151c9353ecfc1ae3d6
|
||||
KEY ?= melange.rsa
|
||||
REPO ?= packages
|
||||
TEMPLATE ?= melange/nginx-templates.json
|
||||
MELANGE_OPTS ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS}
|
||||
MELANGE_INGRESS_OPT ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} --empty-workspace
|
||||
APKO_OPTS ?= -k ${KEY}.pub --debug --use-docker-mediatypes --sbom=false --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml
|
||||
APKO_OPTS ?= -k ${KEY}.pub --debug --sbom=false --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml
|
||||
KEY ?= melange.rsa
|
||||
REPO ?= $(shell pwd)/packages
|
||||
ARCHS ?="amd64,arm64,arm/v6,arm/v7,s390x"
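Review bot: The `APKO ?=` default points at a `ko.local:` tag, which names an image built on the author's machine; both APKO lines in this hunk do so, so whichever is the new side, nobody else can resolve or audit the tool that assembles the image. A published reference pinned by digest would be reviewable, for example `APKO ?= docker run --rm -w /work -v "${PWD}":/work <registry>/apko@sha256:<digest>` (placeholder values, not taken from the page). The page has lost its +/- markers, so it is not certain which `APKO_OPTS` line is new; if `--use-docker-mediatypes` is the option being dropped, a one-line comment giving the reason would help, since the commit message says only "debug" and `--sbom=false` stays set on both lines.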
|
||||
|
|
|
@ -214,8 +214,6 @@ pipeline:
|
|||
set -o nounset
|
||||
set -o pipefail
|
||||
|
||||
ls -lah
|
||||
ls -lah etc/nginx
|
||||
export BUILD_PATH="${PWD}"
|
||||
echo "BUILD_PATH $BUILD_PATH"
|
||||
echo "Arch: $(uname -m)"
|
||||
|
|
|
@ -17,12 +17,9 @@ limitations under the License.
|
|||
package net
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"k8s.io/klog/v2"
|
||||
"kernel.org/pub/linux/libs/security/libcap/cap"
|
||||
_net "net"
|
||||
"os"
|
||||
"os/exec"
|
||||
)
|
||||
|
||||
|
@ -66,28 +63,16 @@ func IsIPv6Enabled() bool {
|
|||
|
||||
// CheckCapNetBind checks if cap_net_bind_service is set for ingress
|
||||
func CheckCapNetBind() error {
|
||||
processID := os.Getpid()
|
||||
set, err := cap.GetPID(processID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
klog.InfoS("ingress-nginx capability set %v", set.String())
|
||||
orig := cap.GetProc()
|
||||
|
||||
//check effective
|
||||
// Value 10 = NET_BIND_SERVICE
|
||||
effective, err := set.GetFlag(0, 10)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer orig.SetProc() // restore original caps on exit.
|
||||
|
||||
//check permitted
|
||||
permitted, err := set.GetFlag(1, 10)
|
||||
c, err := orig.Dup()
|
||||
if err != nil {
|
||||
return err
|
||||
return fmt.Errorf("failed to read capabilitiess: %v", err)
|
||||
}
|
||||
klog.InfoS("ingress-nginx capabilities: permitted %v effective %v", permitted, effective)
|
||||
if !permitted && !effective {
|
||||
return errors.New(fmt.Sprintf("ingress-nginx capabilities: permitted %v effective %v", permitted, effective))
|
||||
if on, _ := c.GetFlag(cap.Effective, cap.NET_BIND_SERVICE); !on {
|
||||
return fmt.Errorf("insufficient privilege to bind to low ports - want %q, have %q", cap.NET_BIND_SERVICE, c)
|
||||
}
|
||||
|
||||
return nil
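Review bot: In CheckCapNetBind the error from `c.GetFlag(cap.Effective, cap.NET_BIND_SERVICE)` is dropped with `_`, so a failed flag lookup surfaces as "insufficient privilege" instead of a read error; I would write `on, err := c.GetFlag(cap.Effective, cap.NET_BIND_SERVICE)` and return `fmt.Errorf("reading effective capability flag: %w", err)` before testing `on`. `defer orig.SetProc()` re-applies a set that nothing in the visible body modifies and ignores its own error, so it looks removable. The first error message misspells "capabilitiess" and uses `%v` where `%w` would keep the cause inspectable. The check reads only the effective set of the calling process, and nothing here shows whether a process started through the imported `os/exec` keeps the capability, so a comment such as `// Only this process's effective set is checked; child processes are not covered.` would set expectations. The function's closing lines are outside the hunk, and because the page has lost its +/- markers this reads the libcap lines as the new side, going by the 9-addition/26-deletion count.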
|
||||
|
|