[Experimental] Include both privileged and non-privileged binaries in Docker image #652
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This way ingress-gateway can use the privileged entrypoint without everyone else having to add the NET_BIND_SERVICE capability when they don't need/want it
Draft
2 tasks
|
this shouldn't affect nomad/VM deployments as those don't use dataplane |
zalimeni
reviewed
Oct 17, 2024
cmd/consul-dataplane/main.go
Outdated
| @@ -100,6 +100,7 @@ func init() { | |||
| IntVar(flags, &flagOpts.dataplaneConfig.Envoy.Concurrency, "envoy-concurrency", "DP_ENVOY_CONCURRENCY", "The number of worker threads that Envoy uses.") | |||
| IntVar(flags, &flagOpts.dataplaneConfig.Envoy.DrainTimeSeconds, "envoy-drain-time-seconds", "DP_ENVOY_DRAIN_TIME", "The time in seconds for which Envoy will drain connections.") | |||
| StringVar(flags, &flagOpts.dataplaneConfig.Envoy.DrainStrategy, "envoy-drain-strategy", "DP_ENVOY_DRAIN_STRATEGY", "The behaviour of Envoy during the drain sequence. Determines whether all open connections should be encouraged to drain immediately or to increase the percentage gradually as the drain time elapses.") | |||
| StringVar(flags, &flagOpts.dataplaneConfig.Envoy.ExecutablePath, "envoy-executable-path", "DP_ENVOY_EXECUTABLE_PATH", "Path to the Envoy executable to run. Defaults to the ") | |||
There was a problem hiding this comment.
~ Looks like this needs a bit more text
|
This seems like a great idea! Excited to see it happen. Hoping/expecting the constraints around |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, the
NET_BIND_SERVICEcapability is added to the dataplane (and Envoy) entrypoints since we cannot know at build time whether a non-root user at runtime will attempt to bind to a privileged port. The reason this is the default behavior was to avoid a breaking change in ingress gateways, which had previously supported binding to privileged ports; however, there are still many use cases where it's preferable to avoid this capability when it isn't needed.This change introduces a second set of entrypoints to the container that do not have the
NET_BIND_SERVICEcapability. In this way, we can support both use cases:The container will default to the non-privileged entrypoint, and ingress gateway deployments that do want to support binding to privileged ports will need to override the entrypoint to
privileged-consul-dataplaneand provide a path toprivileged-envoy. This way, no deployment needs theNET_BIND_SERVICEcapability unless they are overriding the entrypoint in order to support binding to privileged ports.See hashicorp/consul-k8s#4394 for an example of how this works in consul-k8s.
Warning
We still need to determine the impact – if any – of a change like this for VM and Nomad deployments of consul-dataplane