Use authbind to bind privileged ports #2894

aledbf · 2018-08-03T13:57:01Z

What this PR does / why we need it:

Removes the attempt to listen ports in the ingress controller to check if a port is available with a simple connection check and adds authbind as mechanism to listen on privileged ports

ElvinEfendi · 2018-08-03T15:07:28Z

internal/net/net.go

-	ln.Close()
-	return true
+	defer conn.Close()
+	return false


this function is being called in cmd//nginx/flags.go when Nginx has not started yet, which results in for the dial to fail. And consequently

F0803 14:42:19.694324 5 main.go:72] Port 80 is already in use. Please check the flag --http-port

codecov-io · 2018-08-04T02:09:07Z

Codecov Report

Merging #2894 into master will increase coverage by 0.01%.
The diff coverage is 64.7%.

@@            Coverage Diff             @@
##           master    #2894      +/-   ##
==========================================
+ Coverage   47.58%   47.59%   +0.01%     
==========================================
  Files          76       76              
  Lines        5485     5490       +5     
==========================================
+ Hits         2610     2613       +3     
- Misses       2540     2541       +1     
- Partials      335      336       +1

Impacted Files	Coverage Δ
internal/ingress/controller/util.go	`27.77% <0%> (ø)`	⬆️
cmd/nginx/main.go	`6.57% <0%> (ø)`	⬆️
internal/ingress/controller/nginx.go	`11.68% <100%> (+0.39%)`	⬆️
internal/ingress/metric/collectors/controller.go	`90.67% <100%> (ø)`	⬆️
internal/net/net.go	`72.72% <100%> (ø)`	⬆️
internal/ingress/metric/collectors/socket.go	`79.27% <60%> (-0.54%)`	⬇️
internal/ingress/controller/config/config.go	`98.27% <0%> (-0.02%)`	⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9b3207d...b148f11. Read the comment docs.

ElvinEfendi · 2018-08-05T02:49:53Z

internal/ingress/controller/nginx.go

@@ -741,7 +741,10 @@ func configureDynamically(pcfg *ingress.Configuration, port int) error {
 	backends := make([]*ingress.Backend, len(pcfg.Backends))

 	for i, backend := range pcfg.Backends {
-		service := &apiv1.Service{Spec: backend.Service.Spec}
+		var service *apiv1.Service
+		if backend.Service != nil {


What did necessitate this? Is this fixing an actual bug? Maybe add a test case?

Running e2e tests I saw some errors when Service is nil trying to access the Spec field

ElvinEfendi · 2018-08-05T02:51:01Z

internal/ingress/metric/collectors/socket.go

+		return nil, err
+	}
+
+	err = os.Chmod(socket, 0777)


Is this needed so Nginx can connect to it?

ElvinEfendi · 2018-08-05T03:10:01Z

please squash commits, then it's good to go 👍

ElvinEfendi · 2018-08-05T15:43:03Z

/lgtm

k8s-ci-robot · 2018-08-05T15:43:07Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, ElvinEfendi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [ElvinEfendi,aledbf]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 3, 2018

ElvinEfendi reviewed Aug 3, 2018

View reviewed changes

aledbf force-pushed the authbind branch 2 times, most recently from 800d5b5 to 5aa30ed Compare August 4, 2018 01:42

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 4, 2018

aledbf force-pushed the authbind branch 2 times, most recently from b09e161 to 80c14c9 Compare August 4, 2018 16:14

aledbf assigned ElvinEfendi and antoineco Aug 4, 2018

ElvinEfendi reviewed Aug 5, 2018

View reviewed changes

aledbf force-pushed the authbind branch from 80c14c9 to b148f11 Compare August 5, 2018 15:19

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 5, 2018

Use authbind to bind privileged ports

01e0a80

aledbf force-pushed the authbind branch from b148f11 to 01e0a80 Compare August 5, 2018 15:43

k8s-ci-robot merged commit 7f7f59d into kubernetes:master Aug 5, 2018

aledbf deleted the authbind branch August 5, 2018 15:55

aledbf mentioned this pull request Sep 4, 2018

BindAddress is not respected during initial port availability check #2529

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use authbind to bind privileged ports #2894

Use authbind to bind privileged ports #2894

aledbf commented Aug 3, 2018

ElvinEfendi Aug 3, 2018

codecov-io commented Aug 4, 2018 •

edited

Loading

ElvinEfendi Aug 5, 2018 •

edited

Loading

aledbf Aug 5, 2018

ElvinEfendi Aug 5, 2018 •

edited

Loading

aledbf Aug 5, 2018

ElvinEfendi commented Aug 5, 2018

ElvinEfendi commented Aug 5, 2018

k8s-ci-robot commented Aug 5, 2018

Use authbind to bind privileged ports #2894

Use authbind to bind privileged ports #2894

Conversation

aledbf commented Aug 3, 2018

ElvinEfendi Aug 3, 2018

Choose a reason for hiding this comment

codecov-io commented Aug 4, 2018 • edited Loading

Codecov Report

ElvinEfendi Aug 5, 2018 • edited Loading

Choose a reason for hiding this comment

aledbf Aug 5, 2018

Choose a reason for hiding this comment

ElvinEfendi Aug 5, 2018 • edited Loading

Choose a reason for hiding this comment

aledbf Aug 5, 2018

Choose a reason for hiding this comment

ElvinEfendi commented Aug 5, 2018

ElvinEfendi commented Aug 5, 2018

k8s-ci-robot commented Aug 5, 2018

codecov-io commented Aug 4, 2018 •

edited

Loading

ElvinEfendi Aug 5, 2018 •

edited

Loading

ElvinEfendi Aug 5, 2018 •

edited

Loading