Launch envoy through capability wrapper

[swalberg]

(if capabilities are present)

When capabilities are explicitly dropped

sean~/play/ambassador (use_capabilities_wrapper *%)$ kubectl logs ambassador-7cb95448b8-mjxhp | grep cap
2019-11-21 17:59:05 AMBASSADOR INFO cap_net_bind_service is not supported, launching Envoy directly

When capabilities are present

sean~/play/ambassador (use_capabilities_wrapper *%)$ kubectl logs ambassador-bdbc4675d-hmq82 | grep cap
2019-11-21 18:00:08 AMBASSADOR INFO cap_net_bind_service is supported, launching Envoy through a wrapper
2019/11/21 18:00:08 Starting Envoy with CAP_NET_BIND_SERVICE capability
2019/11/21 18:00:08 Succeeded in setting capabilities

Additionally, if the capabilities are present, you can bind Envoy to a
low port, e.g. 80 or 443:

bash-5.0$ netstat -anp | grep 0.0.0.0:80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
bash-5.0$ ps -ef | grep [w]rapper
  167 8888      0:06 {envoy} wrapper -c /ambassador/bootstrap-ads.json

Related Issues

Fixes #1841

Testing

Manual testing and added CI tests.

Todos

• Tests
• Documentation

Other

• If this is a documentation change, please open the pull request at https://github.com/datawire/ambassador-docs instead.
• Code changes should occur against master.

[swalberg]

Don't merge this just yet... Going to do a bit more testing. The tests don't run locally and I want to see if they work in CI.

[swalberg]

This works fine locally, I'll be darned if I can get tests to pass (on this branch or master) on my Mac or on a new k3s cluster though.

[swalberg]

With the latest rebase it's now only my tests that are failing. I'll try it again locally.

[kflynn]

Hey, now that we've gotten past the 1.0 transition I'd like to get this landed. Need help from us to get tests sorted out?

[swalberg]

Hey, yes, please. Give me some time to get caught up and rebased so I know what the current problem is. Thanks!

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[swalberg]

A million apologies. Let me get this rebased and over the line.

[swalberg]

Is there still an issue running tests on a mac? I tried make test after setting the registry and k8s config and get failure in smoke tests:

Teleproxy exited with 1 error(s):
  K8S: Get https://kubernetes.docker.internal:6443/api?timeout=32s: dial tcp: lookup kubernetes.docker.internal on 127.0.0.11:53: no such host
2020/05/09 00:44:58 poll get: Get http://httptarget: dial tcp: lookup httptarget on 127.0.0.11:53: no such host
--- FAIL: TestSmoke (1.01s)
    teleproxy_test.go:44: exit status 1
    teleproxy_test.go:106: giving up because we have already failed
    teleproxy_test.go:52: os: process already finished

[kflynn]

@swalberg I run them on a Mac a lot -- what kind of cluster were you trying to use?

[swalberg]

I'm using docker-desktop. Happy to change it to whatever works.

[kflynn]

I don't think the whole test suite can fit into Docker on a Mac. 🙁 Internally, we have an old tool called Kubernaut that provisions clusters in EC2, but really any cluster should work, it's just that the tests spin up a lot of Ambassadors, so a beefy cluster is a must.

Alternately, if you merge master yet again, CI should be able to run the tests for you again. You've been running this at your site, yes?

[swalberg]

Oh, I can find a bigger test cluster then. I had it in our cluster for testing but since we're so far behind on Ambassador I can't use current versions. This'll change soon 🤞 .

[swalberg]

Just a note that we've upgraded things here enough that I can get back to testing.

[swalberg]

I'm getting crashes on the capabilities wrapper now. I see there was a minor refactoring in 58c1267 to extract it which seems related. I'm having trouble explaining what I'm seeing, but it looks like the return address of capset is getting overwritten, resulting in a segfault. BUT, if I throw a fmt.Println in that method (anywhere) it works.

I can't explain it yet, but here's a gist to show I'm not nuts: https://gist.github.com/swalberg/c4b50e395c239920863f898551a12c24

[swalberg]

Bah is there a way to re-run this? Looks like there was a connection reset in the middle of it when it tries to pull down the gcloud tools.

[swalberg]

Is there a way to run just one test locally? I tried make pytest TEST_NAME=CanBindToLowPort but it seems to run everything.

[kflynn]

make push pytest-only PYTEST_ARGS="-k CanBindToLowPort" should do it.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[swalberg]

Funny enough, PodSecurityPolicies are being removed from K8s, which is the reason I needed this wrapper.

Seems like there are a lot of changes since I looked at this. Is this solution still viable?

[LukeShu]

FWIW, I still want to get this in.

[akevdmeer]

This feature would still be nice.