
On the firewall the metal user is not allowed to execute from a vrf #45

Open
majst01 opened this issue Aug 15, 2020 · 4 comments

Comments

@majst01
Contributor

majst01 commented Aug 15, 2020

on the firewall doing something like this:

ip vrf exec vrf64 bash
mkdir failed for /sys/fs/cgroup/unified/user.slice/user-1000.slice/session-20.scope/vrf: Permission denied
Failed to setup vrf cgroup2 directory

Does not work. This is related to unified hierarchies from cgroup2 as described:

A proposed solution seems to be to change the kernel cmdline to have systemd.legacy_systemd_cgroup_controller=1 set:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash ...more... systemd.legacy_systemd_cgroup_controller=1"

If this works, fi-ts/cloudctl#8 will be able to make an ssh session to a machine through the firewall, once the metal user is able to load the required bpf program loaded by ip.
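The failure above comes from the directory lookup `ip vrf exec` performs before it loads its bpf program: it reads the unified-hierarchy path of the calling process from /proc/self/cgroup (the `0::` line) and tries to create `<cgroup2 mount>/<that path>/vrf/<vrfname>`, so a user who cannot write to their own session cgroup gets exactly the mkdir error shown. The following pre-flight check is an added example, not code from the issue or from metal-stack; the sample cgroup line is constructed from the error message, and the mount point `/sys/fs/cgroup/unified` is assumed from the same message.

```shell
#!/bin/sh
# Added example: reproduce the directory check behind
# "mkdir failed for .../vrf: Permission denied" without calling ip at all.

# cgroup_path: extract the cgroup v2 path from /proc/<pid>/cgroup content.
# Argument 1: the file content as a string (so it can be tested offline).
cgroup_path() {
    printf '%s\n' "$1" | sed -n 's/^0::\(.*\)$/\1/p' | head -n 1
}

# cgroup_base: absolute directory of the process's cgroup under the mount.
# Arguments: cgroup2 mount point, path returned by cgroup_path.
cgroup_base() {
    rel="${2#/}"
    if [ -n "$rel" ]; then printf '%s/%s\n' "${1%/}" "$rel"; else printf '%s\n' "${1%/}"; fi
}

# vrf_cgroup_dir: the directory `ip vrf exec <vrf>` would create.
# Arguments: cgroup2 mount point, cgroup path, VRF name.
vrf_cgroup_dir() {
    printf '%s/vrf/%s\n' "$(cgroup_base "$1" "$2")" "$3"
}

# vrf_exec_allowed: returns 0 if the mkdir ip performs would succeed for the
# current user, 1 otherwise. ip creates <base>/vrf first, then <base>/vrf/<name>,
# so the writable directory that matters is <base>/vrf if it already exists,
# else <base> itself (the one that failed in the issue).
vrf_exec_allowed() {
    base=$(cgroup_base "$1" "$2")
    if [ -d "$base/vrf" ]; then dir="$base/vrf"; else dir="$base"; fi
    [ -d "$dir" ] && [ -w "$dir" ]
}

# check_live: run the check against the real system for a given VRF name.
# Assumes a hybrid systemd layout with cgroup2 mounted at /sys/fs/cgroup/unified.
check_live() {
    path=$(cgroup_path "$(cat /proc/self/cgroup)")
    if vrf_exec_allowed /sys/fs/cgroup/unified "$path" "$1"; then
        echo "ok: $(vrf_cgroup_dir /sys/fs/cgroup/unified "$path" "$1") can be created"
    else
        echo "blocked: no write access to $(cgroup_base /sys/fs/cgroup/unified "$path")"
    fi
}

# Constructed sample matching the session cgroup named in the error message.
SAMPLE_CGROUP='0::/user.slice/user-1000.slice/session-20.scope'
```

Run `check_live vrf64` as the metal user on the firewall to see whether the session cgroup is writable before trying `ip vrf exec` again.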

@mwindower
Contributor

I would propose another option to solve the "ssh to machine" problem.

We could import the tenant VRF to the default VRF only locally on the firewall.

So there would be no need to change the VRF to access the tenant VRF.

@majst01
Contributor Author

majst01 commented Sep 18, 2020

If this does not break the existing networking, this would be great. It would also solve a problem I actually see with the evebox event forwarding, which can potentially be towards the internet or the tenant vrf.

@mwindower
Contributor

It's currently active on gerrit's test cluster in fra.

@majst01
Contributor Author

majst01 commented Sep 18, 2020

Great, so I can test with the machine access.
