View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0018413||CentOS CI||general||public||2022-03-10 11:40||2022-03-12 07:57|
|Priority||normal||Severity||major||Reproducibility||have not tried|
|Platform||x86_64||OS||CentOS Stream||OS Version||8|
|Summary||0018413: tcp4 bind to unprivileged port range not permitted|
Linux kernel: Linux ecs-3021 5.15.12-1.el8.elrepo.x86_64 #1 SMP Mon Dec 27 18:01:10 EST 2021 x86_64 x86_64 x86_64 GNU/Linux
~10 services were created in K8s; 5 of them were configured with NodePort, which implies that the kube-proxy container will bind an IP address and port on the host. The ports were set to 30080 etc. The log continuously reports the errors below. This happened on all 3 nodes of the K8s cluster.
> (:30080/tcp), skipping this nodePort: listen tcp4 :30080: bind: operation not permitted
> (:30670/tcp), skipping this nodePort: listen tcp4 :30670: bind: operation not permitted
> (:30990/tcp), skipping this nodePort: listen tcp4 :30990: bind: operation not permitted
After the ports were changed to 31080, 31670, 31990, the ports were bound successfully.
|Steps To Reproduce||There was not a definite way to reproduce. But this problem still exists on these 3 nodes.|
|Additional Information||The kube-proxy containers were running as root since the docker daemon was running as root.|
$ cat /etc/redhat-release
CentOS Stream release 8
$ uname -a
Linux ecs-3021 5.15.12-1.el8.elrepo.x86_64 #1 SMP Mon Dec 27 18:01:10 EST 2021 x86_64 x86_64 x86_64 GNU/Linux
$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 60999
$ ps -ef | grep kube-proxy
root 1818506 1818485 0 16:51 ? 00:00:13 /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=host-3
|Tags||No tags attached.|
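One way to check whether the kernel itself refuses the bind is to repeat the same kind of tcp4 wildcard listen outside kube-proxy on the ports named in the report and name the errno that comes back. This is an added example, not part of the original report and not kube-proxy code; `probe`, `classify`, `inRange` and `pageRange` are hypothetical names chosen here, and a Linux host is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"syscall"
)

// pageRange is the net.ipv4.ip_local_port_range value shown in the report.
const pageRange = "32768 60999"

// inRange reports whether port falls inside a "low high" sysctl range string.
func inRange(port int, rng string) bool {
	var lo, hi int
	n, _ := fmt.Sscan(rng, &lo, &hi)
	return n == 2 && port >= lo && port <= hi
}

// classify names the errno behind a failed listen (EPERM vs EACCES vs EADDRINUSE).
func classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, syscall.EADDRINUSE):
		return "EADDRINUSE"
	case errors.Is(err, syscall.EACCES):
		return "EACCES"
	case errors.Is(err, syscall.EPERM):
		return "EPERM"
	}
	return "other"
}

// probe opens and closes a tcp4 wildcard listener, like the failing listen in the log.
func probe(port int) (string, error) {
	ln, err := net.Listen("tcp4", fmt.Sprintf(":%d", port))
	if err == nil {
		ln.Close()
	}
	return classify(err), err
}

func main() {
	for _, p := range []int{30080, 30670, 30990, 31080, 31670, 31990} {
		res, err := probe(p)
		fmt.Printf("port %d ephemeral=%v result=%s err=%v\n", p, inRange(p, pageRange), res, err)
	}
}
```

bind(2) documents EACCES, not EPERM, for a privileged port requested without CAP_NET_BIND_SERVICE, and EADDRINUSE for a port that is already held, so the three results separate those cases. Running it both on the host and inside the kube-proxy container shows whether the refusal follows the container or the node.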
First, all Stream-related bugs should be reported upstream. Please see https://wiki.centos.org/ReportBugs for details.
Second, it looks as if you build a custom kernel from ELRepo's kernel-ml. You may want to use your own tag and remove the original ".elrepo" tag.
Regarding the .elrepo tag, strictly speaking I'm asking not to ADD it rather than 'remove' it. This is because the only way to use it is to add the tag during the kernel build. It is not in the spec file.
|Thanks. This issue can be closed since the kernel is not an official release and there's not a clear way to reproduce the problem. I will submit a new issue to https://bugzilla.redhat.com if there's more info collected.|