View Issue Details

ID: 0018413
Project: CentOS CI
Category: general
View Status: public
Last Update: 2022-03-12 07:57
Reporter: log4bob
Assigned To:
Priority: normal
Severity: major
Reproducibility: have not tried
Status: assigned
Resolution: open
Platform: x86_64
OS: CentOS Stream
OS Version: 8
Summary: 0018413: tcp4 bind to unprivileged port range not permitted

Description:
Environment:
Kubernetes: v1.18.10
Docker: 20.10.12
containerd: 1.4.13
Linux kernel: Linux ecs-3021 5.15.12-1.el8.elrepo.x86_64 #1 SMP Mon Dec 27 18:01:10 EST 2021 x86_64 x86_64 x86_64 GNU/Linux

~10 services were created in the K8s cluster, 5 of them configured with NodePort, which implies the kube-proxy container will bind an IP address and port on the host. The port was set as 30080 etc. The log reports the errors below continuously, and this happened on all 3 nodes of the K8s cluster.

> (:30080/tcp), skipping this nodePort: listen tcp4 :30080: bind: operation not permitted
> (:30670/tcp), skipping this nodePort: listen tcp4 :30670: bind: operation not permitted
> (:30990/tcp), skipping this nodePort: listen tcp4 :30990: bind: operation not permitted

After the ports were changed to 31080, 31670 and 31990, they were bound successfully.

Steps To Reproduce: There was not a definite way to reproduce, but this problem still exists on these 3 nodes.

Additional Information: The kube-proxy containers were running as root since the Docker daemon was running as root.

$ cat /etc/redhat-release
CentOS Stream release 8

$ uname -a
Linux ecs-3021 5.15.12-1.el8.elrepo.x86_64 #1 SMP Mon Dec 27 18:01:10 EST 2021 x86_64 x86_64 x86_64 GNU/Linux

$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 60999

$ ps -ef | grep kube-proxy
root 1818506 1818485 0 16:51 ? 00:00:13 /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=host-3

Tags: No tags attached.
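
To check whether the failure reproduces outside kube-proxy, the following added example (not part of the original report) parses the quoted log lines and attempts the same tcp4 bind on each port, returning the errno name so that `EPERM` can be told apart from `EACCES` or `EADDRINUSE`. The function names are hypothetical; run it as root on an affected node for a comparable result.

```python
import errno
import re
import socket

# The three kube-proxy log lines quoted in the report above.
SAMPLE_LOG = """\
(:30080/tcp), skipping this nodePort: listen tcp4 :30080: bind: operation not permitted
(:30670/tcp), skipping this nodePort: listen tcp4 :30670: bind: operation not permitted
(:30990/tcp), skipping this nodePort: listen tcp4 :30990: bind: operation not permitted
"""

LISTEN_RE = re.compile(r"listen tcp4 :(\d+): bind: (.+)$")


def parse_failed_ports(log):
    """Return [(port, message), ...] for each failed bind in a kube-proxy log."""
    failed = []
    for line in log.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            failed.append((int(m.group(1)), m.group(2).strip()))
    return failed


def probe_bind(port, host="0.0.0.0"):
    """Attempt a tcp4 bind+listen on the port; return 'OK' or the errno name."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Go's net.Listen sets SO_REUSEADDR on Linux, so the probe does too.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(1)
        return "OK"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def triage(log):
    """Map every port that failed in the log to the result of a fresh probe."""
    return {port: probe_bind(port) for port, _ in parse_failed_ports(log)}


if __name__ == "__main__":
    for port, result in triage(SAMPLE_LOG).items():
        print(f"{port}/tcp: {result}")
```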

Activities

toracat

2022-03-11 18:05

manager   ~0038869

First, all Stream-related bugs should be reported upstream. Please see https://wiki.centos.org/ReportBugs for details.

Second, it looks as if you built a custom kernel from ELRepo's kernel-ml. You may want to use your own tag and remove the original ".elrepo" tag.

toracat

2022-03-11 19:39

manager   ~0038871

@log4bob

Regarding the .elrepo tag, strictly speaking I'm asking not to ADD it rather than 'remove' it. This is because the only way to use it is to add the tag during the kernel build. It is not in the spec file.

log4bob

2022-03-12 07:57

reporter   ~0038873

Thanks. This issue can be closed since the kernel is not an official release and there's not a clear way to reproduce the problem. I will submit a new issue to https://bugzilla.redhat.com if there's more info collected.

Issue History

Date Modified Username Field Change
2022-03-10 11:40 log4bob New Issue
2022-03-10 11:40 log4bob Status new => assigned
2022-03-11 18:05 toracat Note Added: 0038869
2022-03-11 19:39 toracat Note Added: 0038871
2022-03-12 07:57 log4bob Note Added: 0038873