Comments (11)
The experimental image resolved it for me. I didn't need the annotation.
from gatus.
I do not.
from gatus.
I'm seeing the same behavior. I toyed around with passing sysctls to the securityContext and the method described by @jerome-karabenli -- both are unable to ping outside the pod.
I've searched existing issues (#633, #182, #105) and I'm wondering if I'm missing something,
from gatus.
The issue is here https://github.com/TwiN/gatus/blob/master/client/client.go#L246
    pinger.SetPrivileged(runtime.GOOS != "darwin")
This will set privileged to true on linux and need to use the privileged ping instead of the unprivileged one. See https://github.com/prometheus-community/pro-bing/blob/ac3b40f1f0a7438a429e9bf6f2bc2a94ba286e39/ping.go#L430
Linux and darwin both support NonPrivileged ping (https://pkg.go.dev/golang.org/x/net/icmp?utm_source=godoc#example-PacketConn-NonPrivilegedPing) so I would expect it to be safe to only filter for windows.
The change was made here: c423afb for issue #132 but darwin supports non-privileged pings so the windows only condition should be okay.
from gatus.
Feel free to make a PR if you think that'll fix it!
from gatus.
I created #748 in an attempt to address it, but I would appreciate if somebody (either @jerome-karabenli, @kevin7s-io, @h3mmy, @heathcliff26 or anybody reading this) could test it on their end and report back on whether #748 fixed it.
I've just built a container image; if you'd like to try it, pull twinproduction/gatus:experimental.
Note that the image in question is only built for linux/amd64.
from gatus.
Works on Windows, but not on my Kubernetes cluster, even with the following configuration on the pods
    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        add:
          - NET_RAW
influxdata/influxdata-docker#550 and influxdata/influxdata-docker#547 seem to have some information on what needs to be done to fix this.
Looking at containerd/containerd#6924, perhaps this will be fixed automagically too for Kubernetes 🤔
from gatus.
I have tested it with podman and the experimental image works when running as root, but not in rootless mode.
I also tested running v5.10.0 as root since I didn't before, but it did not work.
So I guess the fix works, but still needs to have some privileges set.
from gatus.
I'm currently experiencing this issue, where my config that was working in docker doesn't work in Kubernetes.
I tried a bunch of things, such as capabilities, and using the same SC I use in blackbox-exporter:

    podSecurityContext:
      sysctls:
        - name: net.ipv4.ping_group_range
          value: "0 65536"

which also didn't work. I already have set

    enable_unprivileged_ports = true
    enable_unprivileged_icmp = true

and that doesn't appear to help either.
from gatus.
> I created #748 in an attempt to address it, but I would appreciate if somebody (either @jerome-karabenli, @kevin7s-io, @h3mmy, @heathcliff26 or anybody reading this) could test it on their end and report back on whether #748 fixed it.
> I've just built a container image; if you'd like to try it, pull twinproduction/gatus:experimental. Note that the image in question is only built for linux/amd64.

SO sorry I missed this. I went ahead and tested the branch in #748 and it works in my k3s cluster.
This is a link to my HelmRelease: https://github.com/h3mmy/bloopySphere/blob/96329ee8e913168f11198920db4cd0f758b1ea68/cluster/apps/monitoring/gatus/app/helm-release.yaml
Important bits:
- container running as non-root
- dropped ALL capabilities
- disallow privilege escalation
- I do have an annotation to set the sysctls
    annotations:
      reloader.stakater.com/auto: "true"
      # https://github.com/prometheus-community/pro-bing#linux
      security.alpha.kubernetes.io/sysctls: net.ipv4.ping_group_range=0 2147483647
And the config I used as a test case: https://github.com/h3mmy/bloopySphere/blob/96329ee8e913168f11198920db4cd0f758b1ea68/cluster/apps/networking/traefik/external-services/nas-camelus.yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: camelus-plexii-gatus-ep
      namespace: networking
      labels:
        gatus.io/enabled: "true"
    data:
      config.yaml: |
        endpoints:
          - name: camelus-plexii-ping
            group: infrastructure
            url: icmp://${NAS_ADDRESS}
            interval: 5m
            ui:
              hide-url: true
              hide-hostname: true
            conditions:
              - "[CONNECTED] == true"
            alerts:
              - type: discord
Let me know if you'd like me to try any different arrangements for different scenarios.
from gatus.
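A diagnostic for the two conditions this thread keeps coming back to, added here as an example and not taken from gatus or pro-bing: whether net.ipv4.ping_group_range admits one of the process's groups (the unprivileged ICMP socket) and whether CAP_NET_RAW is in the effective set (the privileged raw socket that `SetPrivileged(true)` selects). The function names are hypothetical; the /proc paths, the kernel default range "1 0" and capability bit 13 are standard Linux.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Added illustration; function names are hypothetical, not gatus or pro-bing API.
const capNetRaw = 13 // CAP_NET_RAW bit number (linux/capability.h)

// unprivilegedOK: is any gid inside the inclusive ping_group_range? Kernel default "1 0" admits nobody.
func unprivilegedOK(rangeText string, gids []int) (bool, error) {
	f := strings.Fields(rangeText)
	if len(f) != 2 {
		return false, fmt.Errorf("want two fields, got %q", rangeText)
	}
	lo, err1 := strconv.ParseUint(f[0], 10, 32)
	hi, err2 := strconv.ParseUint(f[1], 10, 32)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("bad range %q", rangeText)
	}
	for _, g := range gids {
		if g >= 0 && uint64(g) >= lo && uint64(g) <= hi {
			return true, nil
		}
	}
	return false, nil
}

// hasNetRaw tests the CAP_NET_RAW bit in the CapEff line of a /proc/<pid>/status dump.
func hasNetRaw(status string) bool {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			mask, err := strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
			return err == nil && mask&(1<<capNetRaw) != 0
		}
	}
	return false
}

func main() {
	rng, _ := os.ReadFile("/proc/sys/net/ipv4/ping_group_range")
	st, _ := os.ReadFile("/proc/self/status")
	gids, _ := os.Getgroups()
	ok, err := unprivilegedOK(string(rng), append(gids, os.Getegid()))
	fmt.Println("unprivileged ICMP socket allowed:", ok, err)
	fmt.Println("CAP_NET_RAW effective (privileged ping):", hasNetRaw(string(st)))
}
```

Run inside the pod as the same user as the monitored process, it shows which of the two ping modes that security context can actually use.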
> The experimental image resolved it for me. I didn't need the annotation.

It may vary with host distribution and kernel security profiles. I'm not an expert though.
Do you have any security profiles enabled on your host? AppArmor, seccomp, SELinux, etc?
from gatus.