V 1.3 - envoy crashes in IngressGateway when non-root and global.sds enabled

rtmie · November 25, 2019, 4:22pm

I am running/trying to run istio using non-root for all containers.
When running v1.3 with global sds set to true the envoy process in the ingressgateway crashes continually. Setting the securityContext n the container to runAsUser: 0 stops the failure.

ingress-gateway log for istio-proxy

2019-11-23T09:27:50.717536Z     info    Envoy command: [-c /etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --parent-shutdown-time-s 60 --service-cluster istio-ingressgateway --service-node router~172.16.3.68~istio-ingressgateway-6f858f5685-xp6mc.istio-system~istio-system.svc.cluster.local --max-obj-name-len 189 --local-address-ip-version v4 --allow-unknown-fields -l warning --component-log-level misc:error]
[2019-11-23 09:27:50.730][23][warning][config] [external/envoy/source/server/options_impl.cc:193] --allow-unknown-fields is deprecated, use --allow-unknown-static-fields instead.
[2019-11-23 09:27:50.783][23][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:87] gRPC config stream closed: 14, no healthy upstream
[2019-11-23 09:27:50.783][23][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:50] Unable to establish new stream
[2019-11-23 09:27:52.195][60][critical][main] [external/envoy/source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)
[2019-11-23 09:27:52.195][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
[2019-11-23 09:27:52.198][83][critical][main] [external/envoy/source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)
[2019-11-23 09:27:52.198][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
[2019-11-23 09:27:52.201][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #0: Envoy::TerminateHandler::logOnTerminate()::$_0::operator()() [0x1fe6ab8]
[2019-11-23 09:27:52.204][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #0: Envoy::TerminateHandler::logOnTerminate()::$_0::operator()() [0x1fe6ab8]
[2019-11-23 09:27:52.207][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #1: [0x1fe69c9]
[2019-11-23 09:27:52.209][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #1: [0x1fe69c9]
[2019-11-23 09:27:52.213][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #2: std::__terminate() [0x22077b3]
[2019-11-23 09:27:52.215][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #2: std::__terminate() [0x22077b3]
[2019-11-23 09:27:52.219][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #3: Envoy::Config::DataSource::read() [0x1b29259]
[2019-11-23 09:27:52.220][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #3: Envoy::Config::DataSource::read() [0x1b29259]
[2019-11-23 09:27:52.225][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #4: Envoy::Extensions::GrpcCredentials::FileBasedMetadata::FileBasedMetadataAuthenticator::GetMetadata() [0xcc6930]
[2019-11-23 09:27:52.226][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #4: Envoy::Extensions::GrpcCredentials::FileBasedMetadata::FileBasedMetadataAuthenticator::GetMetadata() [0xcc6930]
[2019-11-23 09:27:52.231][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #5: grpc::MetadataCredentialsPluginWrapper::InvokePlugin() [0x1b2c60d]
[2019-11-23 09:27:52.232][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #5: grpc::MetadataCredentialsPluginWrapper::InvokePlugin() [0x1b2c60d]
[2019-11-23 09:27:52.237][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #6: std::__1::__function::__func<>::operator()() [0x1b2d3ce]
[2019-11-23 09:27:52.237][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #6: std::__1::__function::__func<>::operator()() [0x1b2d3ce]
[2019-11-23 09:27:52.243][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #7: grpc::DynamicThreadPool::ThreadFunc() [0x1b338b1]
[2019-11-23 09:27:52.243][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #7: grpc::DynamicThreadPool::ThreadFunc() [0x1b338b1]
[2019-11-23 09:27:52.248][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #8: grpc::DynamicThreadPool::DynamicThread::ThreadFunc() [0x1b33605]
[2019-11-23 09:27:52.249][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #8: grpc::DynamicThreadPool::DynamicThread::ThreadFunc() [0x1b33605]
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #9: grpc_core::(anonymous namespace)::ThreadInternalsPosix::ThreadInternalsPosix()::{lambda()#1}::__invoke() [0x1bf40d3]
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #10: start_thread [0x7fc3071b96db]
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:81] Caught Aborted, suspect faulting address 0x271100000017
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
[2019-11-23 09:27:52.254][83][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #0: __restore_rt [0x7fc3071c4890]
[2019-11-23 09:27:52.255][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #9: grpc_core::(anonymous namespace)::ThreadInternalsPosix::ThreadInternalsPosix()::{lambda()#1}::__invoke() [0x1bf40d3]
[2019-11-23 09:27:52.255][60][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #10: start_thread [0x7fc3071b96db]
2019-11-23T09:27:52.260552Z     warn    Epoch 0 terminated with an error: signal: aborted
2019-11-23T09:27:52.260574Z     warn    Aborted all epochs
2019-11-23T09:27:52.260729Z     info    Epoch 0: set retry delay to 200ms, budget to 9

If I use the upstream image for the proxy all is well (but it looks like all processes in that run as root) or setting a securityContext for the container with runAsUser: 0 also resolves.

I am using the envoy binary from the upstream deb (I had previously been building envoy form source - but same issue).

The target container was originally scratch bit to zone in on the problem I have switched to distrolesscc.
Same experience with both. The other envoys (sidecars to control plane pilot, mixer etc) do not show this issue.

Here’s my docker file:

ARG ISTIO_VERSION
FROM myartifactory.com/dev/istio-package/istiobuilder:${ISTIO_VERSION} as builder


USER root

ENV PROXY_BUILD=/home/build/proxybuild
ENV ARTIFACTS_LOG=/home/build/artifacts.txt
ENV PROXY_FOLDER=istio-proxy


RUN mkdir -p ${PROXY_BUILD}/etc/istio/proxy && \
    mkdir -p ${PROXY_BUILD}/var/log && \
    mkdir -p ${PROXY_BUILD}/var/run/sds && \
    echo "root:x:0:0:root:/root:/sbin/nologin" > ${PROXY_BUILD}/etc/passwd && \
    echo "nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin" >> ${PROXY_BUILD}/etc/passwd && \
    echo "nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin" >> ${PROXY_BUILD}/etc/passwd && \
    echo "istio-user:10001:10001:istio-user:/var/lib/istio" >>${PROXY_BUILD}/etc/passwd && \
    tar -zxf /home/build/go/src/istio.io/istio/docker/ca-certificates.tgz -C ${PROXY_BUILD} && \
    chmod 644 ${PROXY_BUILD}/etc/ssl/certs/ca-certificates.crt && \
    cp ${GOPATH}/src/istio.io/istio/pilot/docker/*.yaml.tmpl  ${PROXY_BUILD}/etc/istio/proxy && \
    tar -C ${PROXY_BUILD} -xzf /ca-certificates.tgz 
COPY envoy ${PROXY_BUILD}/envoy

FROM gcr.io/distroless/cc:latest
ARG proxy_version
ARG istio_version



ENV PROXY_BUILD=/home/build/proxybuild

COPY --from=builder --chown=10001:10001 /ca-certificates.tgz /ca-certificates.tgz
COPY --from=builder ${PROXY_BUILD}/etc/passwd /etc/passwd
COPY --from=builder ${PROXY_BUILD}/etc/ssl /etc/ssl
COPY --from=builder --chown=10001:10001 ${PROXY_BUILD}/etc/istio /etc/istio
COPY --from=builder /home/build/go/out/linux_amd64/release/pilot-agent /usr/local/bin/pilot-agent
COPY --from=builder ${PROXY_BUILD}/envoy /usr/local/bin/envoy
COPY --from=builder /home/build/go/src/istio.io/istio/tools/packaging/common/istio-iptables.sh /usr/local/bin/istio-iptables.sh

COPY --from=builder --chown=10001:10001 ${PROXY_BUILD}/var/log /var/log
COPY --from=builder --chown=10001:10001 ${PROXY_BUILD}/var/run /var/run

COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/tools/packaging/common/envoy_bootstrap_drain.json /var/lib/istio/envoy/envoy_bootstrap_drain.json
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/tools/packaging/common/envoy_bootstrap_v2.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/tools/packaging/common/sidecar.env /var/lib/istio/envoy/sidecar.env
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/pilot/docker/envoy_pilot.yaml.tmpl /etc/istio/proxy/envoy_pilot.yaml.tmpl
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/pilot/docker/envoy_telemetry.yaml.tmpl /etc/istio/proxy/envoy_telemetry.yaml.tmpl
COPY --from=builder --chown=10001:10001 /home/build/go/src/istio.io/istio/pilot/docker/envoy_policy.yaml.tmpl /etc/istio/proxy/envoy_policy.yaml.tmpl

USER istio-user

ENTRYPOINT ["/usr/local/bin/pilot-agent"]

I don’t want to run as user 0 especially on the ingressgateway

rtmie · December 11, 2019, 11:37am

Answering my own question here:
The issue here was that my envoy process could not access the jwt token for GRPC transactions. The solution wat to set fsGroup in the securityContext of the pod.

Topic		Replies	Views
"gRPC config stream closed: 13" error in Envoy proxies? Config	9	11279	August 11, 2023
Ingress/egress/sidecar proxies not running when using SDS in istio 1.5.0 Security security	5	3906	June 12, 2020
403 Envoy Filter Ext Auth	3	2741	October 14, 2020
istio-Ingressgateway pod is failing with 503 error Networking	1	1805	June 25, 2019
Envoy.ext_authz filter config for Istio 1.1.3 Networking	4	2481	January 15, 2020

V 1.3 - envoy crashes in IngressGateway when non-root and global.sds enabled

Related Topics