mirror of https://github.com/tailscale/tailscale/
wgengine/router,util/kmod: load & log xt_mark
Attempt to load the xt_mark kernel module when it is not present. If the load fails, log error information. It may be tempting to promote this failure to an error once it has been in use for some time, so as to avoid reaching an error with the iptables invocation, however, there are conditions under which the two stages may disagree - this change adds more useful breadcrumbs. Example new output from tailscaled running under my WSL2: ``` router: ensure module xt_mark: "/usr/sbin/modprobe xt_mark" failed: exit status 1; modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.10.43.3-microsoft-standard-WSL2 ``` Background: There are two places to lookup modules, one is `/proc/modules` "old", the other is `/sys/module/` "new". There was query_modules(2) in linux <2.6, alas, it is gone. In a docker container in the default configuration, you would get /proc/modules and /sys/module/ both populated. lsmod may work file, modprobe will fail with EPERM at `finit_module()` for an unpriviliged container. In a priviliged container the load may *succeed*, if some conditions are met. This condition should be avoided, but the code landing in this change does not attempt to avoid this scenario as it is both difficult to detect, and has a very uncertain impact. In an nspawn container `/proc/modules` is populated, but `/sys/module` does not exist. Modern `lsmod` versions will fail to gather most module information, without sysfs being populated with module information. In WSL2 modules are likely missing, as the in-use kernel typically is not provided by the distribution filesystem, and WSL does not mount in a module filesystem of its own. Notably the WSL2 kernel supports iptables marks without listing the xt_mark module in /sys/module, and /proc/modules is empty. On a recent kernel, we can ask the capabilities system about SYS_MODULE, that will help to disambiguate between the non-privileged container case and just being root. On older kernels these calls may fail. Update #4329 Signed-off-by: James Tucker <james@tailscale.com>pull/4480/head
James Tucker
2 years ago
committed by
James Tucker
parent
f7cb6630e7
commit
8d6793fd70
@ -0,0 +1,31 @@
|
||||
// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
//go:build linux
|
||||
// +build linux
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"tailscale.com/util/kmod"
|
||||
)
|
||||
|
||||
func main() {
|
||||
if len(os.Args) != 2 {
|
||||
fmt.Fprintln(os.Stderr, "error: a module name must be supplied")
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
done, err := kmod.EnsureModule(os.Args[1])
|
||||
if done {
|
||||
os.Exit(0)
|
||||
}
|
||||
if err != nil {
|
||||
fmt.Fprintf(os.Stderr, "%s\n", err)
|
||||
}
|
||||
os.Exit(1)
|
||||
}
|
||||
@ -0,0 +1,161 @@
|
||||
// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
//go:build linux
|
||||
// +build linux
|
||||
|
||||
// Package kmod provides a simple API to attempt to ensure that a kernel
|
||||
// module is loaded in a wide variety of environments, and otherwise
|
||||
// report descriptive loggable error strings.
|
||||
// This package does not have extensive unit testing, as the broader set
|
||||
// of challenges associated with the package come from a wide variety of
|
||||
// distribution and linux version differences that are problematic to
|
||||
// mock/stub/emulate, including syscall boundary behaviors. The program
|
||||
// `ensuremod` is kept nearby the source that provides a method for
|
||||
// integration testing.
|
||||
package kmod
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
|
||||
"go4.org/mem"
|
||||
"golang.org/x/sys/unix"
|
||||
"kernel.org/pub/linux/libs/security/libcap/cap"
|
||||
"pault.ag/go/modprobe"
|
||||
"tailscale.com/util/lineread"
|
||||
"tailscale.com/util/multierr"
|
||||
)
|
||||
|
||||
// hasKernelModule attempts to find a kernel module by name using procfs and
|
||||
// sysfs. If the module is found to be loaded, true is returned, in all other
|
||||
// cases false is returned, regardless of errors or a missing module.
|
||||
func hasKernelModule(name string) (bool, error) {
|
||||
if _, err := os.Stat(filepath.Join("/sys/module", name)); err == nil {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
prefix := mem.S(name + " ")
|
||||
stopFound := errors.New("")
|
||||
|
||||
err := lineread.File("/proc/modules", func(line []byte) error {
|
||||
if mem.HasPrefix(mem.B(line), prefix) {
|
||||
return stopFound
|
||||
}
|
||||
return nil
|
||||
})
|
||||
if err == stopFound {
|
||||
return true, nil
|
||||
}
|
||||
if err != nil {
|
||||
err = fmt.Errorf("module %s not found in /sys/module or /proc/modules: %w", name, err)
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
|
||||
// canInstallModule attempts to determine if the current process has sufficient
|
||||
// privilege to install modules. If the capabilities API can be queried without
|
||||
// error, then the result depends on the SYS_MODULE effective capability,
|
||||
// otherwise returns true only if the current process is running as root. A
|
||||
// result of true implies that it may be worth trying to install a module, not
|
||||
// that doing so will work.
|
||||
func canInstallModule() (bool, error) {
|
||||
caps, err := cap.GetPID(0) // 0 = current process
|
||||
if err == nil {
|
||||
// errors from GetFlag are either due to the receiver being
|
||||
// uninitialized, or the kernel gave junk results, both of which aren't
|
||||
// very meaningful out of context to a user, so this error is mostly
|
||||
// ignored.
|
||||
b, err := caps.GetFlag(cap.Effective, cap.SYS_MODULE)
|
||||
if err == nil {
|
||||
return b, nil
|
||||
}
|
||||
}
|
||||
|
||||
// could not determine a well known result from capabilities, make an
|
||||
// assumption based on uid.
|
||||
if os.Getuid() == 0 {
|
||||
return true, nil
|
||||
}
|
||||
return false, fmt.Errorf("not running as root, and unable to check kernel module capabilities")
|
||||
}
|
||||
|
||||
// firstExecutable checks paths for a path that exists and is executable by the current user.
|
||||
func firstExecutable(paths ...string) string {
|
||||
for _, path := range paths {
|
||||
if unix.Access(path, unix.X_OK) == nil {
|
||||
return path
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// runModprobe runs `modprobePath name` and reports summary error output on error.
|
||||
func runModprobe(name, modprobePath string) error {
|
||||
cmd := exec.Command(modprobePath, name)
|
||||
out, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
err = fmt.Errorf("%q failed: %w; %s", fmt.Sprintf("%s %s", modprobePath, name), err, bytes.TrimSpace(out))
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// tryInstallModule attempts to find a modprobe binary to run either in
|
||||
// well-known paths, or in $PATH, and runs it. If it can not find a modprobe to
|
||||
// run, it instead falls back to a syscall interface to attempt to install a
|
||||
// module.
|
||||
func tryInstallModule(name string) error {
|
||||
path := firstExecutable("/usr/sbin/modprobe", "/sbin/modprobe")
|
||||
if path != "" {
|
||||
return runModprobe(name, path)
|
||||
}
|
||||
path, err := exec.LookPath("modprobe")
|
||||
if err == nil {
|
||||
return runModprobe(name, path)
|
||||
}
|
||||
|
||||
err = modprobe.Load(name, "")
|
||||
if err != nil {
|
||||
err = fmt.Errorf("unable to find modprobe(1), and load of module %s failed with: %w", name, err)
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// EnsureModule attempts to ensure that the given module is installed, returning
|
||||
// true only if it has been found or successfully installed, otherwise false is
|
||||
// returned along with a list of informational errors about probe attempts.
|
||||
func EnsureModule(name string) (bool, error) {
|
||||
has, hasErr := hasKernelModule(name)
|
||||
if has {
|
||||
return has, nil
|
||||
}
|
||||
var errors []error
|
||||
if hasErr != nil {
|
||||
errors = append(errors, hasErr)
|
||||
}
|
||||
|
||||
can, canErr := canInstallModule()
|
||||
if can && canErr != nil {
|
||||
errors = append(errors, canErr)
|
||||
}
|
||||
if !can {
|
||||
if canErr == nil {
|
||||
errors = append(errors, fmt.Errorf("module %q not found, and current user can not install modules", name))
|
||||
}
|
||||
}
|
||||
|
||||
if can {
|
||||
if err := tryInstallModule(name); err == nil {
|
||||
return true, nil
|
||||
} else {
|
||||
errors = append(errors, err)
|
||||
}
|
||||
}
|
||||
|
||||
return false, multierr.New(errors...)
|
||||
}
|
||||
Loading…
Reference in New Issue