mirror of
https://github.com/tailscale/tailscale.git
synced 2025-10-24 17:48:57 +00:00
wgengine/router,util/kmod: load & log xt_mark
Attempt to load the xt_mark kernel module when it is not present. If the load fails, log error information. It may be tempting to promote this failure to an error once it has been in use for some time, so as to avoid reaching an error with the iptables invocation, however, there are conditions under which the two stages may disagree - this change adds more useful breadcrumbs. Example new output from tailscaled running under my WSL2: ``` router: ensure module xt_mark: "/usr/sbin/modprobe xt_mark" failed: exit status 1; modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.10.43.3-microsoft-standard-WSL2 ``` Background: There are two places to lookup modules, one is `/proc/modules` "old", the other is `/sys/module/` "new". There was query_modules(2) in linux <2.6, alas, it is gone. In a docker container in the default configuration, you would get /proc/modules and /sys/module/ both populated. lsmod may work file, modprobe will fail with EPERM at `finit_module()` for an unpriviliged container. In a priviliged container the load may *succeed*, if some conditions are met. This condition should be avoided, but the code landing in this change does not attempt to avoid this scenario as it is both difficult to detect, and has a very uncertain impact. In an nspawn container `/proc/modules` is populated, but `/sys/module` does not exist. Modern `lsmod` versions will fail to gather most module information, without sysfs being populated with module information. In WSL2 modules are likely missing, as the in-use kernel typically is not provided by the distribution filesystem, and WSL does not mount in a module filesystem of its own. Notably the WSL2 kernel supports iptables marks without listing the xt_mark module in /sys/module, and /proc/modules is empty. On a recent kernel, we can ask the capabilities system about SYS_MODULE, that will help to disambiguate between the non-privileged container case and just being root. On older kernels these calls may fail. Update #4329 Signed-off-by: James Tucker <james@tailscale.com>
This commit is contained in:

committed by
James Tucker

parent
f7cb6630e7
commit
8d6793fd70
@@ -165,9 +165,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
||||
inet.af/netaddr from inet.af/wf+
|
||||
inet.af/peercred from tailscale.com/ipn/ipnserver
|
||||
W 💣 inet.af/wf from tailscale.com/wf
|
||||
L 💣 kernel.org/pub/linux/libs/security/libcap/cap from tailscale.com/util/kmod
|
||||
L kernel.org/pub/linux/libs/security/libcap/psx from kernel.org/pub/linux/libs/security/libcap/cap
|
||||
L nhooyr.io/websocket from tailscale.com/derp/derphttp+
|
||||
L nhooyr.io/websocket/internal/errd from nhooyr.io/websocket
|
||||
L nhooyr.io/websocket/internal/xsync from nhooyr.io/websocket
|
||||
L pault.ag/go/modprobe from tailscale.com/util/kmod
|
||||
L pault.ag/go/topsort from pault.ag/go/modprobe
|
||||
tailscale.com from tailscale.com/version
|
||||
tailscale.com/atomicfile from tailscale.com/ipn+
|
||||
LD tailscale.com/chirp from tailscale.com/cmd/tailscaled
|
||||
@@ -260,6 +264,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
||||
tailscale.com/util/dnsname from tailscale.com/hostinfo+
|
||||
LW tailscale.com/util/endian from tailscale.com/net/dns+
|
||||
tailscale.com/util/groupmember from tailscale.com/ipn/ipnserver
|
||||
L tailscale.com/util/kmod from tailscale.com/wgengine/router
|
||||
tailscale.com/util/lineread from tailscale.com/hostinfo+
|
||||
tailscale.com/util/multierr from tailscale.com/cmd/tailscaled+
|
||||
tailscale.com/util/netconv from tailscale.com/wgengine/magicsock
|
||||
@@ -329,6 +334,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
||||
bytes from bufio+
|
||||
compress/flate from compress/gzip+
|
||||
compress/gzip from golang.org/x/net/http2+
|
||||
L compress/zlib from debug/elf
|
||||
container/heap from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
|
||||
container/list from crypto/tls+
|
||||
context from crypto/tls+
|
||||
@@ -352,6 +358,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
||||
crypto/tls from github.com/aws/aws-sdk-go-v2/aws/transport/http+
|
||||
crypto/x509 from crypto/tls+
|
||||
crypto/x509/pkix from crypto/x509+
|
||||
L debug/dwarf from debug/elf
|
||||
L debug/elf from pault.ag/go/modprobe
|
||||
embed from crypto/elliptic+
|
||||
encoding from encoding/json+
|
||||
encoding/asn1 from crypto/x509+
|
||||
@@ -366,6 +374,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
|
||||
flag from tailscale.com/cmd/tailscaled+
|
||||
fmt from compress/flate+
|
||||
hash from crypto+
|
||||
L hash/adler32 from compress/zlib
|
||||
hash/crc32 from compress/gzip+
|
||||
hash/fnv from gvisor.dev/gvisor/pkg/tcpip/network/ipv6+
|
||||
hash/maphash from go4.org/mem
|
||||
|
Reference in New Issue
Block a user