zerkms

Events

[prometheus-blackbox-exporter] Adding NET_RAW capability is not enough to run rootless container

Describe the bug

If only a container securityContext with the NET_RAW capability is added, it isn't enough to run rootless.

Prober would fail with the following logs:

ts=2022-09-23T03:40:29.727021679Z caller=main.go:144 module=icmp target=xtr-srv05-idrac.wialus.co.nz level=info msg="Creating socket"
ts=2022-09-23T03:40:29.727065001Z caller=main.go:144 module=icmp target=xtr-srv05-idrac.wialus.co.nz level=debug msg="Unable to do unprivileged listen on socket, will attempt privileged" err="socket: permission denied"
ts=2022-09-23T03:40:29.727094666Z caller=main.go:144 module=icmp target=xtr-srv05-idrac.wialus.co.nz level=error msg="Error listening to socket" err="listen ip4:icmp 0.0.0.0: socket: operation not permitted"
ts=2022-09-23T03:40:29.727127158Z caller=main.go:352 module=icmp target=xtr-srv05-idrac.wialus.co.nz level=error msg="Probe failed" duration_seconds=0.049229119

What it's missing is setting net.ipv4.ping_group_range too in the pod's securityContext:

      securityContext:
        sysctls:
          - name: net.ipv4.ping_group_range
            value: "0 2147483647"

See also: https://github.com/prometheus/blackbox_exporter/issues/147#issuecomment-901302559

What's your helm version?

n/a

What's your kubectl version?

n/a

Which chart?

prometheus-blackbox-exporter

What's the chart version?

7.1.0


Created at 1 week ago
issue comment
Postgres: public should not be considered a "application schema" and should be ignored the same as other system schema from `getSchemaNames`

If you believe that the current behavior needs to change, please file a new issue and state a problem

https://github.com/doctrine/dbal/issues/1110 <--- it already was explained 7 years ago, the problem hasn't changed since then.

Created at 1 week ago

Skip unnecessary node events in config reconciler

The config controller watches node events to populate l2 and bgp advertisement objects with selected nodes based on node selector labels.

But currently a change in the node results in reprocessing the configuration, which results in reprocessing the services. This results in an unnecessary CPU load.

Hence this change skips processing unnecessary node events other than node create, node update (if it's with new labels) and node delete events.

Signed-off-by: Periyasamy Palanisamy pepalani@redhat.com

Fixing broken link in configuration docs

The link references the markdown file that Hugo uses, which isn't the actual path to the API documentation.

Added missing group to the validating webhook deploy kustomization

Otherwise it reports

Error: accumulating resources: recursed accumulation of path 'metallb/base/config/native': accumulating resources: recursed accumulation of path 'metallb/base/config/webhook': no matches for OriginalId ~G_v1_ValidatingWebhookConfiguration|~X|validating-webhook-configuration; no matches for CurrentId ~G_v1_ValidatingWebhookConfiguration|~X|validating-webhook-configuration; failed to find unique target for patch ~G_v1_ValidatingWebhookConfiguration|validating-webhook-configuration

for the kustomize build ...

Created at 1 week ago
[suggestion] Omitting metrics if not success

@IMAGNUMI https://prometheus.io/docs/prometheus/latest/querying/basics/#offset-modifier

Created at 1 week ago
Created at 2 weeks ago
issue comment
Using version comparison instead of api availability check makes it less portable

/remove-lifecycle stale

Created at 2 weeks ago
issue comment
Added missing `group` to the validating webhook deploy kustomization

I'm conservative I know :-D

{Version:kustomize/v3.5.4 GitCommit:3af514fa9f85430f0c1557c4a0291e62112ab026 BuildDate:2020-01-11T03:12:59Z GoOs:linux GoArch:amd64}

Upgrading a version is a bit of a challenge in this environment, so I expected feedback like yours but unfortunately could not easily verify it.

In that case - I think we just close it.

Created at 3 weeks ago
issue comment
RememberMe cookie should only contain the bare minimum of details

@nicolas-grekas

but in Symfony 7.1, we'll be able to deprecate passing 4 arguments to the constructor

is it not possible to deprecate it now in 6.x and entirely remove in 7.x?

Created at 3 weeks ago
issue comment
RememberMe cookie should only contain the bare minimum of details

@vasilvestre

May be wrong but it breaks your code (that's what BC is about)

it does not.

Created at 3 weeks ago
pull request opened
Added missing `group` to the validating webhook deploy kustomization

Otherwise it reports

Error: accumulating resources: recursed accumulation of path 'metallb/base/config/native': accumulating resources: recursed accumulation of path 'metallb/base/config/webhook': no matches for OriginalId ~G_v1_ValidatingWebhookConfiguration|~X|validating-webhook-configuration; no matches for CurrentId ~G_v1_ValidatingWebhookConfiguration|~X|validating-webhook-configuration; failed to find unique target for patch ~G_v1_ValidatingWebhookConfiguration|validating-webhook-configuration

for the kustomize build ...
Created at 3 weeks ago

Bug #42343 [Security] Fix valid remember-me token exposure to the second consequent request

Close https://github.com/symfony/symfony/issues/42343 Fix https://github.com/symfony/symfony/pull/46760

Created at 3 weeks ago
issue comment
RememberMe cookie should only contain the bare minimum of details

RememberMe is a short living cookie, it's not a broken experience if a user needs to reauthenticate.

No need for any BC layers - just release it and make users reauthenticate.

Created at 3 weeks ago
issue comment
Fix double authentication via RememberMe resulting in wrong RememberMe cookie being set in client

https://github.com/symfony/symfony/pull/47488 PR is published.

Created at 3 weeks ago
pull request opened
Bug #42343 [Security] Fix valid remember-me token exposure to the second consequent request

Close https://github.com/symfony/symfony/issues/42343 Fix https://github.com/symfony/symfony/pull/46760

| Q | A |
| ------------- | --- |
| Branch? | 5.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | Fix #42343, Fix #46760 |
| License | MIT |
| Doc PR | symfony/symfony-docs#... |

https://github.com/symfony/symfony/pull/46760 PR together with a fix produces a security vulnerability where a malicious actor may get a new and valid remember-me token if they make a request right after the legit user.

Created at 3 weeks ago
create branch
zerkms create branch 42343-remember-me-cookie-2nd-request
Created at 3 weeks ago
issue comment
Fix double authentication via RememberMe resulting in wrong RememberMe cookie being set in client

PR is coming, it does not need a dedicated report, all details have already been exposed here.

Created at 3 weeks ago
issue comment
Fix double authentication via RememberMe resulting in wrong RememberMe cookie being set in client

Btw, PR is coming in next 10-15 minutes.

Created at 3 weeks ago
issue comment
RememberMe cookie should only contain the bare minimum of details

@wouterj how about removing it in a backward incompatible manner? There is Symfony 7, where it can be done.

Created at 3 weeks ago
delete branch
zerkms delete branch I42637-toctou-cachetokenverifier
Created at 3 weeks ago

[Serializer] Respect default context in DateTimeNormalizer::denormalize

fixes #29030

[HttpKernel] [HttpCache] Don't throw on 304 Not Modified

[Translation] [LocoProvider] Add content-type for POST translations

[Config] Fix using null values with config builders

[HttpClient] minor cs fix

[HttpClient] Move Content-Type after Content-Length

bug #45813 [HttpClient] Move Content-Type after Content-Length (nicolas-grekas)

This PR was merged into the 4.4 branch.

Discussion

[HttpClient] Move Content-Type after Content-Length

| Q | A |
| ------------- | --- |
| Branch? | 4.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | - |
| License | MIT |
| Doc PR | - |

Some nitpicking found after opening php-src. See https://bugs.php.net/44603

Commits

b87868a6e7 [HttpClient] Move Content-Type after Content-Length

Improve testsuite

minor #45792 Improve testsuite (blueForman)

This PR was squashed before being merged into the 4.4 branch.

Discussion

Improve testsuite

| Q | A |
| ------------- | --- |
| Branch? | 4.4 |
| Bug fix? | no |
| New feature? | no |
| Deprecations? | no |
| Tickets | |
| License | MIT |
| Doc PR | symfony/symfony-docs#... |

Work done: Integration tests are excluded from unit testsuite because:

  • they are already tested in integration testsuite
  • they rely on environment and because of that they become skipped
  • they generate a huge list of false skipped tests in unit testsuite

Fixed Predis Client initialization in CombinedStoreTest because array_combine(['host', 'port'], explode(':', getenv('REDIS_HOST')) + [1 => null]) always results in localhost: as redis host which fails in host resolving

Commits

99c69e1f1c Improve testsuite

[HttpClient] Let curl handle Content-Length headers

bug #45814 [HttpClient] Let curl handle Content-Length headers (nicolas-grekas)

This PR was merged into the 4.4 branch.

Discussion

[HttpClient] Let curl handle Content-Length headers

| Q | A |
| ------------- | --- |
| Branch? | 4.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | Fix #45709 |
| License | MIT |
| Doc PR | - |

Commits

63f8f1edb6 [HttpClient] Let curl handle Content-Length headers

[Mailer] Preserve case of headers

[Cache] Declaratively declare/hide DoctrineProvider to avoid breaking static analysis

minor #45703 [Cache] Declaratively declare/hide DoctrineProvider to avoid breaking static analysis (Jean85)

This PR was submitted for the 5.4 branch but it was squashed and merged into the 4.4 branch instead.

Discussion

[Cache] Declaratively declare/hide DoctrineProvider to avoid breaking static analysis

| Q | A |
| ------------- | --- |
| Branch? | 4.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | https://github.com/vimeo/psalm/issues/7680 |
| License | MIT |

I encountered this issue while upgrading both Psalm and Symfony. The DoctrineProvider got deprecated, and dropped somehow the transient dependency on doctrine/common. This meant that the Psalm loading step breaks while reading vendor, even if the class is unused, due to its extension of a missing class:

Uncaught Error: Class "Doctrine\Common\Cache\CacheProvider" not found in /var/www/insight/core/vendor/symfony/cache/DoctrineProvider.php:23

This optional declaration solves the issue, without impacting the code, since it would be broken if we tried to load it outside that class_exists condition.

Commits

1643e250a8 [Cache] Declaratively declare/hide DoctrineProvider to avoid breaking static analysis

Merge branch '4.4' into 5.4

  • 4.4:
    [Cache] Declaratively declare/hide DoctrineProvider to avoid breaking static analysis
    [HttpClient] Let curl handle Content-Length headers
    Improve testsuite
    [HttpClient] Move Content-Type after Content-Length
    [HttpClient] minor cs fix

bug #45789 [Config] Fix using null values with config builders (HypeMC)

This PR was merged into the 5.4 branch.

Discussion

[Config] Fix using null values with config builders

| Q | A |
| ------------- | --- |
| Branch? | 5.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | Fix #45782 |
| License | MIT |
| Doc PR | - |

The generated config builders will no longer discard null values.

Commits

1264225f4e [Config] Fix using null values with config builders

[FrameworkBundle] Fix exit codes in debug:translation command

The --only-missing and --only-unused options should be independent of each other.

When using the --only-missing option, only missing messages should be relevant to the outcome of the execution. If there are no missing messages, but some unused messages, the execution of the command was still successful and no non-zero exit code should be returned.

The same applies when using the --only-unused option. In this case, only unused messages should be relevant to the execution result, even if there are some missing messages.

bug #45787 [FrameworkBundle] Fix exit codes in debug:translation command (gndk)

This PR was merged into the 5.4 branch.

Discussion

[FrameworkBundle] Fix exit codes in debug:translation command

| Q | A |
| ------------- | --- |
| Branch? | 5.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | - |
| License | MIT |
| Doc PR | - |

I noticed this bug while working on a CI job to check translations with debug:translation --only-missing. The output of the command was empty (no results in the table), so there were no missing messages. But the command still failed with non-zero exit code.

After a bit of investigation I noticed that there were no missing messages, but a few unused messages. And the command failed with the exit code for unused messages, despite running it with --only-missing. After confirming this as the problem, the fix was pretty straightforward.

The --only-missing and --only-unused options should be independent of each other.

When using the --only-missing option, only missing messages should be relevant to the outcome of the execution. If there are no missing messages, but some unused messages, the execution of the command was still successful and no non-zero exit code should be returned.

The same applies when using the --only-unused option. In this case, only unused messages should be relevant to the execution result, even if there are some missing messages.

Commits

5439bf299b [FrameworkBundle] Fix exit codes in debug:translation command

Revert "bug #45813 [HttpClient] Move Content-Type after Content-Length (nicolas-grekas)"

This reverts commit 13e0671ff9222d6797c5a44593c1a09f65e8a738, reversing changes made to 01f674975a2dd27340aab9b6e7402bc0aee8423f.

Merge branch '4.4' into 5.4

  • 4.4: Revert "bug #45813 [HttpClient] Move Content-Type after Content-Length (nicolas-grekas)"
Created at 3 weeks ago
issue comment
Fix double authentication via RememberMe resulting in wrong RememberMe cookie being set in client

@wouterj it's a security vulnerability report, do we really need a PR to explain how the series-based remember me works?

Created at 3 weeks ago
issue comment
[stable/node-problem-detector] Remove deprecated critical-pod annotation

Yep, done, thanks :-)

Created at 4 weeks ago

[stable/node-problem-detector] Remove deprecated critical-pod annotation

And set system-node-critical as a default priorityClass

Created at 4 weeks ago
issue comment
[stable/node-problem-detector] switch from scheduler.alpha.kubernetes.io/critical-pod to priorityClassName

https://github.com/deliveryhero/helm-charts/pull/374

Created at 4 weeks ago
pull request opened
[stable/node-problem-detector] Remove deprecated critical-pod annotation

And set system-node-critical as a default priorityClass

Description

In kubernetes v1.16 scheduler.alpha.kubernetes.io/critical-pod annotation was deprecated and priorityClassName is supposed to be used instead.

Checklist

  • [x] Title of the PR starts with chart name (e.g. [stable/mychartname])
  • [x] I have read the contribution instructions, bumped chart version and regenerated the docs
  • [x] Github actions are passing
Created at 4 weeks ago
zerkms create branch 373-npd-priotity-class
Created at 4 weeks ago