30 Apr 2021 10:01 AM - last edited on 17 Nov 2021 01:39 PM by MaciejNeumann
Dear All,
We experiencing an issue with LD_PRELOAD on OKD4.
When a contianer tries to ld preload iboneagentproc.so get the following error:
toolbox@w14-alpine-user:/opt/dynatrace$ ls
ERROR: ld.so: object '/opt/dynatrace/oneagent/agent/bin/current/linux-x86-64/liboneagentproc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
oneagent
We get this error message after every command inside the container.
OKD version: Server Version: 4.7.0-0.okd-2021-03-07-090821
OS release:
NAME=Fedora
VERSION="33.20210217.3.0 (CoreOS)"
This error message caused by permission denied when accessing the "/opt/dynatrace/oneagent" directory:
toolbox@w14-alpine-user:/opt$ ls -laZ
ERROR: ld.so: object '/opt/dynatrace/oneagent/agent/bin/current/linux-x86-64/liboneagentproc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
total 0
drwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c25,c40 23 Apr 30 08:06 .
drwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c25,c40 62 Apr 30 08:06 ..
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0:c25,c40 22 Apr 30 08:06 dynatrace
toolbox@w14-alpine-user:/opt$ cd dynatrace/
toolbox@w14-alpine-user:/opt/dynatrace$ ls -laZ
ERROR: ld.so: object '/opt/dynatrace/oneagent/agent/bin/current/linux-x86-64/liboneagentproc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
total 0
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0:c25,c40 22 Apr 30 08:06 .
drwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c25,c40 23 Apr 30 08:06 ..
drwxr-xr-x. 4 root root system_u:object_r:var_t:s0 79 Apr 28 14:15 oneagent
toolbox@w14-alpine-user:/opt/dynatrace$ cd oneagent/
toolbox@w14-alpine-user:/opt/dynatrace/oneagent$ ls -laZ
ERROR: ld.so: object '/opt/dynatrace/oneagent/agent/bin/current/linux-x86-64/liboneagentproc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ls: cannot open directory '.': Permission denied
toolbox@w14-alpine-user:/opt/dynatrace/oneagent$
Additional information: We find that running the container in privileged mode solves this issue, but this is not an option for us for security reasons.
Also for security reasons we use custom user inside the containers specified in Dockerfiles (eg.: USER toolbox). Without specifying the user inside the docker file the ld preload error message is gone.
So lowering the security level is not an option for us.
Any help is appreciated!
Best Regards,
Janos Vincze
Solved! Go to Solution.
03 May 2021 02:33 AM - edited 03 May 2021 02:33 AM
Hi Janos,
For right now, the OKD4 is not listed on the supported Kubernetes distributions.
Dynatrace Support may still be able to assist you, but will be limited what they can offer here in this case.
I'd recommend opening a product idea topic to suggest support for OKD4 distributions.
As for the issue you are facing, you may find the OneAgent permissions on Linux Help topic to be helpful. The OneAgent installer is responsible for setting up the LD_PRELOAD to include in the Linux system libraries. For the OneAgent directories, these will have had permissions set up to enable appropriate read/write access for the processes that load the libraries, as they run under another user context. If these had been modified by anyone/anything else after installation, then that won't be supported and may cause issues as you are facing.
There's also alternative deployment strategies for Kubernetes/OpenShift as described on this topic.