Solved: LD_PRELOAD problem on OKD4

janos_vincze · ‎30 Apr 2021

Dear All,

We experiencing an issue with LD_PRELOAD on OKD4.

When a contianer tries to ld preload iboneagentproc.so get the following error:

toolbox@w14-alpine-user:/opt/dynatrace$ ls
ERROR: ld.so: object '/opt/dynatrace/oneagent/agent/bin/current/linux-x86-64/liboneagentproc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
oneagent

We get this error message after every command inside the container.

OKD version: Server Version: 4.7.0-0.okd-2021-03-07-090821

OS release:

NAME=Fedora
VERSION="33.20210217.3.0 (CoreOS)"

This error message caused by permission denied when accessing the "/opt/dynatrace/oneagent" directory:

toolbox@w14-alpine-user:/opt$ ls -laZ
ERROR: ld.so: object '/opt/dynatrace/oneagent/agent/bin/current/linux-x86-64/liboneagentproc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
total 0
drwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c25,c40 23 Apr 30 08:06 .
drwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c25,c40 62 Apr 30 08:06 ..
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0:c25,c40 22 Apr 30 08:06 dynatrace

toolbox@w14-alpine-user:/opt$ cd dynatrace/
toolbox@w14-alpine-user:/opt/dynatrace$ ls -laZ
ERROR: ld.so: object '/opt/dynatrace/oneagent/agent/bin/current/linux-x86-64/liboneagentproc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
total 0
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0:c25,c40 22 Apr 30 08:06 .
drwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c25,c40 23 Apr 30 08:06 ..
drwxr-xr-x. 4 root root system_u:object_r:var_t:s0                    79 Apr 28 14:15 oneagent


toolbox@w14-alpine-user:/opt/dynatrace$ cd oneagent/
toolbox@w14-alpine-user:/opt/dynatrace/oneagent$ ls -laZ
ERROR: ld.so: object '/opt/dynatrace/oneagent/agent/bin/current/linux-x86-64/liboneagentproc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ls: cannot open directory '.': Permission denied
toolbox@w14-alpine-user:/opt/dynatrace/oneagent$

Additional information: We find that running the container in privileged mode solves this issue, but this is not an option for us for security reasons.

Also for security reasons we use custom user inside the containers specified in Dockerfiles (eg.: USER toolbox). Without specifying the user inside the docker file the ld preload error message is gone.

So lowering the security level is not an option for us.

Any help is appreciated!

Best Regards,

Janos Vincze

The_AM · ‎03 May 2021

Hi Janos,

For right now, the OKD4 is not listed on the supported Kubernetes distributions.

Dynatrace Support may still be able to assist you, but will be limited what they can offer here in this case.

I'd recommend opening a product idea topic to suggest support for OKD4 distributions.

As for the issue you are facing, you may find the OneAgent permissions on Linux Help topic to be helpful. The OneAgent installer is responsible for setting up the LD_PRELOAD to include in the Linux system libraries. For the OneAgent directories, these will have had permissions set up to enable appropriate read/write access for the processes that load the libraries, as they run under another user context. If these had been modified by anyone/anything else after installation, then that won't be supported and may cause issues as you are facing.

There's also alternative deployment strategies for Kubernetes/OpenShift as described on this topic.

Regards,
Andrew M.