qcs-sensor chart not compatible with our IPv6 EKS cluster #4

@cnemo-cenic

When deploying on our IPv6 EKS cluster with pretty standard values, pods keep crashing and log error messages about URL format.

values:

    qualys: {
        namespace: namespace.metadata.name,
        customerID: config.getSecret("qualys-container-security-customer-id"),
        activationID: config.getSecret("qualys-container-security-activation-id"),
        pod_url: config.getSecret("qualys-container-security-pod-url"),
        args: {
            withoutPersistentStorage: true,
            enableConsoleLogs: true,
        },
    },

Logs:

2025-02-28 22:34:01.070 [qpa-1.36.1-0][8]:[Information]:[7f6f3371c880] All the logs are re-directed to the console. No logs data will be written in persistent storage.
2025-02-28 22:34:01.074 [qpa-1.36.1-0][8]:[Information]:[7f6f3371c880] Initializing sensor monitoring service: '/usr/local/qualys/qpa/bin/qpamon --k8s-mode --container-runtime containerd --sensor-without-persistent-storage --enable-console-logs --optimize-image-scans --scan-thread-pool-size 4 --log-filepurgecount 5 --log-filesize 10M --log-level 3 --sca-scan-timeout-in-seconds 900 --storage-driver-type overlay '
2025-02-28 22:34:01.074 [qpa-1.36.1-0][8]:[Information]:[7f6f3371c880] Initialized sensor monitoring service
2025-02-28 22:34:01.074 [qpa-1.36.1-0][8]:[Information]:[7f6f3371c880] Sensor monitoring service started.
2025-02-28 22:34:01.075 [qpa-1.36.1-0][8]:[Information]:[7f6f3371c880] Launching sensor service
2025-02-28 22:34:01.204 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] Initializing sensor service: '/usr/local/qualys/qpa/bin/qpa --k8s-mode --container-runtime containerd --sensor-without-persistent-storage --optimize-image-scans --scan-thread-pool-size 4 --log-filepurgecount 5 --log-filesize 10M --log-level 3 --sca-scan-timeout-in-seconds 900 --storage-driver-type overlay '
2025-02-28 22:34:01.204 [qpa-1.36.1-0][9]:[Warning]:[7f58a9773300] "--disable-features" will not be used as SCA scan is disabled
2025-02-28 22:34:01.205 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] Initialized sensor service
2025-02-28 22:34:01.209 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] Kubernetes API server uri is https://fd55:1111:2222::1:443
2025-02-28 22:34:01.404 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] Failed to read Retry Count from Config db:not an error
2025-02-28 22:34:01.406 [qpa-1.36.1-0][9]:[Warning]:[7f58a9773300] Invalid failover server uri, set to :
2025-02-28 22:34:01.406 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] Failover settings: server uri: , port: 443, useSecureChannel: true
2025-02-28 22:34:01.406 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] It's a public POD container image, disble binary download as well as AU even if autoupdate is enabled
2025-02-28 22:34:01.406 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] Loading throttle intervals from config db
2025-02-28 22:34:01.406 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] GeneralSensor
2025-02-28 22:34:01.406 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] THROTTLE_EVENT_SCAN : 100
2025-02-28 22:34:01.406 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] INTERVAL_EVENT_COMM_UPLOAD : 0
2025-02-28 22:34:01.406 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] THROTTLE_EVENT_COMM_DOWNLOAD : 0
2025-02-28 22:34:01.406 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] RegistrySensor
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] THROTTLE_EVENT_SCAN : 100
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] INTERVAL_EVENT_COMM_UPLOAD : 0
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] THROTTLE_EVENT_COMM_DOWNLOAD : 0
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] CICDSensor
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] THROTTLE_EVENT_SCAN : 0
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] INTERVAL_EVENT_COMM_UPLOAD : 0
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] THROTTLE_EVENT_COMM_DOWNLOAD : 0
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] SERVERLESS_FARGATE
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] THROTTLE_EVENT_SCAN : 0
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] INTERVAL_EVENT_COMM_UPLOAD : 0
2025-02-28 22:34:01.407 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] THROTTLE_EVENT_COMM_DOWNLOAD : 0
2025-02-28 22:34:01.410 [qpa-1.36.1-0][9]:[Warning]:[7f58a9773300] INTERVAL_EVENT_UPLOAD_DOCKER_INVENTORY_INFO- interval:0 seconds is less than minimal value, set to minimal val:30 seconds
2025-02-28 22:34:01.410 [qpa-1.36.1-0][9]:[Warning]:[7f58a9773300] INTERVAL_EVENT_MONITOR_UPGRADE- interval:120 seconds is greater than max value, set to max val:60 seconds
2025-02-28 22:34:01.410 [qpa-1.36.1-0][9]:[Warning]:[7f58a9773300] INTERVAL_EVENT_JAPI- interval:0 seconds is less than minimal value, set to minimal val:60 seconds
2025-02-28 22:34:01.410 [qpa-1.36.1-0][9]:[Warning]:[7f58a9773300] INTERVAL_EVENT_LOG_SENSOR_PERFORMANCE_STATS- interval:0 seconds is less than minimal value, set to minimal val:30 seconds
2025-02-28 22:34:01.414 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] Sensor will be running with POD_URL = [https://<redacted>.apps.qualys.com/ContainerSensor]
2025-02-28 22:34:01.432 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] DOWNWARD API, QUALYS_POD_NAME :: qualys-container-sensor-bgjsl, QUALYS_POD_NAMESPACE :: qualys-container-security
2025-02-28 22:34:01.434 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] Web service uri: 'https://fd55:1111:2222::1:443/api/v1/namespaces/qualys-container-security/pods/qualys-container-sensor-bgjsl/status'
2025-02-28 22:34:01.437 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] CURL error message:URL rejected: Port number was not a decimal number between 0 and 65535
2025-02-28 22:34:01.437 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] Web service uri: 'https://fd55:1111:2222::1:443/api/v1/namespaces/qualys-container-security/pods/qualys-container-sensor-bgjsl/status' failed, error code: 0
2025-02-28 22:34:01.438 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] CURL error code:3, Error message : URL using bad/illegal format or missing URL
2025-02-28 22:34:06.438 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] DOWNWARD API, QUALYS_POD_NAME :: qualys-container-sensor-bgjsl, QUALYS_POD_NAMESPACE :: qualys-container-security
2025-02-28 22:34:06.438 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] Web service uri: 'https://fd55:1111:2222::1:443/api/v1/namespaces/qualys-container-security/pods/qualys-container-sensor-bgjsl/status'
2025-02-28 22:34:06.438 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] CURL error message:URL rejected: Port number was not a decimal number between 0 and 65535
2025-02-28 22:34:06.438 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] Web service uri: 'https://fd55:1111:2222::1:443/api/v1/namespaces/qualys-container-security/pods/qualys-container-sensor-bgjsl/status' failed, error code: 0
2025-02-28 22:34:06.438 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] CURL error code:3, Error message : URL using bad/illegal format or missing URL
2025-02-28 22:34:06.439 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] Sensor container id not found from sensor status api response.
2025-02-28 22:34:06.439 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] Error: Cannot read sensor id from CGroups v1!
2025-02-28 22:34:06.447 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] QPACRIContainerRuntimeClient::InspectContainer container status request failed  , code : 2 , message : an error occurred when try to find container "": prefix can't be empty , details :
2025-02-28 22:34:06.447 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] QPAContainerdHandler::qscSensorInfo'qualys-container-sensor' container not found
2025-02-28 22:34:06.447 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] Invalid instance of sensor, exiting
2025-02-28 22:34:06.459 [qpa-1.36.1-0][8]:[Error]:[7f6f3371c880] Sensor service terminated with irrecoverable error : 10

These four lines in particular are concerning:

2025-02-28 22:34:01.434 [qpa-1.36.1-0][9]:[Information]:[7f58a9773300] Web service uri: 'https://fd55:1111:2222::1:443/api/v1/namespaces/qualys-container-security/pods/qualys-container-sensor-bgjsl/status'
2025-02-28 22:34:01.437 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] CURL error message:URL rejected: Port number was not a decimal number between 0 and 65535
2025-02-28 22:34:01.437 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] Web service uri: 'https://fd55:1111:2222::1:443/api/v1/namespaces/qualys-container-security/pods/qualys-container-sensor-bgjsl/status' failed, error code: 0
2025-02-28 22:34:01.438 [qpa-1.36.1-0][9]:[Error]:[7f58a9773300] CURL error code:3, Error message : URL using bad/illegal format or missing URL

Seems like the IPv6 address is being shoved into a URL raw instead of using the customary square brackets. The URL should be https://[fd55:1111:2222::1]:443/api/v1/namespaces/qualys-container-security/pods/qualys-container-sensor-bgjsl/status AIUI.
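The bracketing problem reported above, as an added Go example (not part of the original issue and not the sensor's own code): it builds the API server URL from a host and port with `net.JoinHostPort`, and flags a URL whose authority carries a bare IPv6 literal. The function names and the IPv4 sample value are assumptions made for illustration; the IPv6 host, port and path come from the log lines in the report.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// apiServerURL builds the in-cluster API server base URL from the values of
// KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT. net.JoinHostPort adds
// the square brackets that RFC 3986 requires around an IPv6 literal.
func apiServerURL(host, port string) string {
	return "https://" + net.JoinHostPort(host, port)
}

// rawIPv6Authority returns the authority part of rawURL and reports whether it
// holds an IPv6 literal without brackets. Outside brackets a valid authority
// has at most one colon (host:port), so two or more mean a bare IPv6 address.
func rawIPv6Authority(rawURL string) (string, bool) {
	_, rest, ok := strings.Cut(rawURL, "://")
	if !ok {
		return "", false
	}
	authority, _, _ := strings.Cut(rest, "/")
	if i := strings.LastIndex(authority, "@"); i >= 0 {
		authority = authority[i+1:] // drop userinfo
	}
	if strings.HasPrefix(authority, "[") {
		return authority, false
	}
	return authority, strings.Count(authority, ":") >= 2
}

// parsesAsAddress reports whether the whole authority is itself a valid IP
// address, i.e. the port can no longer be told apart from the address.
func parsesAsAddress(authority string) bool {
	_, err := netip.ParseAddr(authority)
	return err == nil
}

func main() {
	// Constructed from the host, port and path shown in the log lines above.
	logged := "https://fd55:1111:2222::1:443/api/v1/namespaces/qualys-container-security/pods"
	authority, bad := rawIPv6Authority(logged)
	fmt.Println(authority, bad, parsesAsAddress(authority))
	fmt.Println(apiServerURL("fd55:1111:2222::1", "443"))
	fmt.Println(apiServerURL("10.100.0.1", "443")) // constructed IPv4 case
}
```

Because `fd55:1111:2222::1:443` is itself a syntactically valid IPv6 address, the port cannot be recovered reliably once host and port have been concatenated; the brackets have to be added where the URL is built.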
