Merge pull request #2995 from nirs/guestagent-startup

AkihiroSuda · web-flow · commit 8826909289ac · 2024-12-10T17:42:07.000+09:00
Improve guestagent startup error handling and logging
diff --git a/pkg/guestagent/guestagent_linux.go b/pkg/guestagent/guestagent_linux.go
@@ -28,27 +28,30 @@ func New(newTicker func() (<-chan time.Time, func()), iptablesIdle time.Duration
 	}
 
 	auditClient, err := libaudit.NewMulticastAuditClient(nil)
-	switch {
-	// syscall.EPROTONOSUPPORT or syscall.EAFNOSUPPORT is returned when calling attempting to connect to NETLINK_AUDIT
-	// on a kernel built without auditing support.
-	// https://github.com/elastic/go-libaudit/blob/ec298e53a6841a1f7715abbc7122635622f349bd/audit.go#L112-L115
-	case errors.Is(err, syscall.EPROTONOSUPPORT), errors.Is(err, syscall.EAFNOSUPPORT):
-		return startGuestAgentRoutines(a, false)
-	case !errors.Is(err, nil):
-		return nil, err
+	if err != nil {
+		// syscall.EPROTONOSUPPORT or syscall.EAFNOSUPPORT is returned when calling attempting to connect to NETLINK_AUDIT
+		// on a kernel built without auditing support.
+		// https://github.com/elastic/go-libaudit/blob/ec298e53a6841a1f7715abbc7122635622f349bd/audit.go#L112-L115
+		if !errors.Is(err, syscall.EPROTONOSUPPORT) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+			return nil, err
+		}
+		logrus.Infof("Auditing is not available: %s", err)
+		return startGuestAgentRoutines(a, false), nil
 	}
 
-	// syscall.EPERM is returned when using audit from a non-initial namespace
-	// https://github.com/torvalds/linux/blob/633b47cb009d09dc8f4ba9cdb3a0ca138809c7c7/kernel/audit.c#L1054-L1057
 	auditStatus, err := auditClient.GetStatus()
-	switch {
-	case errors.Is(err, syscall.EPERM):
-		return startGuestAgentRoutines(a, false)
-	case !errors.Is(err, nil):
-		return nil, err
+	if err != nil {
+		// syscall.EPERM is returned when using audit from a non-initial namespace
+		// https://github.com/torvalds/linux/blob/633b47cb009d09dc8f4ba9cdb3a0ca138809c7c7/kernel/audit.c#L1054-L1057
+		if !errors.Is(err, syscall.EPERM) {
+			return nil, err
+		}
+		logrus.Infof("Auditing is not permitted: %s", err)
+		return startGuestAgentRoutines(a, false), nil
 	}
 
 	if auditStatus.Enabled == 0 {
+		logrus.Info("Enabling auditing")
 		if err = auditClient.SetEnabled(true, libaudit.WaitForReply); err != nil {
 			return nil, err
 		}
@@ -66,22 +69,23 @@ func New(newTicker func() (<-chan time.Time, func()), iptablesIdle time.Duration
 	} else {
 		a.worthCheckingIPTables = true
 	}
-	return startGuestAgentRoutines(a, true)
+	logrus.Infof("Auditing enabled (%d)", auditStatus.Enabled)
+	return startGuestAgentRoutines(a, true), nil
 }
 
 // startGuestAgentRoutines sets worthCheckingIPTables to true if auditing is not supported,
 // instead of using setWorthCheckingIPTablesRoutine to dynamically set the value.
 //
 // Auditing is not supported in a kernels and is not currently supported outside of the initial namespace, so does not work
 // from inside a container or WSL2 instance, for example.
-func startGuestAgentRoutines(a *agent, supportsAuditing bool) (*agent, error) {
+func startGuestAgentRoutines(a *agent, supportsAuditing bool) *agent {
 	if !supportsAuditing {
 		a.worthCheckingIPTables = true
 	}
 	go a.kubernetesServiceWatcher.Start()
 	go a.fixSystemTimeSkew()
 
-	return a, nil
+	return a
 }
 
 type agent struct {
@@ -103,6 +107,7 @@ type agent struct {
 // setWorthCheckingIPTablesRoutine sets worthCheckingIPTables to be false
 // when no NETFILTER_CFG audit message was received for the iptablesIdle time.
 func (a *agent) setWorthCheckingIPTablesRoutine(auditClient *libaudit.AuditClient, iptablesIdle time.Duration) {
+	logrus.Info("setWorthCheckingIPTablesRoutine(): monitoring netfilter audit events")
 	var latestTrue time.Time
 	go func() {
 		for {
@@ -323,6 +328,7 @@ func (a *agent) Info(ctx context.Context) (*api.Info, error) {
 const deltaLimit = 2 * time.Second
 
 func (a *agent) fixSystemTimeSkew() {
+	logrus.Info("fixSystemTimeSkew(): monitoring system time skew")
 	for {
 		ok, err := timesync.HasRTC()
 		if !ok {
diff --git a/pkg/guestagent/kubernetesservice/kubernetesservice.go b/pkg/guestagent/kubernetesservice/kubernetesservice.go
@@ -56,6 +56,7 @@ func (s *ServiceWatcher) getServiceInformer() cache.SharedIndexInformer {
 }
 
 func (s *ServiceWatcher) Start() {
+	logrus.Info("Monitoring kubernetes services")
 	const retryInterval = 10 * time.Second
 	const pollImmediately = false
 	_ = wait.PollUntilContextCancel(context.TODO(), retryInterval, pollImmediately, func(ctx context.Context) (done bool, err error) {

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,7 @@ func (s *ServiceWatcher) getServiceInformer() cache.SharedIndexInformer {`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`func (s *ServiceWatcher) Start() {`
	`59`	`+ logrus.Info("Monitoring kubernetes services")`
`59`	`60`	`const retryInterval = 10 * time.Second`
`60`	`61`	`const pollImmediately = false`
`61`	`62`	`_ = wait.PollUntilContextCancel(context.TODO(), retryInterval, pollImmediately, func(ctx context.Context) (done bool, err error) {`