validateScheduledClusterScan panic seen when creating/applying changes to cluster from RKE template with CIS scan enabled · Issue #26616 · rancher/rancher · GitHub
Closed
chrisreed87 opened this issue Apr 13, 2020 · 8 comments

@chrisreed87

What kind of request is this (question/bug/enhancement/feature request):
Bug

Steps to reproduce (least amount of steps as possible):

  • Create RKE Template using openstack cloud provider:
    e.g.
  cloud_provider:
    name: openstack
    openstack_cloud_provider:
      block_storage:
        ignore-volume-az: false
        trust-device-path: false
      global:
        auth-url: 'https://<auth_url>:5000/v3'
        domain-name: <domain>
        region: <region>
        tenant-id: <tenant>
        username: <username>
      load_balancer:
        create-monitor: false
        manage-security-groups: false
        monitor-delay: '0'
        monitor-max-retries: 0
        monitor-timeout: '0'
        use-octavia: false
      metadata:
        request-timeout: 0
  • Attempt to create a new cluster using this template

Result:

  • UI should display a garbled error message:

[screenshot: garbled error message shown in the UI]

  • Rancher logs a goroutine panic:
2020-04-06T20:12:48.306018197Z W0406 20:12:48.305842       6 reflector.go:326] github.com/rancher/norman/controller/generic_controller.go:229: watch of *v1.Endpoints ended with: too old resource version: 66771545 (66772271)
2020-04-06T20:27:29.904602192Z 2020/04/06 20:27:29 [ERROR] Panic serving api request:
2020-04-06T20:27:29.904648081Z goroutine 1008668 [running]:
2020-04-06T20:27:29.904658150Z runtime/debug.Stack(0xc0101067f8, 0x3683900, 0x6c320a0)
2020-04-06T20:27:29.904666310Z  /usr/local/go/src/runtime/debug/stack.go:24 +0x9d
2020-04-06T20:27:29.904674385Z github.com/rancher/rancher/vendor/github.com/rancher/norman/api.(*Server).ServeHTTP.func1(0x46b1b20, 0xc009190370)
2020-04-06T20:27:29.904682246Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/server.go:175 +0x7a
2020-04-06T20:27:29.904690155Z panic(0x3683900, 0x6c320a0)
2020-04-06T20:27:29.904697499Z  /usr/local/go/src/runtime/panic.go:679 +0x1b2
2020-04-06T20:27:29.904705226Z github.com/rancher/rancher/pkg/api/customization/cluster.(*Validator).validateScheduledClusterScan(0xc000be05a0, 0xc032340b00, 0xc032340b00, 0x0)
2020-04-06T20:27:29.904713021Z  /go/src/github.com/rancher/rancher/pkg/api/customization/cluster/validator.go:67 +0x70
2020-04-06T20:27:29.904720630Z github.com/rancher/rancher/pkg/api/customization/cluster.(*Validator).Validator(0xc000be05a0, 0xc03277d8c0, 0xc039cc50e0, 0xc040ebe9c0, 0x0, 0xc040ebe9c0)
2020-04-06T20:27:29.904728402Z  /go/src/github.com/rancher/rancher/pkg/api/customization/cluster/validator.go:56 +0x23d
2020-04-06T20:27:29.904750455Z github.com/rancher/rancher/vendor/github.com/rancher/norman/parse/builder.(*Builder).Construct(0xc040ebe7b0, 0xc039cc50e0, 0xc0425be9c0, 0x3e6af47, 0x6, 0x3e66cdc, 0x3e66cdc, 0x3)
2020-04-06T20:27:29.904758334Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/parse/builder/builder.go:58 +0xe2
2020-04-06T20:27:29.904765064Z github.com/rancher/rancher/vendor/github.com/rancher/norman/api/handler.ParseAndValidateBody(0xc03277d8c0, 0x0, 0x0, 0xc010106c00, 0x252a828)
2020-04-06T20:27:29.904771823Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/handler/validate.go:36 +0x233
2020-04-06T20:27:29.904778450Z github.com/rancher/rancher/vendor/github.com/rancher/norman/api/handler.UpdateHandler(0xc03277d8c0, 0x3ff2130, 0x0, 0xc039cc50e0)
2020-04-06T20:27:29.904785241Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/handler/update.go:11 +0x34
2020-04-06T20:27:29.904791921Z github.com/rancher/rancher/vendor/github.com/rancher/norman/api.(*Server).handle(0xc000716580, 0x46b1b20, 0xc009190370, 0xc0394f5900, 0xc010106d08, 0x425b612a, 0xf68f6a17932937c)
2020-04-06T20:27:29.904798961Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/server.go:249 +0x2a2
2020-04-06T20:27:29.904807739Z github.com/rancher/rancher/vendor/github.com/rancher/norman/api.(*Server).ServeHTTP(0xc000716580, 0x46b1b20, 0xc009190370, 0xc0394f5900)
2020-04-06T20:27:29.904814850Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/server.go:180 +0x99
2020-04-06T20:27:29.904821517Z github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter.ContentTypeOptions.func1(0x46b1b20, 0xc009190370, 0xc0394f5900)
2020-04-06T20:27:29.904828283Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter/cache.go:47 +0x131
2020-04-06T20:27:29.904834965Z net/http.HandlerFunc.ServeHTTP(0xc005ad4fc0, 0x46b1b20, 0xc009190370, 0xc0394f5900)
2020-04-06T20:27:29.904841690Z  /usr/local/go/src/net/http/server.go:2007 +0x44
2020-04-06T20:27:29.904848231Z github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc0001bbb00, 0x46b1b20, 0xc009190370, 0xc0394f5700)
2020-04-06T20:27:29.904854891Z  /go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
2020-04-06T20:27:29.904861541Z github.com/rancher/rancher/pkg/auth/requests.authHeaderHandler.ServeHTTP(0x468d560, 0xc001c3bac0, 0x46502e0, 0xc0001bbb00, 0x468d520, 0xc001ca06c0, 0x46b1b20, 0xc009190370, 0xc0394f5700)
2020-04-06T20:27:29.904876063Z  /go/src/github.com/rancher/rancher/pkg/auth/requests/filter.go:62 +0x4eb
2020-04-06T20:27:29.904882801Z github.com/rancher/rancher/pkg/rbac.NewAccessControlHandler.func1(0x46b1b20, 0xc009190370, 0xc0394f5600, 0x464f420, 0xc001cae3f0)
2020-04-06T20:27:29.904889521Z  /go/src/github.com/rancher/rancher/pkg/rbac/user_based.go:32 +0x194
2020-04-06T20:27:29.904896093Z github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/auth.Middleware.Wrap.func1(0x46b1b20, 0xc009190370, 0xc0394f5600)
2020-04-06T20:27:29.904902841Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/auth/filter.go:36 +0x55
2020-04-06T20:27:29.904915411Z net/http.HandlerFunc.ServeHTTP(0xc001c3bc80, 0x46b1b20, 0xc009190370, 0xc0394f5600)
2020-04-06T20:27:29.904922351Z  /usr/local/go/src/net/http/server.go:2007 +0x44
2020-04-06T20:27:29.904928927Z github.com/rancher/rancher/pkg/websocket.websocketHandler.ServeHTTP(0x46572a0, 0xc001c3bc80, 0x46b1b20, 0xc009190370, 0xc0394f5600)
2020-04-06T20:27:29.904935584Z  /go/src/github.com/rancher/rancher/pkg/websocket/handler.go:35 +0xa0
2020-04-06T20:27:29.904942612Z github.com/rancher/rancher/pkg/audit.auditHandler.ServeHTTP(0x464f660, 0xc00037f8a0, 0xc000797480, 0x46c71a0, 0xc010486c80, 0xc0394f5500)
2020-04-06T20:27:29.904949395Z  /go/src/github.com/rancher/rancher/pkg/audit/filter.go:47 +0x2ed
2020-04-06T20:27:29.904956419Z github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter.ContentType.func1(0x46b5520, 0xc03edaa9f0, 0xc0394f5500)
2020-04-06T20:27:29.904970755Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter/content.go:33 +0x93
2020-04-06T20:27:29.904977738Z net/http.HandlerFunc.ServeHTTP(0xc001cde560, 0x46b5520, 0xc03edaa9f0, 0xc0394f5500)
2020-04-06T20:27:29.904984348Z  /usr/local/go/src/net/http/server.go:2007 +0x44
2020-04-06T20:27:29.904990871Z github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter.Gzip.func1(0x46c6020, 0xc00169c0e0, 0xc0394f5500)
2020-04-06T20:27:29.904997896Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter/gzip.go:60 +0x1f5
2020-04-06T20:27:29.905004547Z net/http.HandlerFunc.ServeHTTP(0xc001cde580, 0x46c6020, 0xc00169c0e0, 0xc0394f5500)
2020-04-06T20:27:29.905011197Z  /usr/local/go/src/net/http/server.go:2007 +0x44
2020-04-06T20:27:29.905017587Z github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter.ContentTypeOptions.func1(0x46c6020, 0xc00169c0e0, 0xc0394f5500)
2020-04-06T20:27:29.905024575Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter/cache.go:47 +0x131
2020-04-06T20:27:29.905031315Z net/http.HandlerFunc.ServeHTTP(0xc005ad4f20, 0x46c6020, 0xc00169c0e0, 0xc0394f5500)
2020-04-06T20:27:29.905037842Z  /usr/local/go/src/net/http/server.go:2007 +0x44
2020-04-06T20:27:29.905044247Z github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc0001bba40, 0x46c6020, 0xc00169c0e0, 0xc0394f5300)
2020-04-06T20:27:29.905050920Z  /go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
2020-04-06T20:27:29.905057806Z github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc003ba0180, 0x46c6020, 0xc00169c0e0, 0xc0394f5100)
2020-04-06T20:27:29.905064484Z  /go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
2020-04-06T20:27:29.905071029Z github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc003ba0240, 0x46c6020, 0xc00169c0e0, 0xc0394f4f00)
2020-04-06T20:27:29.905077783Z  /go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
2020-04-06T20:27:29.905090023Z github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc003ba0300, 0x46c6020, 0xc00169c0e0, 0xc0394f4c00)
2020-04-06T20:27:29.905097151Z  /go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
2020-04-06T20:27:29.905103819Z github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/dashboard.Route.func2(0x46c6020, 0xc00169c0e0, 0xc0394f4c00)
2020-04-06T20:27:29.905113770Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/dashboard/ui.go:56 +0xe5
2020-04-06T20:27:29.905120753Z net/http.HandlerFunc.ServeHTTP(0xc007eccc40, 0x46c6020, 0xc00169c0e0, 0xc0394f4c00)
2020-04-06T20:27:29.905127386Z  /usr/local/go/src/net/http/server.go:2007 +0x44
2020-04-06T20:27:29.905133811Z github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc00073de00, 0x46c6020, 0xc00169c0e0, 0xc0336c0700)
2020-04-06T20:27:29.905140466Z  /go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
2020-04-06T20:27:29.905147031Z github.com/rancher/rancher/vendor/github.com/rancher/dynamiclistener/server.wrapHandler.func1(0x46c6020, 0xc00169c0e0, 0xc0336c0700)
2020-04-06T20:27:29.905153722Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/dynamiclistener/server/server.go:187 +0x95
2020-04-06T20:27:29.905160339Z net/http.HandlerFunc.ServeHTTP(0xc009923b00, 0x46c6020, 0xc00169c0e0, 0xc0336c0700)
2020-04-06T20:27:29.905166867Z  /usr/local/go/src/net/http/server.go:2007 +0x44
2020-04-06T20:27:29.905173390Z github.com/rancher/rancher/vendor/github.com/rancher/dynamiclistener.HTTPRedirect.func1(0x46c6020, 0xc00169c0e0, 0xc0336c0700)
2020-04-06T20:27:29.905180202Z  /go/src/github.com/rancher/rancher/vendor/github.com/rancher/dynamiclistener/redirect.go:20 +0x221
2020-04-06T20:27:29.905186777Z net/http.HandlerFunc.ServeHTTP(0xc007d6ca60, 0x46c6020, 0xc00169c0e0, 0xc0336c0700)
2020-04-06T20:27:29.905200351Z  /usr/local/go/src/net/http/server.go:2007 +0x44
2020-04-06T20:27:29.905207129Z net/http.serverHandler.ServeHTTP(0xc0001d29a0, 0x46c6020, 0xc00169c0e0, 0xc0336c0700)
2020-04-06T20:27:29.905213611Z  /usr/local/go/src/net/http/server.go:2802 +0xa4
2020-04-06T20:27:29.905220008Z net/http.(*conn).serve(0xc0077a4e60, 0x46e8a60, 0xc005724e00)
2020-04-06T20:27:29.905226486Z  /usr/local/go/src/net/http/server.go:1890 +0x875
2020-04-06T20:27:29.905233011Z created by net/http.(*Server).Serve
2020-04-06T20:27:29.905239401Z  /usr/local/go/src/net/http/server.go:2927 +0x38e

Other details that may be helpful:

  • Rancher Server Operating System: RancherOS v1.5.4
  • Creating/editing a cluster with openstack_provider manually (i.e. not using an RKE Template) is fine

Environment information

  • Rancher version (rancher/rancher/rancher/server image tag or shown bottom left in the UI): v2.4.2
  • Installation option (single install/HA): HA

Cluster information

  • Cluster type (Hosted/Infrastructure Provider/Custom/Imported): Infrastructure Provider, Openstack
  • Machine type (cloud/VM/metal) and specifications (CPU/memory):
  • Kubernetes version (use kubectl version): v1.15.6
  • Docker version (use docker version): 18.09.2
@Just-Insane

Per #26845

Steps to reproduce:

  1. Create a template from Cluster (Custom - Metal)
  2. Clone revision v1 of template
  3. Modify the template to allow the user to change ETCD S3 storage answers (folder, access key, secret access key)
  4. Attempt to apply the new revision to the cluster

Current cluster template (v1) (as shown in Global > Tools > RKE Templates):

# 
# Cluster Config
# 
default_pod_security_policy_template_id: unrestricted
docker_root_dir: /var/lib/docker
enable_cluster_alerting: false
enable_cluster_monitoring: false
enable_network_policy: false
local_cluster_auth_endpoint:
  enabled: true
# 
# Rancher Config
# 
rancher_kubernetes_engine_config:
  addon_job_timeout: 30
  authentication:
    strategy: x509|webhook
  bastion_host:
    ssh_agent_auth: false
  dns:
    nodelocal:
      ip_address: ''
  ignore_docker_version: true
# 
# # Currently only nginx ingress provider is supported.
# # To disable ingress controller, set `provider: none`
# # To enable ingress on specific nodes, use the node_selector, eg:
#    provider: nginx
#    node_selector:
#      app: ingress
# 
  ingress:
    provider: nginx
  kubernetes_version: v1.17.4-rancher1-3
  monitoring:
    provider: metrics-server
    replicas: 1
# 
#   If you are using calico on AWS
# 
#    network:
#      plugin: calico
#      calico_network_provider:
#        cloud_provider: aws
# 
# # To specify flannel interface
# 
#    network:
#      plugin: flannel
#      flannel_network_provider:
#      iface: eth1
# 
# # To specify flannel interface for canal plugin
# 
#    network:
#      plugin: canal
#      canal_network_provider:
#        iface: eth1
# 
  network:
    mtu: 0
    options:
      flannel_backend_type: vxlan
    plugin: canal
  nodes:
    - address: 10.0.40.43
      hostname_override: t620-4
      node_id: 'c-7r82m:m-887bd52ecde7'
      port: '22'
      role:
        - worker
      ssh_agent_auth: false
      user: root
    - address: 10.0.40.40
      hostname_override: t620-1
      node_id: 'c-7r82m:m-923e9db9577a'
      port: '22'
      role:
        - etcd
        - controlplane
        - worker
      ssh_agent_auth: false
      user: root
    - address: 10.0.40.42
      hostname_override: t620-3
      node_id: 'c-7r82m:m-9cabfe43cf2a'
      port: '22'
      role:
        - etcd
        - controlplane
        - worker
      ssh_agent_auth: false
      user: root
    - address: 10.0.40.41
      hostname_override: t620-2
      node_id: 'c-7r82m:m-b83494e356ee'
      port: '22'
      role:
        - etcd
        - controlplane
        - worker
      ssh_agent_auth: false
      user: root
  restore:
    restore: false
# 
#    services:
#      kube-api:
#        service_cluster_ip_range: 10.43.0.0/16
#      kube-controller:
#        cluster_cidr: 10.42.0.0/16
#        service_cluster_ip_range: 10.43.0.0/16
#      kubelet:
#        cluster_domain: cluster.local
#        cluster_dns_server: 10.43.0.10
# 
  services:
    etcd:
      backup_config:
        enabled: true
        interval_hours: 6
        retention: 40
        s3_backup_config:
          access_key: <REMOVED>
          bucket_name: <REMOVED>
          endpoint: nyc3.digitaloceanspaces.com
        safe_timestamp: false
      creation: 12h
      extra_args:
        election-timeout: '5000'
        heartbeat-interval: '500'
      gid: 0
      retention: 72h
      snapshot: false
      uid: 0
    kube_api:
      always_pull_images: false
      pod_security_policy: true
      service_node_port_range: 30000-32767
    kubelet:
      fail_swap_on: false
      generate_serving_certificate: false
  ssh_agent_auth: false
  upgrade_strategy:
    drain: false
    max_unavailable_controlplane: '1'
    max_unavailable_worker: 10%
    node_drain_input:
      delete_local_data: 'false'
      force: false
      grace_period: -1
      ignore_daemon_sets: true
      timeout: 120
scheduled_cluster_scan:
  enabled: true
  scan_config:
    cis_scan_config:
      debug_master: false
      debug_worker: false
      override_benchmark_version: rke-cis-1.4
      profile: permissive
  schedule_config:
    cron_schedule: 0 0 * * *
    retention: 40
windows_prefered_cluster: false

Updated RKE Template (v2) (As shown in Global > Tools > RKE Templates):

# 
# Cluster Config
# 
default_pod_security_policy_template_id: unrestricted
docker_root_dir: /var/lib/docker
enable_cluster_alerting: false
enable_cluster_monitoring: false
enable_network_policy: false
local_cluster_auth_endpoint:
  enabled: true
# 
# Rancher Config
# 
rancher_kubernetes_engine_config:
  addon_job_timeout: 30
  authentication:
    strategy: x509|webhook
  bastion_host:
    ssh_agent_auth: false
  dns:
    nodelocal:
      ip_address: ''
  ignore_docker_version: true
# 
# # Currently only nginx ingress provider is supported.
# # To disable ingress controller, set `provider: none`
# # To enable ingress on specific nodes, use the node_selector, eg:
#    provider: nginx
#    node_selector:
#      app: ingress
# 
  ingress:
    provider: nginx
  kubernetes_version: v1.17.4-rancher1-3
  monitoring:
    provider: metrics-server
    replicas: 1
# 
#   If you are using calico on AWS
# 
#    network:
#      plugin: calico
#      calico_network_provider:
#        cloud_provider: aws
# 
# # To specify flannel interface
# 
#    network:
#      plugin: flannel
#      flannel_network_provider:
#      iface: eth1
# 
# # To specify flannel interface for canal plugin
# 
#    network:
#      plugin: canal
#      canal_network_provider:
#        iface: eth1
# 
  network:
    mtu: 0
    options:
      flannel_backend_type: vxlan
    plugin: canal
  nodes:
    - address: 10.0.40.43
      hostname_override: t620-4
      node_id: 'c-7r82m:m-887bd52ecde7'
      port: '22'
      role:
        - worker
      ssh_agent_auth: false
      user: root
    - address: 10.0.40.40
      hostname_override: t620-1
      node_id: 'c-7r82m:m-923e9db9577a'
      port: '22'
      role:
        - etcd
        - controlplane
        - worker
      ssh_agent_auth: false
      user: root
    - address: 10.0.40.42
      hostname_override: t620-3
      node_id: 'c-7r82m:m-9cabfe43cf2a'
      port: '22'
      role:
        - etcd
        - controlplane
        - worker
      ssh_agent_auth: false
      user: root
    - address: 10.0.40.41
      hostname_override: t620-2
      node_id: 'c-7r82m:m-b83494e356ee'
      port: '22'
      role:
        - etcd
        - controlplane
        - worker
      ssh_agent_auth: false
      user: root
  restore:
    restore: false
# 
#    services:
#      kube-api:
#        service_cluster_ip_range: 10.43.0.0/16
#      kube-controller:
#        cluster_cidr: 10.42.0.0/16
#        service_cluster_ip_range: 10.43.0.0/16
#      kubelet:
#        cluster_domain: cluster.local
#        cluster_dns_server: 10.43.0.10
# 
  services:
    etcd:
      backup_config:
        enabled: true
        interval_hours: 6
        retention: 40
        s3_backup_config:
          access_key: <REMOVED>
          bucket_name: <REMOVED>
          endpoint: nyc3.digitaloceanspaces.com
          folder: <REMOVED>
        safe_timestamp: false
      creation: 12h
      extra_args:
        election-timeout: '5000'
        heartbeat-interval: '500'
      gid: 0
      retention: 72h
      snapshot: false
      uid: 0
    kube_api:
      always_pull_images: false
      pod_security_policy: true
      service_node_port_range: 30000-32767
    kubelet:
      fail_swap_on: false
      generate_serving_certificate: false
  ssh_agent_auth: false
  upgrade_strategy:
    drain: false
    max_unavailable_controlplane: '1'
    max_unavailable_worker: 10%
    node_drain_input:
      delete_local_data: 'false'
      force: false
      grace_period: -1
      ignore_daemon_sets: true
      timeout: 120
scheduled_cluster_scan:
  enabled: true
  scan_config:
    cis_scan_config:
      debug_master: false
      debug_worker: false
      override_benchmark_version: rke-cis-1.4
      profile: permissive
  schedule_config:
    cron_schedule: 0 0 * * *
    retention: 40
windows_prefered_cluster: false

@superseb

Was the cluster created in v2.4.2 or in an earlier version? How was the cluster created (manual/automated), with what config? Were only the three toggles changed on revision clone?

superseb changed the title from "RKE Template using Openstack provider causes goroutine panic" to "validateScheduledClusterScan panic seen when creating/applying changes to cluster from RKE template" on Apr 29, 2020
@Just-Insane

Cluster was created within the last three days using the latest version. Created using the Custom option for hosts with automated deployment with Rancher (running the join command on each node).

I’m not sure what you mean by config, the v1 RKE template is from the original deployment.

Only those 3 toggles were changed.

@superseb

Based on current findings, this seems to happen when creating a cluster from an RKE template that has CIS scan enabled.

superseb changed the title from "validateScheduledClusterScan panic seen when creating/applying changes to cluster from RKE template" to "validateScheduledClusterScan panic seen when creating/applying changes to cluster from RKE template with CIS scan enabled" on Apr 30, 2020
@Just-Insane

Just to clarify, I created the RKE V1 template after installing the cluster, this error only occurred when trying to update the template for the cluster.

@sowmyav27

Hit the issue on 2.4.2 and 2.4.3-rc2

  • Create an RKE template with Scheduled CIS scan enabled.
  • Deploy an RKE DO cluster using the template
  • User is not able to create the cluster

[screenshot: cluster creation error in the UI, 2020-04-30]

  • Panic seen in the rancher logs:
2020/04/30 18:20:45 [ERROR] Panic serving api request: 
goroutine 2502716 [running]:
runtime/debug.Stack(0xc07ad86938, 0x3683900, 0x6c320a0)
	/usr/local/go/src/runtime/debug/stack.go:24 +0x9d
github.com/rancher/rancher/vendor/github.com/rancher/norman/api.(*Server).ServeHTTP.func1(0x46c71a0, 0xc0518eb270)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/server.go:175 +0x7a
panic(0x3683900, 0x6c320a0)
	/usr/local/go/src/runtime/panic.go:679 +0x1b2
github.com/rancher/rancher/pkg/api/customization/cluster.(*Validator).validateScheduledClusterScan(0xc000d1fae0, 0xc0434f9080, 0xc0434f9080, 0x0)
	/go/src/github.com/rancher/rancher/pkg/api/customization/cluster/validator.go:67 +0x70
github.com/rancher/rancher/pkg/api/customization/cluster.(*Validator).Validator(0xc000d1fae0, 0xc07a9fd320, 0xc08533dc20, 0xc040a982a0, 0x0, 0xc040a982a0)
	/go/src/github.com/rancher/rancher/pkg/api/customization/cluster/validator.go:56 +0x23d
github.com/rancher/rancher/vendor/github.com/rancher/norman/parse/builder.(*Builder).Construct(0xc0404f0cc0, 0xc08533dc20, 0xc03fed2270, 0x3e6a1eb, 0x6, 0x3e676be, 0x4, 0xc07a9fd401)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/parse/builder/builder.go:58 +0xe2
github.com/rancher/rancher/vendor/github.com/rancher/norman/api/handler.ParseAndValidateBody(0xc07a9fd320, 0xc07ad86d01, 0x252a5de, 0xc00111b088, 0xc07a9fd320)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/handler/validate.go:36 +0x233
github.com/rancher/rancher/vendor/github.com/rancher/norman/api/handler.CreateHandler(0xc07a9fd320, 0x3ff2110, 0xc08533dc20, 0x0)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/handler/create.go:13 +0x34
github.com/rancher/rancher/vendor/github.com/rancher/norman/api.(*Server).handle(0xc0006c5970, 0x46c71a0, 0xc0518eb270, 0xc0061de900, 0xc07ad86e38, 0x5c905857, 0x923be0288ba0e19b)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/server.go:249 +0x2a2
github.com/rancher/rancher/vendor/github.com/rancher/norman/api.(*Server).ServeHTTP(0xc0006c5970, 0x46c71a0, 0xc0518eb270, 0xc0061de900)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/norman/api/server.go:180 +0x99
github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter.ContentTypeOptions.func1(0x46c71a0, 0xc0518eb270, 0xc0061de900)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter/cache.go:47 +0x131
net/http.HandlerFunc.ServeHTTP(0xc08389c900, 0x46c71a0, 0xc0518eb270, 0xc0061de900)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc0008a80c0, 0x46c71a0, 0xc0518eb270, 0xc0061de400)
	/go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
github.com/rancher/rancher/pkg/auth/requests.authHeaderHandler.ServeHTTP(0x468d560, 0xc0003d2460, 0x46502e0, 0xc0008a80c0, 0x468d520, 0xc001032510, 0x46c71a0, 0xc0518eb270, 0xc0061de400)
	/go/src/github.com/rancher/rancher/pkg/auth/requests/filter.go:62 +0x4eb
github.com/rancher/rancher/pkg/rbac.NewAccessControlHandler.func1(0x46c71a0, 0xc0518eb270, 0xc0061de300, 0x464f420, 0xc000c7db90)
	/go/src/github.com/rancher/rancher/pkg/rbac/user_based.go:32 +0x194
github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/auth.Middleware.Wrap.func1(0x46c71a0, 0xc0518eb270, 0xc0061de300)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/auth/filter.go:36 +0x55
net/http.HandlerFunc.ServeHTTP(0xc0003d2760, 0x46c71a0, 0xc0518eb270, 0xc0061de300)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/rancher/rancher/pkg/websocket.websocketHandler.ServeHTTP(0x46572a0, 0xc0003d2760, 0x46c71a0, 0xc0518eb270, 0xc0061de300)
	/go/src/github.com/rancher/rancher/pkg/websocket/handler.go:35 +0xa0
github.com/rancher/rancher/pkg/audit.auditHandler.ServeHTTP(0x464f660, 0xc0000a16b0, 0x0, 0x46c71a0, 0xc0518eb270, 0xc0061de300)
	/go/src/github.com/rancher/rancher/pkg/audit/filter.go:31 +0x623
github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter.ContentType.func1(0x46b5520, 0xc03f80fd40, 0xc0061de300)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter/content.go:33 +0x93
net/http.HandlerFunc.ServeHTTP(0xc00032b8a0, 0x46b5520, 0xc03f80fd40, 0xc0061de300)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter.Gzip.func1(0x46c6020, 0xc085946b60, 0xc0061de300)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter/gzip.go:60 +0x1f5
net/http.HandlerFunc.ServeHTTP(0xc00032b8c0, 0x46c6020, 0xc085946b60, 0xc0061de300)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter.ContentTypeOptions.func1(0x46c6020, 0xc085946b60, 0xc0061de300)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/responsewriter/cache.go:47 +0x131
net/http.HandlerFunc.ServeHTTP(0xc08389c840, 0x46c6020, 0xc085946b60, 0xc0061de300)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc0008a8000, 0x46c6020, 0xc085946b60, 0xc0061de000)
	/go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc0008a9bc0, 0x46c6020, 0xc085946b60, 0xc007c13d00)
	/go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc0008a9c80, 0x46c6020, 0xc085946b60, 0xc007c13700)
	/go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/dashboard.Route.func2(0x46c6020, 0xc085946b60, 0xc007c13700)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/steve/pkg/dashboard/ui.go:56 +0xe5
net/http.HandlerFunc.ServeHTTP(0xc00049bb80, 0x46c6020, 0xc085946b60, 0xc007c13700)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/rancher/rancher/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc0008a8780, 0x46c6020, 0xc085946b60, 0xc007c12400)
	/go/src/github.com/rancher/rancher/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
github.com/rancher/rancher/vendor/github.com/rancher/dynamiclistener/server.wrapHandler.func1(0x46c6020, 0xc085946b60, 0xc007c12400)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/dynamiclistener/server/server.go:187 +0x95
net/http.HandlerFunc.ServeHTTP(0xc004758d80, 0x46c6020, 0xc085946b60, 0xc007c12400)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/rancher/rancher/vendor/github.com/rancher/dynamiclistener.HTTPRedirect.func1(0x46c6020, 0xc085946b60, 0xc007c12400)
	/go/src/github.com/rancher/rancher/vendor/github.com/rancher/dynamiclistener/redirect.go:20 +0x221
net/http.HandlerFunc.ServeHTTP(0xc002e00b60, 0x46c6020, 0xc085946b60, 0xc007c12400)
	/usr/local/go/src/net/http/server.go:2007 +0x44
net/http.serverHandler.ServeHTTP(0xc002e7c2a0, 0x46c6020, 0xc085946b60, 0xc007c12400)
	/usr/local/go/src/net/http/server.go:2802 +0xa4
net/http.(*conn).serve(0xc0030ebea0, 0x46e8a60, 0xc00449b000)
	/usr/local/go/src/net/http/server.go:1890 +0x875
created by net/http.(*Server).Serve
	/usr/local/go/src/net/http/server.go:2927 +0x38e

@sangeethah

[2.4] Do not validate CIS on cluster from template #26890

@sowmyav27
sowmyav27 commented May 3, 2020

On a fresh install of 2.4.3-rc5

  • Deploy a cluster using rke template with CIS schedule scan enabled.
  • Cluster is deployed successfully.
  • Schedule scan runs successfully on the cluster
  • No panic seen in the rancher logs
  • Deploy a cluster using rke template with CIS schedule scan disabled.
  • Cluster is deployed successfully.
  • No panic seen in the rancher logs

Upgrade from 2.3.2 to 2.4.3-rc5

  • Bring up 2 clusters - 1.14 and 1.15 clusters - 1 node all roles RKE do cluster in 2.3.2
  • Upgrade cluster to 2.4.3-rc5
  • Run CIS scan on a 1.14 cluster, error is seen
RunSecurityScan Error
minimum k8s version 1.15 needed for running cis scan
  • User is able to run scan on a 1.15 cluster
  • No panic seen in the rancher logs
  • User is able to enable schedule scan on a 1.15 cluster
  • Schedule scan run on the cluster as expected.
  • Enabling schedule scan for a 1.14 cluster from the UI and API gives error
{
"baseType": "error",
"code": "InvalidBodyContent",
"message": "minimum k8s version 1.15 needed for running cis scan",
"status": 422,
"type": "error"
}

Fresh install of master-head - commit id: 9b15c4b14

  • Deploy a cluster using rke template with CIS schedule scan enabled.
  • Cluster is deployed successfully.
  • Schedule scan runs successfully on the cluster
  • No panic seen in the rancher logs
  • Deploy a cluster using rke template with CIS schedule scan disabled.
  • Cluster is deployed successfully.
  • No panic seen in the rancher logs

Not able to test the upgrade use case from 2.3.2 to master - because of issue -- #26894
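The thread shows two behaviours of the same validator: a goroutine panic at `validator.go:67` when the request body lacks the scan configuration the code expects, and, after the fix, a clean 422 `InvalidBodyContent` response with the message "minimum k8s version 1.15 needed for running cis scan". The Go program below is an added example, not Rancher's code and not the change made in #26890 (whose title says the fix was to skip CIS validation for clusters created from a template). It models the `scheduled_cluster_scan` block from the quoted RKE template with assumed type and field names, puts a validator that dereferences the pointer chain without checks beside a hardened one, and returns the quoted 422 error for a cluster below 1.15. The `v1.14.9-rancher1-1` version string and the specs built in `main` are constructed sample input. The security point is the generic one: a request validator must never panic on client-supplied input, because a panic per request is both a reliability problem and a stack dump in the server log.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Types modelled on the scheduled_cluster_scan block of the RKE template quoted in
// the thread. Type and field names are assumptions for this example, not Rancher's.
type CisScanConfig struct {
	Profile string // "permissive" in the quoted template
}

type ScanConfig struct {
	CisScanConfig *CisScanConfig
}

type ScheduledClusterScan struct {
	Enabled    bool
	ScanConfig *ScanConfig
}

type ClusterSpec struct {
	KubernetesVersion    string // e.g. "v1.17.4-rancher1-3"
	ScheduledClusterScan *ScheduledClusterScan
}

// ValidationError mirrors the code/status pair of the 422 InvalidBodyContent
// response quoted in the thread.
type ValidationError struct {
	Code    string
	Status  int
	Message string
}

func (e *ValidationError) Error() string {
	return fmt.Sprintf("%s (%d): %s", e.Code, e.Status, e.Message)
}

func invalidBody(msg string) error {
	return &ValidationError{Code: "InvalidBodyContent", Status: 422, Message: msg}
}

// validateUnsafe shows the failure mode: the pointer chain is dereferenced without
// nil checks, so a body with enabled=true and no scan_config panics, and the API
// layer turns that into a 500 plus a goroutine dump in the server log.
func validateUnsafe(spec *ClusterSpec) error {
	if !spec.ScheduledClusterScan.Enabled {
		return nil
	}
	if spec.ScheduledClusterScan.ScanConfig.CisScanConfig.Profile == "" {
		return invalidBody("cis scan profile is required")
	}
	return nil
}

// parseK8sVersion extracts major/minor from strings like "v1.17.4-rancher1-3".
func parseK8sVersion(v string) (int, int, error) {
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3)
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("unparseable kubernetes version %q", v)
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil {
		return 0, 0, fmt.Errorf("unparseable kubernetes version %q", v)
	}
	return major, minor, nil
}

// validateScheduledClusterScan is the hardened form: every pointer on the path is
// checked and each defect in the body is reported as a 422 instead of a panic.
// The 1.15 minimum is the rule quoted in the thread.
func validateScheduledClusterScan(spec *ClusterSpec) error {
	if spec == nil || spec.ScheduledClusterScan == nil || !spec.ScheduledClusterScan.Enabled {
		return nil // scan absent or disabled: nothing to validate
	}
	major, minor, err := parseK8sVersion(spec.KubernetesVersion)
	if err != nil {
		return invalidBody(err.Error())
	}
	if major < 1 || (major == 1 && minor < 15) {
		return invalidBody("minimum k8s version 1.15 needed for running cis scan")
	}
	sc := spec.ScheduledClusterScan.ScanConfig
	if sc == nil || sc.CisScanConfig == nil {
		return invalidBody("scheduled cluster scan is enabled but scan_config.cis_scan_config is missing")
	}
	if sc.CisScanConfig.Profile == "" {
		return invalidBody("cis scan profile is required")
	}
	return nil
}

// panics reports whether fn panics, so the unsafe variant can be demonstrated safely.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed sample: scan enabled, scan_config omitted.
	missing := &ClusterSpec{
		KubernetesVersion:    "v1.17.4-rancher1-3",
		ScheduledClusterScan: &ScheduledClusterScan{Enabled: true},
	}
	fmt.Println("unsafe validator panics:", panics(func() { _ = validateUnsafe(missing) }))
	fmt.Println("hardened validator:", validateScheduledClusterScan(missing))

	// Constructed sample: a 1.14 cluster, which the quoted rule rejects.
	old := &ClusterSpec{
		KubernetesVersion: "v1.14.9-rancher1-1",
		ScheduledClusterScan: &ScheduledClusterScan{Enabled: true,
			ScanConfig: &ScanConfig{CisScanConfig: &CisScanConfig{Profile: "permissive"}}},
	}
	var ve *ValidationError
	if errors.As(validateScheduledClusterScan(old), &ve) {
		fmt.Printf("%d %s: %s\n", ve.Status, ve.Code, ve.Message)
	}
}
```

The hardened validator treats a missing `scan_config` as a client error (422) rather than a server fault, which is the distinction a reviewer of the stack trace above would look for: the panic came from an input that the API should have rejected, not from a server-side failure.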

6 participants