Sysdig Monitor On Premises Install Troubleshooting

Docker Connectivity Issues (Ipv4/Ipv6)

We have seen some issues with ipv4 and Ipv6 interconnectivity issues between our on premises containers and the outside world.  

IP packet forwarding is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true and Docker will go set ip_forward to 1 for you when the server starts up. If you set --ip-forward=false and your system’s kernel has it enabled, the --ip-forward=false option has no effect. To check the setting on your kernel or to turn it on manually:

sysctl net.ipv4.conf.all.forwarding net.ipv4.conf.all.forwarding = 0

sysctl net.ipv4.conf.all.forwarding=1

sysctl net.ipv4.conf.all.forwarding net.ipv4.conf.all.forwarding = 1

Please see this article from docker for more details on Docker Connectivity.  

Proxy/Firewall Issues

Proxy


Prior to install ensure your proxy settings are valid for the session and you can curl, lynx, or wget to test internet connectivity 

export http_proxy="http://user:password@proxy_server:port"

export https_proxy="https://user:password@proxy_server:port"

echo $http_proxy

You can then attempt a curl or docker hub call to ensure outside connectivity

Firewall

Prior to install, you may want to disable local firewall (iptables) to rule out local connectivity issues,
however here is some details around sysdig connectivity and backend connectivity requirements.

Sysdig Connectivity:
6443  Agent communication
443    Sysdig Monitor user interface access
8800  Administration console access

here are specifics around what is used for connectivity for our backend for on premises Solution:
https://www.replicated.com/docs/kb/supporting-your-customers/firewalls/

File Write Permissions Issues (SELINUX or APP ARMOR)

During the install,you may see issues with writing to volumes such as (/var or /opt) from either the onprem install scripts or docker.  you may want to disable SELINUX (CENTOS/RHEL) or Apparmor (UBUNTU/DEBIAN) during the course of install so that the valid directories are created.  

This can be accomplished by:

Centos (SELINUX)

From the command line, you can edit the /etc/sysconfig/selinux file. This file is a symlink to /etc/selinux/config. The configuration file is self-explanatory. Changing the value of SELINUX or SELINUXTYPEchanges the state of SELinux and the name of the policy to be used the next time the system boots.

[root@host2a ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

More info here

U
BUNTU/Debian (AppArmor)
AppArmor can be disabled, and the kernel module unloaded by entering the following:
sudo systemctl stop apparmor.service
sudo update-rc.d -f apparmor remove

To re-enable AppArmor enter:

sudo systemctl start apparmor.service
sudo update-rc.d apparmor defaults

More info here
Have more questions? Submit a request