-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incompatible with container-selinux > 2.188 #36
Comments
The actual problem that I'm trying to solve, is that |
Having this problem as well. From the CIL, the offending statement is (typetransition container_runtime_t container_var_lib_t dir "snapshots" container_share_t) which comes from k3s-selinux/policy/centos8/k3s.te Line 36 in d97be9f
I tried looking through container-selinux for anything that would conflict from the previous integration of k3s rules, but didn't find anything. This is occurring in 37.20221225.3.0 as well. Here are the package versions used:
These were manually upgraded to the latest release version and made no difference. |
@brandond Having the exact same issue on OpenSUSE MicroOS latest! Our project just came to an halt. See kube-hetzner/terraform-hcloud-kube-hetzner#528 (comment) When trying with It gives those issues: Please, how do we fix this? It's kind of urgent as many daily installs are now failing. |
The EL8 policy should work with container-selinux For MicroOS, it should work with container-selinux |
@brandond Yes, we suspected that too, as it was working yesterday, and since the latest release that just dropped, the problem showed up! Will have a look at those packages' versions, and at ways to downgrade them. |
With regards to selinux and local-path-provisioner, that is maintained by another team - the same team that owns Longhorn, to be specific. I believe they have an issue in their backlog to improve its compatibility with selinux and PSA. |
@brandond Indeed the versions on MicroOS are significantly more recent. I will investigate which of these packages were updated since yesterday. |
@brandond Thanks for your tips, as always very helpful! After investigating the aforementioned packages here https://download.opensuse.org/tumbleweed/repo/oss/noarch/. We can see that it was So, downgrading with After that, applying However, I blocked future automated upgrades of But will that affect the security of the node and/or future versions of k3s? And is it really necessary to do so (lock the version)? Just so you understand the context, our nodes on Kube-Hetzner are meant to remain evergreen, by combining MicroOS's automatic upgrades, and the system-upgrade-controller for k3s. Since the policy has been built successfully already, if we leave the automatic upgrade on for that package, would it fail to run under the more recent container-selinux 2.198 ? |
The updates are listed at https://build.opensuse.org/request/show/1059620 but I don't see anything obvious that would break it, so I'll take some additional research. I believe that some of the suspicions I saw about the problem being the same as whatever's affecting Fedora CoreOS are correct. |
Ok, good to know! If you need any command outputs or logs, please don't hesitate! 🙏 |
I can reproduce the issue with the following versions:
Compiling the policy revealed the same error, and the contexts are not applied to the processes or the files:
Investigating the root cause now |
Please correct me if anything seems inaccurate or wrong, but I think I found the root cause, as @wranders mentioned, the problem was in that line:
so looking further into what changed recently in container-selinux, I found this commit which seems to be the problem: specifically the conflict line will be here:
which makes the snapshot dir writable, at first I was confused why this conflict didnt happen before in previous versions since the original line in container-selinux was:
and I found that
So I think the suggested fix will be changing the snapshots filetranspattern to match the container-selinux one. |
Good find! I think we'll need to figure out how to handle this strategically, given that we do not need and cannot land this fix for EL8 or SLE Micro users (as those don't have the updated container-selinux version), but we don't have separate yum repos for EL8/Fedora Coreos and SLE Micro/MicroOS. We may need to create additional repos and add detection support to the install script. |
@brandond Not sure how it all works, but if the updated |
Sorry what is the suggested fix? |
FYI folks, the source PR containers/container-selinux#82, where they explain their thinking. |
The fix would be appropriate to land there for MicroOS, but not for EL8. |
Just FYI @galal-hussein, I built it locally (from #37) for However, I did notice this new relabeling activity going on, which was not there before to my knowledge. Please let me know if it's ok 🙏 And the final re-building of the policy (we do it after installing k3s, just in case): |
@AkihiroSuda yes the suggested fix will label |
@mysticaltech good to know that its working, however I am not really sure about this relabeling activity, can you post the the final labels of these dirs for example:
|
@galal-hussein Here you go: |
@mysticaltech the labels looks fine as far as I can see |
@galal-hussein Perfect, thanks for confirming! Maybe this relabeling happens during the installation of the RPM because we actually install k3s after (because of the need to reboot into the new MicroOS snapshot). So the k3s directories are not there yet. And after having rebooted into the new snapshot, we install k3s without SELinux, and immediately build the policy again with |
It appears we also have the same issue on CentOS 9 Stream which (at this time) has container-selinux-2.198.0-1.el9.noarch. |
@galal-hussein Very happy to see the 1.3.testing, just so we know what to expect, is this coming to stable anytime soon? |
This is being tested currently and we'll update this issue with results as we find them! Hoping to be able to have it stable by March or April patch releases, pending results. |
Any news here? rke2-selinux has a fix in the works... |
This bug affects "normal" Fedora as well.
|
Same on Fedora 38. These are the two packages the k3s installer wants to install:
|
Same here on a fresh Fedora 38 server.
|
The updated k3s-selinux package has not yet been released to the stable channel, pending QA validation. If you'd like to try it out, please install the package from https://github.com/k3s-io/k3s-selinux/releases/tag/v1.3.testing.7 or by using |
Thanks @brandond. I just tried installing I installed anyway, it still failed building the binary policy and still didn't work after rebooting and re-running semodule on k3s.pp |
@philipsparrow Can you try the RPM from https://download.opensuse.org/repositories/home:/ojkastl_buildservice:/Branch_devel_microos/openSUSE_Tumbleweed/? This is the package for openSUSE, based on the 1.3.testing.7 tag. |
@johanneskastl that package installed without issue and I re-ran I then installed k3s and it was mostly working. Unfortunately my original issue still persists: I'm still seeing an issue with local-path-provisioner being unable to create |
@johanneskastl it's working with your RPM. Will this RPM be making its way into the stable channel? |
@philipsparrow This one should work too https://github.com/k3s-io/k3s-selinux/releases/download/v1.3.testing.7/k3s-selinux-1.3-7.sle.noarch.rpm, and yes as @brandond announced, it's on its way to stable soon, pending some QA. |
@philipsparrow regarding this comment:
Did you reboot your system after install? It's easy to miss, but this should be in the output of the install script now:
Without this reboot, most of the selinux contexts don't write appropriately. However with it, it seems to be working for me in my tests:
The conditions of the OS for this test are as follows, but the same should be true for container-selinux 2.211:
Hoping to have all validations for this completed by tonight or tomorrow (so far the results have been promising), and then we will push out the changes to |
This is wonderful news! My challenge is to ensure it works inside a Combustion first-boot script with a custom mirror. What I do is install the dependencies (e.g. |
This worked for me without reboot, as long as I installed k3s (inside Combustion/Ignition) with:
Probably worked without a reboot because after Combustion (Ignition first-boot) completes, it loads the transactional snapshot. Only errors I see are about invalid ELF headers and unlikely to be related to Thanks very much for the help. |
Hi, I had to run Some info:
|
Hi everyone! I wrote some more details on what was tested in k3s-io/k3s#7307 (comment), but the tl;dr is that this should be working and available now in the |
Feedback for RHEL8: k3s-selinux-1.3-1.el8.noarch works with container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch, but I had to delete k3s-selinux, upgrading it was not enough. |
@galal-hussein So the latest stable fixes this completely, correct? |
I'm running Fedora CoreOS 37.20221211.3.0, and I've installed both
container-selinux-2.193.0
as well ask3s-selinux-1.2-2.el8
(from https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el8.noarch.rpm). However, thek3s
module doesn't appear to be getting loaded on the system, the output ofsemodule -l
does not containk3s
. Additionally, if I try to install the module manually withsemodule -i <path>
, it fails due to a conflict:The error leads me to believe that one of rules specified in this package is conflicting with a rule in one of the existing modules.
The text was updated successfully, but these errors were encountered: