v1.23.6-rc1+k3s1 fails to fully come up when installing via RPM with selinux enabled #5493
Summary

For some reason, the change to containerd to strip inheritable capabilities (containerd/containerd@6940524) is causing only symlinks to be created as either

WORKING /var/lib/kubelet/pods/621e6794-d0dc-4595-884a-814c1c043b89/volumes/kubernetes.io~projected/kube-api-access-md9wz/:
total 0
drwxrwxrwt. 3 root root system_u:object_r:container_file_t:s0:c709,c886 140 Apr 22 17:02 .
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0 35 Apr 22 17:02 ..
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c709,c886 100 Apr 22 17:02 ..2022_04_22_21_02_58.1077793130
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c709,c886 13 Apr 22 17:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c709,c886 32 Apr 22 17:02 ..data -> ..2022_04_22_21_02_58.1077793130
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c709,c886 16 Apr 22 17:02 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c709,c886 12 Apr 22 17:02 token -> ..data/token

WORKING /var/lib/kubelet/pods/1a4b5b86-d588-4a26-b08d-38f62aa7c03b/volumes/kubernetes.io~projected/kube-api-access-r7xcl/:
total 0
drwxrwxrwt. 3 root root system_u:object_r:container_file_t:s0:c441,c778 140 Apr 22 16:44 .
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0 35 Apr 22 16:44 ..
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c441,c778 100 Apr 22 16:44 ..2022_04_22_20_44_45.716921218
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c441,c778 13 Apr 22 16:44 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c441,c778 31 Apr 22 16:44 ..data -> ..2022_04_22_20_44_45.716921218
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c441,c778 16 Apr 22 16:44 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c441,c778 12 Apr 22 16:44 token -> ..data/token

WORKING /var/lib/kubelet/pods/7eee1ef2-f90f-464b-a5f0-6a818755dd64/volumes/kubernetes.io~projected/kube-api-access-rvrqb/:
total 0
drwxrwxrwt. 3 root root system_u:object_r:container_file_t:s0:c89,c620 140 Apr 22 17:01 .
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0 35 Apr 22 17:01 ..
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c89,c620 100 Apr 22 17:01 ..2022_04_22_21_01_13.766655981
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0 13 Apr 22 17:01 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0 31 Apr 22 17:01 ..data -> ..2022_04_22_21_01_13.766655981
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0 16 Apr 22 17:01 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0 12 Apr 22 17:01 token -> ..data/token

BROKEN /var/lib/kubelet/pods/11d7d712-43ee-4166-923a-bd39a0361fea/volumes/kubernetes.io~projected/kube-api-access-6pxb6/:
total 0
drwxrwxrwt. 3 root root system_u:object_r:container_file_t:s0:c123,c259 140 Apr 22 16:55 .
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0 35 Apr 22 16:55 ..
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c123,c259 100 Apr 22 16:55 ..2022_04_22_20_55_15.1865202030
lrwxrwxrwx. 1 root root system_u:object_r:container_runtime_tmpfs_t:s0 13 Apr 22 16:55 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root system_u:object_r:container_runtime_tmpfs_t:s0 32 Apr 22 16:55 ..data -> ..2022_04_22_20_55_15.1865202030
lrwxrwxrwx. 1 root root system_u:object_r:container_runtime_tmpfs_t:s0 16 Apr 22 16:55 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root system_u:object_r:container_runtime_tmpfs_t:s0 12 Apr 22 16:55 token -> ..data/token
For the sake of experimentation, I installed vanilla containerd:

[root@rock01 ~]# rpm -ivh https://download.docker.com/linux/centos/8/x86_64/stable/Packages/containerd.io-1.5.11-3.1.el8.x86_64.rpm
[root@rock01 ~]# rpm -qa | grep -E 'containerd|container-selinux'
containerd.io-1.5.11-3.1.el8.x86_64
container-selinux-2.173.0-1.module+el8.5.0+735+2f243138.noarch
[root@rock01 ~]# kubectl get node -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
rock01.lan.khaus Ready control-plane,master 19m v1.23.6-rc1+k3s1 10.0.1.156 <none> Rocky Linux 8.5 (Green Obsidian) 4.18.0-348.20.1.el8_5.x86_64 containerd://1.5.11
[root@rock01 ~]# kubectl get node -o yaml | grep node-arg
k3s.io/node-args: '["server","--selinux","--container-runtime-endpoint","/var/run/containerd/containerd.sock"]'
[root@rock01 ~]# cat /etc/containerd/config.toml
# Copyright 2018-2022 Docker Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#disabled_plugins = ["cri"]
#root = "/var/lib/containerd"
#state = "/run/containerd"
#subreaper = true
#oom_score = 0
#[grpc]
# address = "/run/containerd/containerd.sock"
# uid = 0
# gid = 0
#[debug]
# address = "/run/containerd/debug.sock"
# uid = 0
# gid = 0
# level = "info"
[plugins.opt]
path = "/var/lib/rancher/k3s/agent/containerd"
[plugins.cri]
stream_server_address = "127.0.0.1"
stream_server_port = "10010"
enable_selinux = true
sandbox_image = "rancher/mirrored-pause:3.6"
[plugins.cri.containerd]
snapshotter = "overlayfs"
disable_snapshot_annotations = true
[plugins.cri.cni]
bin_dir = "/var/lib/rancher/k3s/data/current/bin"
conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d"
[plugins.cri.containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins.cri.containerd.runtimes.runc.options]
SystemdCgroup = false

Everything is labeled as it was with 1.5.10:

/var/lib/kubelet/pods/a9ec72f4-5ca5-4224-bdbe-c989528e745e/volumes/kubernetes.io~projected/kube-api-access-xsf4k/:
total 0
drwxrwxrwt. 3 root root system_u:object_r:container_file_t:s0:c61,c394 140 Apr 22 18:32 .
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0 35 Apr 22 18:32 ..
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c61,c394 100 Apr 22 18:32 ..2022_04_22_22_32_03.1704908283
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c61,c394 13 Apr 22 18:32 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c61,c394 32 Apr 22 18:32 ..data -> ..2022_04_22_22_32_03.1704908283
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c61,c394 16 Apr 22 18:32 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c61,c394 12 Apr 22 18:32 token -> ..data/token
[root@rock01 ~]# ps -ZC coredns
LABEL PID TTY TIME CMD
system_u:system_r:container_t:s0:c61,c394 88334 ? 00:00:00 coredns
I confirmed that both vanilla containerd and k3s containerd are running with the correct contexts and are setting the correct contexts on the files:

[root@rock01 ~]# ps -ZC containerd
LABEL PID TTY TIME CMD
system_u:system_r:container_runtime_t:s0 5306 ? 00:00:01 containerd
[root@rock01 ~]# ls -la /proc/5306/exe
lrwxrwxrwx. 1 root root 0 Apr 22 19:09 /proc/5306/exe -> /var/lib/rancher/k3s/data/02651a664540b008a96d3eaf113024fda362eb58f9b7ea4f86bd533ea2905f30/bin/containerd

I see k3s containerd setting the correct contexts on the files:
Here is the vanilla containerd behavior; note that it stats the files before setting their selinux contexts
However the end result is the same, both processes set the correct
Root caused to opencontainers/selinux#172 - the issue was indeed with setting contexts on the symlinks vs symlink targets (
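An added diagnostic, not code from this issue or from k3s/containerd: it parses `ls -laZ` output like the listings above and reports every symlink whose own SELinux label (what `lstat`/`lgetxattr` returns) differs from the label of the entry it resolves to, which is exactly the symlink-vs-target labeling mismatch named in the root cause. The two embedded listings are copied from this issue; the reporter's `tmpfs_t` listing marked WORKING would also be reported, so a hit means "labels are inconsistent, go look", not "access is denied".

```python
import re

# One `ls -laZ` line: mode links user group context size month day time name [-> target]
ENTRY = re.compile(
    r"^(?P<mode>[-dl][rwxstT-]{9}[.+]?)\s+\d+\s+\S+\s+\S+\s+(?P<ctx>\S+)\s+\d+"
    r"\s+\S+\s+\d+\s+\S+\s+(?P<name>\S+)(?: -> (?P<target>\S+))?$"
)

# Listings copied from the issue (only the entries the check needs).
WORKING_LISTING = """\
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c441,c778 100 Apr 22 16:44 ..2022_04_22_20_44_45.716921218
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c441,c778 13 Apr 22 16:44 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c441,c778 31 Apr 22 16:44 ..data -> ..2022_04_22_20_44_45.716921218
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c441,c778 16 Apr 22 16:44 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0:c441,c778 12 Apr 22 16:44 token -> ..data/token
"""
BROKEN_LISTING = """\
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c123,c259 100 Apr 22 16:55 ..2022_04_22_20_55_15.1865202030
lrwxrwxrwx. 1 root root system_u:object_r:container_runtime_tmpfs_t:s0 13 Apr 22 16:55 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root system_u:object_r:container_runtime_tmpfs_t:s0 32 Apr 22 16:55 ..data -> ..2022_04_22_20_55_15.1865202030
lrwxrwxrwx. 1 root root system_u:object_r:container_runtime_tmpfs_t:s0 16 Apr 22 16:55 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root system_u:object_r:container_runtime_tmpfs_t:s0 12 Apr 22 16:55 token -> ..data/token
"""

def parse_listing(text):
    """Map entry name -> (is_symlink, selinux_context, link_target_or_None)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m["name"]] = (m["mode"].startswith("l"), m["ctx"], m["target"])
    return entries

def resolve(entries, name, depth=0):
    """Follow a symlink chain inside the listing (first path component only)."""
    is_link, _, target = entries[name]
    if not is_link or depth > 8:          # regular file/dir reached, or a loop
        return name
    head = target.split("/", 1)[0]        # "..data/ca.crt" -> "..data"
    return resolve(entries, head, depth + 1) if head in entries else name

def mislabeled_links(text):
    """(name, link_context, target_context) for each symlink labeled unlike its target."""
    entries = parse_listing(text)
    bad = []
    for name, (is_link, ctx, _) in entries.items():
        if is_link:
            target_ctx = entries[resolve(entries, name)][1]
            if ctx != target_ctx:
                bad.append((name, ctx, target_ctx))
    return sorted(bad)
```

Feed it the output of `ls -laZ` on a pod's `kubernetes.io~projected/kube-api-access-*/` directory to get the same comparison on a live node.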
Validated using v1.23.6-rc3+k3s1
Same steps and failure as mentioned in rancher/rke2#2808.
The only difference is that with k3s the failure only presents itself when specifically including the
selinux: true
config flag. Note that the same posted workaround works: