Closed ezamriy closed 3 years ago
I investigated the problem: even if our build scripts are producing a correct image with properly defined SELinux context it doesn't help. The problem is in Amazon's vmimport which is executed automatically by Amazon when we import an AMI using the Packer's amazon-import
post-processor. The vmimport
tool launches a VM, performs some provisioning and among other steps it generates a new /etc/sysconfig/network-scripts/ifcfg-eth0
file with invalid context. Unfortunately, I can't find a way to fix it easily because vmimport
doesn't have any settings and it is executed automatically.
The problem is even worse because when vmimport
launches a VM a new /etc/machine-id
file is generated and a resulting AMI has it hardcoded. I will create another issue for that problem.
It seems we should change the way we build our AMIs so that vmimport
is not executed for our images. I believe we can find a suitable Packer builder/workflow for that: https://www.packer.io/docs/builders/amazon
There is a problem with our AWS AMIs: the
/etc/sysconfig/network-scripts/ifcfg-eth0
file has invalid SELinux context typesystem_u:object_r:unlabeled_t:s0
instead ofsystem_u:object_r:net_conf_t:s0
.This leads to the following error if a user tried to change network settings using the
nmcli
tool:Steps to reproduce
Run the following command on an AlmaLinux OS official AMI:
Manual fix instructions
Run the following command:
References
AlmaLinux bug tracker report: almbz#102.