Closed ralarcon closed 6 years ago
Another workaround through selinux labels:

chcon -R -t svirt_sandbox_file_t /var/lib/docker/volumes/edgemodule
chcon -R -t svirt_sandbox_file_t /var/lib/docker/volumes/edgehub
@roicostas looks like that approach is stale and that configuration will be lost after a machine restart.
In the upcoming GA release this issue should become moot because the way Edge Hub acquires its server cert is being changed. There will be a daemon running on the host that the Edge Hub communicates with to fetch its TLS server cert.
Please reopen if this is still an issue with the GA bits (using IoT Edge Security Daemon, aka iotedged, rather than the preview-only iotedgectl). Note RHEL is not officially supported at this time, but certainly we're interested in knowing about issues with IoT Edge and SELinux...
V2 issue
OS version and architecture used: RHEL 7 / x86_64
Version used: iotedgectl 1.0.0_rc22
Docker version and container type: Docker 1.13.1 on linux (Package version: docker-1.13.1-63.git94f4240.el7.x86_64)
Description of the issue:
Edge Hub is not able to copy the certificate due to insufficient permissions. This happens because SELinux does not allow the volume to be shared among the containers.

Edge Hub Server Certificate File: /mnt/edgehub/edge-hub-server.cert.pfx
Edge Hub CA Server Certificate File: /mnt/edgehub/edge-chain-ca.cert.pem
SSL_CERTIFICATE_PATH=/mnt/edgehub
SSL_CERTIFICATE_NAME=edge-hub-server.cert.pfx
Executing: cp /mnt/edgehub/edge-chain-ca.cert.pem /usr/local/share/ca-certificates/edge-chain-ca.crt
cp: cannot stat '/mnt/edgehub/edge-chain-ca.cert.pem': Permission denied
Failed to Copy Edge Chain CA Certificate
We have a workaround for this by modifying the file lib/python2.7/site-packages/edgectl/deployment/deploymentdocker.py:

Line 134:
volume_dict[self._EDGE_HUB_VOL_NAME] = {'bind': hub_vol_path, 'mode': 'rw'}
Replace by:
volume_dict[self._EDGE_HUB_VOL_NAME] = {'bind': hub_vol_path, 'mode': 'z'}

Line 137:
volume_dict[self._EDGE_MODULE_VOL_NAME] = {'bind': module_vol_path, 'mode': 'rw'}
Replace by:
volume_dict[self._EDGE_MODULE_VOL_NAME] = {'bind': module_vol_path, 'mode': 'z'}

We are trying to use IoT Edge in a corporate environment, and modifying this file for each deployment is unmanageable.
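A check that covers both fixes discussed in this thread (the chcon relabel and the 'z' bind mode), as an added example that is not code from the issue or from iotedgectl: it parses the SELinux context of a host path as printed by `ls -Zd` / `stat -c %C`, decides whether every container may mount it, and renders a docker-py volume dict as the bind string the daemon receives. The sample contexts are constructed.

```python
"""Check whether a host directory's SELinux context lets it be shared as a
Docker bind mount between several containers (edgeHub and the modules here).
Added example, not part of the issue or of iotedgectl; the sample contexts
are constructed, in the form printed by `ls -Zd` / `stat -c %C`."""
from typing import NamedTuple

# Types that let confined container processes read and write the files.
# svirt_sandbox_file_t is the name on RHEL 7 / Docker 1.13 as in the issue;
# container_file_t is its newer alias in container-selinux.
CONTAINER_FILE_TYPES = {"svirt_sandbox_file_t", "container_file_t"}


class SELinuxContext(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # MLS/MCS level, e.g. "s0" or "s0:c12,c345"


def parse_context(ctx: str) -> SELinuxContext:
    """Split 'user:role:type:level' as printed by ls -Z or stat -c %C."""
    parts = ctx.strip().split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a 4-field SELinux context: {ctx!r}")
    return SELinuxContext(*parts)


def is_shareable_with_containers(ctx: str) -> bool:
    """True when any container may use the path as a volume: a container
    file type AND no MCS categories. A bind mount with the ':Z' (private)
    option gets a per-container category pair such as s0:c12,c345 that only
    that container may touch, so edgeHub and a module could not both read
    the certificate volume; ':z' (shared) keeps the plain s0 level."""
    c = parse_context(ctx)
    return c.type in CONTAINER_FILE_TYPES and c.level == "s0"


def bind_string(host_path: str, spec: dict) -> str:
    """Render a docker-py volume dict as the host:container:mode string the
    daemon receives; a 'z' mode is the shared-relabel request, while the
    'rw' in the original line asks for no relabel at all."""
    return f"{host_path}:{spec['bind']}:{spec.get('mode', 'rw')}"


if __name__ == "__main__":
    for label in ("system_u:object_r:container_var_lib_t:s0",       # not a container type
                  "unconfined_u:object_r:svirt_sandbox_file_t:s0",  # after chcon or ':z'
                  "system_u:object_r:svirt_sandbox_file_t:s0:c12,c345"):  # after ':Z'
        print(f"{label:55} shareable={is_shareable_with_containers(label)}")
    print(bind_string("/var/lib/docker/volumes/edgehub",
                      {"bind": "/mnt/edgehub", "mode": "z"}))
```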