k3s-io / k3s-selinux

SELinux policy for k3s
Apache License 2.0

Not working on AlmaLinux... #27

Closed guyomog78 closed 2 years ago

guyomog78 commented 2 years ago

Hello,

Have you handled the AlmaLinux distribution as a CentOS 8-like OS?

Here is a fresh install on AlmaLinux:

cat /etc/redhat-release
AlmaLinux release 8.5 (Arctic Sphynx)

setenforce 1

curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--selinux --no-deploy traefik" sh -
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace

The deployment completes without error, but on checking:

kubectl get pods -A
NAMESPACE       NAME                                        READY   STATUS             RESTARTS         AGE
kube-system     local-path-provisioner-84bb864455-sg96h     1/1     Running            0                110m
kube-system     coredns-96cc4f57d-7qzjv                     1/1     Running            0                110m
kube-system     metrics-server-ff9dbcb6c-kmgdf              1/1     Running            0                110m
ingress-nginx   svclb-ingress-nginx-controller-cj9hq        0/2     CrashLoopBackOff   36 (2m33s ago)   69m
ingress-nginx   ingress-nginx-controller-6dc9476ccf-zv25z   0/1     Running            23 (59s ago)     69m

The describe output is more explicit:

 kubectl describe pod ingress-nginx-controller-6dc9476ccf-zv25z -n ingress-nginx

-------------------------------------------------------------------------------
  Warning  RELOAD  2m54s (x18 over 3m50s)  nginx-ingress-controller  Error reloading NGINX:
-------------------------------------------------------------------------------
Error: exit status 127
Error relocating /usr/local/lib/libluajit-5.1.so.2: RELRO protection failed: Permission denied
Error relocating /usr/lib/libpcre.so.1: RELRO protection failed: Permission denied
Error relocating /lib/libssl.so.1.1: RELRO protection failed: Permission denied
Error relocating /lib/libcrypto.so.1.1: RELRO protection failed: Permission denied
Error relocating /lib/libz.so.1: RELRO protection failed: Permission denied
Error relocating /usr/lib/libGeoIP.so.1: RELRO protection failed: Permission denied
Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
Error relocating /usr/lib/libgcc_s.so.1: RELRO protection failed: Permission denied
Error relocating /usr/local/nginx/sbin/nginx: RELRO protection failed: Permission denied

Check on first K3S folders

[root@xxxxx /]# ls -llZ /etc/systemd/system/k3s.*
-rw-r--r--. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 881 Feb 21 15:36 /etc/systemd/system/k3s.service
-rw-------. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0   0 Feb 21 15:36 /etc/systemd/system/k3s.service.env

Is it possible to provide an AlmaLinux-compatible version?

Thanks for your support

Blackclaws commented 2 years ago

This seems to be a rather recent development. I've had it for about two weeks as well. Seems the last round of updates for AlmaLinux broke something.

This is doubly surprising, as AlmaLinux is supposed to be binary compatible with RHEL, so anything that works there should work on AlmaLinux as well. Is this issue also happening on RHEL? I don't have an instance to check with.

guyomog78 commented 2 years ago

I have also tested on a CentOS 8.5 2111 (not Stream) and it's working well. No RHEL instance available for me either.

Blackclaws commented 2 years ago

I've made a bug on the AlmaLinux tracker. Not sure whether it's an issue on their side or this side:

https://bugs.almalinux.org/view.php?id=190

dweomer commented 2 years ago

My guess is that AlmaLinux picked up a recent change that we instigated for the container-selinux package: https://github.com/containers/container-selinux/pull/162. Such would be present 🙃 in container-selinux 2.172.1 and later. I've just cut a new stable release of k3s-selinux policy that had some refactoring that we were testing but now looks good to us. Please try the installation(s) again and let us know if you continue to see this problem.

guyomog78 commented 2 years ago

Well done!! It's working well now!

Blackclaws commented 2 years ago

Unfortunately the issue remains for me for some reason. I still have trouble running most containers without setenforce 0.
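
A triage sketch for the situation discussed in this thread, added here as an example; it is not part of the original thread and is not k3s or k3s-selinux code. It checks whether a container-selinux version is at or past the 2.172.1 mentioned above and counts the RELRO loader errors in captured `kubectl describe` output. The function names, the verdict strings and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for "RELRO protection failed: Permission denied".
# On a live host the inputs would come from:
#   rpm -q --qf '%{VERSION}' container-selinux
#   kubectl describe pod <pod> -n <namespace>

# Version named in the thread as the first container-selinux with the change.
THRESHOLD="2.172.1"

# version_ge A B: succeed when version A >= version B (sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# count_relro_failures: read text on stdin, print how many lines carry the
# loader error quoted in the issue. grep -c exits 1 on zero matches, so the
# exit status is neutralised to keep callers using `set -e` alive.
count_relro_failures() {
    grep -c 'RELRO protection failed: Permission denied' || true
}

# classify VERSION HITS: print a one-word verdict (hypothetical labels).
#   none                 no RELRO errors in the captured output
#   refresh-k3s-selinux  symptom present and container-selinux >= THRESHOLD:
#                        reinstall with the newer k3s-selinux stable release
#   other-cause          symptom present on an older container-selinux:
#                        the change named in the thread does not explain it
classify() {
    if [ "$2" -eq 0 ]; then
        echo "none"
    elif version_ge "$1" "$THRESHOLD"; then
        echo "refresh-k3s-selinux"
    else
        echo "other-cause"
    fi
}

# Constructed sample modelled on the describe output quoted in the issue.
SAMPLE='Error relocating /lib/libssl.so.1.1: RELRO protection failed: Permission denied
Error relocating /lib/libz.so.1: RELRO protection failed: Permission denied
Normal  Pulled  container image already present'

# 2.173.0 is a constructed version string, not one taken from the thread.
hits=$(printf '%s\n' "$SAMPLE" | count_relro_failures)
echo "relro_errors=$hits verdict=$(classify 2.173.0 "$hits")"
```

A `refresh-k3s-selinux` verdict only narrows the search; as the last comment shows, denials can persist after the policy update, in which case the AVC records in the audit log are the next thing to read.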