Closed pgonin closed 4 years ago
cc @dweomer
@pgonin the install script is swallowing the output from:
sudo chcon -u system_u -r object_r -t container_runtime_exec_t /usr/local/bin/k3s
Can you please try that command and provide the output here?
here it is
[root@k3s-2 ~]# sudo chcon -u system_u -r object_r -t container_runtime_exec_t /usr/local/bin/k3s
chcon: can't apply partial context to unlabeled file ‘/usr/local/bin/k3s’
sudo restorecon -v /usr/local/bin/k3s && ls -Z /usr/local/bin/k3s
? also what does getenforce return?
[root@k3s-2 ~]# restorecon -v /usr/local/bin/k3s && ls -Z /usr/local/bin/k3s
-rwxr-xr-x root root ? /usr/local/bin/k3s
[root@k3s-2 ~]# getenforce
Disabled
and still
[root@k3s-2 ~]# sudo chcon -u system_u -r object_r -t container_runtime_exec_t /usr/local/bin/k3s
chcon: can't apply partial context to unlabeled file ‘/usr/local/bin/k3s’
Ah, so, $(getenforce) = "Disabled" is something that we should be checking for in the install.sh and bypassing selinux if that is the case. It looks like we are relying on /etc/selinux/config having SELINUX=enforcing which is the likely miscue here. The workaround for you is to fix your /etc/selinux/config. Or, if you WANT SELINUX=enforcing, make sure that the /sys/fs/selinux filesystem is mounted.
I use this script commonly to easily toggle between all three SELinux "modes":
#!/usr/bin/env bash
# Set SELINUX to Disabled, Enforcing or Permissive in the environment before running.
set -eux -o pipefail

# Without the SELinux userland tools there is nothing to toggle.
if ! type -p getenforce setenforce &>/dev/null; then
  echo SELinux is Disabled
  exit 0
fi

case "${SELINUX}" in
  Disabled)
    # Unmounting selinuxfs is what makes getenforce report "Disabled".
    if mountpoint -q /sys/fs/selinux; then
      setenforce 0
      umount -v /sys/fs/selinux
    fi
    ;;
  Enforcing)
    mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
    setenforce 1
    ;;
  Permissive)
    mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
    setenforce 0
    ;;
  *)
    echo "SELinux mode not supported: ${SELINUX}" >&2
    exit 1
    ;;
esac

echo SELinux is $(getenforce)
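The check proposed in the comment above, deciding from the running kernel's SELinux state rather than from /etc/selinux/config alone, as an added example (not code from the k3s install.sh or from anyone in this thread). The function names are hypothetical, and reading the enforce file under /sys/fs/selinux stands in for calling getenforce so the example also runs on hosts without the SELinux tools.

```shell
#!/bin/sh
# Added example; function names are hypothetical, fixture data is constructed.

# Mode requested in the config file (what the thread says install.sh relied on).
selinux_config_mode() {
    # $1: config path, default /etc/selinux/config
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "${1:-/etc/selinux/config}" 2>/dev/null |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# State the running kernel exposes: selinuxfs provides an "enforce" file
# (0 or 1) only when SELinux is enabled and the filesystem is mounted.
selinux_runtime_state() {
    # $1: selinuxfs mount point, default /sys/fs/selinux
    enforce_file="${1:-/sys/fs/selinux}/enforce"
    if [ ! -r "$enforce_file" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# Decide whether to attempt chcon. Prints "label: ..." or "skip: ...".
selinux_label_decision() {
    cfg="$(selinux_config_mode "$1")"
    run="$(selinux_runtime_state "$2")"
    if [ "$run" = disabled ]; then
        echo "skip: runtime=disabled config=${cfg:-unset}"
    else
        echo "label: runtime=$run config=${cfg:-unset}"
    fi
}

# Constructed fixture for the mismatch described in the thread: the config
# file asks for enforcing, but no selinuxfs is mounted.
demo() {
    d="$(mktemp -d)"
    mkdir "$d/selinuxfs"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/config"
    selinux_label_decision "$d/config" "$d/selinuxfs"
    rm -rf "$d"
}
demo
```

Called with no arguments, selinux_label_decision reads the real /etc/selinux/config and /sys/fs/selinux.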
The thing is, centos usually has selinux enforcing enabled by default. I imagine it is disabled for rpi3 to minimize writes to an fs commonly backed by an sd-card.
Indeed I disabled SELinux in /etc/selinux/config with SELINUX=disabled and k3s configuration & start is now ok
I actually used a CentOS7 image with Armbian kernel from https://project31.github.io/pine64/ So the issue might be specific to this image. I could give a try to a regular CentOS image on rpi to check if it has the same issue.
But from my perspective, issue can be closed. Thanks a lot!
I disabled SELinux in /etc/selinux/config with SELINUX=disabled and k3s configuration & start is now ok
os Kylin Linux Advanced Server release V10 (Sword) sp2
kernel 4.19.90-25.24.v2101.ky10.aarch64
k3s version
k3s version v1.26.2+k3s1 (ea094d1d)
go version go1.19.6
output
[INFO] Skipping k3s download and verify
[INFO] Skipping installation of SELinux RPM
[INFO] Creating /usr/local/bin/kubectl symlink to k3s
[INFO] Creating /usr/local/bin/crictl symlink to k3s
[INFO] Skipping /usr/local/bin/ctr symlink to k3s, already exists
[INFO] Creating killall script /usr/local/bin/k3s-killall.sh
[INFO] Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO] env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO] systemd: Creating service file /etc/systemd/system/k3s.service
[INFO] systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO] systemd: Starting k3s
Environmental Info:
K3s Version: 1.18.8
Node(s) CPU architecture, OS, and Version:
Linux k3s-2 4.14.40-sunxi64 #180 SMP Mon May 14 23:27:03 CEST 2018 aarch64 aarch64 aarch64 GNU/Linux
Cluster Configuration:
1 master deployed on raspberry pi 3b / openSUSE MicroOS
Linux k3s-1 5.8.0-1-default #1 SMP Tue Aug 4 07:30:59 UTC 2020 (9bc0044) aarch64 aarch64 aarch64 GNU/Linux
Deploying first worker on pine64 / CentOS7
Describe the bug:
Deployment of k3s worker on Centos7 / aarch64 pine64 fails because of SELinux
[ERROR] Failed to apply container_runtime_exec_t to /usr/local/bin/k3s
Steps To Reproduce:
Additional context / logs: Requested packages are installed and deployment is still failing