k3s-io / k3s

Lightweight Kubernetes
https://k3s.io
Apache License 2.0

Deployment of k3s worker on Centos7 fails because of SELinux #2162

Closed pgonin closed 4 years ago

pgonin commented 4 years ago

Environmental Info: K3s Version: 1.18.8

Node(s) CPU architecture, OS, and Version: Linux k3s-2 4.14.40-sunxi64 #180 SMP Mon May 14 23:27:03 CEST 2018 aarch64 aarch64 aarch64 GNU/Linux

Cluster Configuration: 1 master deployed on raspberry pi 3b / openSUSE MicroOS Linux k3s-1 5.8.0-1-default #1 SMP Tue Aug 4 07:30:59 UTC 2020 (9bc0044) aarch64 aarch64 aarch64 GNU/Linux

Deploying first worker on pine64 / CentOS7

Describe the bug: Deployment of k3s worker on Centos7 / aarch64 pine64 fails because of SELinux:

[ERROR] Failed to apply container_runtime_exec_t to /usr/local/bin/k3s

Steps To Reproduce:

# curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -
[ERROR]  Failed to apply container_runtime_exec_t to /usr/local/bin/k3s, please install:
    yum install -y container-selinux selinux-policy-base
    rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm

Additional context / logs: Requested packages are installed and deployment is still failing

# yum install -y container-selinux selinux-policy-base
[...]
Package 2:container-selinux-2.119.2-1.911c772.el7_8.noarch already installed and latest version
Package selinux-policy-targeted-3.13.1-266.el7_8.1.noarch already installed and latest version
Nothing to do
# rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm
warning: /var/tmp/rpm-tmp.CmOYJu: Header V4 RSA/SHA1 Signature, key ID e257814a: NOKEY
# rpm -ql k3s-selinux
/usr/share/selinux/devel/include/contrib/k3s.if
/usr/share/selinux/packages/k3s.pp
# rpm -qi k3s-selinux
Name        : k3s-selinux
Version     : 0.1.1
Release     : rc1.el7
Architecture: noarch
Install Date: Tue 25 Aug 2020 02:01:35 PM UTC
Group       : System Environment/Base
Size        : 83378
License     : ASL 2.0
Signature   : RSA/SHA1, Tue 17 Mar 2020 07:46:01 PM UTC, Key ID 925ea29ae257814a
Source RPM  : k3s-selinux-0.1.1-rc1.el7.src.rpm
Build Date  : Tue 17 Mar 2020 07:45:52 PM UTC
Build Host  : bf7f3e2fbe51
Relocations : (not relocatable)
URL         : http://k3s.io
Summary     : SELinux policy module for k3s
Description :
This package installs and sets up the SELinux policy security module for k3s.

brandond commented 4 years ago

cc @dweomer

dweomer commented 4 years ago

@pgonin the install script is swallowing the output from:

sudo chcon -u system_u -r object_r -t container_runtime_exec_t /usr/local/bin/k3s

Can you please try that command and provide the output here?

pgonin commented 4 years ago

here it is

[root@k3s-2 ~]# sudo chcon -u system_u -r object_r -t container_runtime_exec_t /usr/local/bin/k3s
chcon: can't apply partial context to unlabeled file ‘/usr/local/bin/k3s’

dweomer commented 4 years ago

sudo restorecon -v /usr/local/bin/k3s && ls -Z /usr/local/bin/k3s ? Also, what does getenforce return?

pgonin commented 4 years ago

[root@k3s-2 ~]# restorecon -v /usr/local/bin/k3s && ls -Z /usr/local/bin/k3s
-rwxr-xr-x root root ?                                /usr/local/bin/k3s
[root@k3s-2 ~]# getenforce
Disabled

and still

[root@k3s-2 ~]# sudo chcon -u system_u -r object_r -t container_runtime_exec_t /usr/local/bin/k3s
chcon: can't apply partial context to unlabeled file ‘/usr/local/bin/k3s’

dweomer commented 4 years ago

Ah, so, $(getenforce) = "Disabled" is something that we should be checking for in the install.sh and bypassing selinux if that is the case. It looks like we are relying on /etc/selinux/config having SELINUX=enforcing which is the likely miscue here. The workaround for you is to fix your /etc/selinux/config. Or, if you WANT SELINUX=enforcing, make sure that the /sys/fs/selinux filesystem is mounted.

I use this script commonly to easily toggle between all three SELinux "modes":

#!/usr/bin/env bash
# Usage: SELINUX=Enforcing|Permissive|Disabled ./selinux-mode.sh
# Must run as root (setenforce, mount/umount of selinuxfs).
set -eux -o pipefail

# Without the libselinux userspace tools there is nothing to toggle.
if ! type -p getenforce setenforce &>/dev/null; then
  echo SELinux is Disabled
  exit 0
fi

# Fail with a usage message instead of the bare "unbound variable" error from set -u.
: "${SELINUX:?usage: SELINUX=Enforcing|Permissive|Disabled $0}"

case "${SELINUX}" in
  Disabled)
    # Drop to permissive first, then unmount selinuxfs so libselinux-based
    # tools (getenforce, chcon, ...) report SELinux as Disabled.
    if mountpoint -q /sys/fs/selinux; then
      setenforce 0
      umount -v /sys/fs/selinux
    fi
    ;;
  Enforcing)
    # setenforce needs selinuxfs mounted; remount it if it was unmounted above.
    mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
    setenforce 1
    ;;
  Permissive)
    mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
    setenforce 0
    ;;
  *)
    echo "SELinux mode not supported: ${SELINUX}" >&2
    exit 1
    ;;
esac

echo SELinux is $(getenforce)

The thing is, centos usually has selinux enforcing enabled by default. I imagine it is disabled for rpi3 to minimize writes to an fs commonly backed by an sd-card.
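
The check dweomer describes above, as an added example that is not part of k3s or its install.sh: a small shell helper that reads the kernel's effective SELinux state (what getenforce reports, taken from the enforce node in selinuxfs) separately from the boot-time setting in /etc/selinux/config, and only tells the installer to label /usr/local/bin/k3s when the kernel actually has SELinux enabled. The function names, the path parameters and the fixture in the usage note are assumptions for illustration; both paths are parameters so the logic can be exercised against a constructed directory rather than the real host.

```sh
#!/bin/sh
# Added example, not k3s install.sh. Function names and path parameters are
# hypothetical. Decides whether an installer should attempt SELinux labelling
# from the kernel's effective state instead of from /etc/selinux/config.

# Effective mode, equivalent to what getenforce prints:
#   Disabled   - no <selinuxfs>/enforce node (selinuxfs not mounted, SELinux off in the kernel)
#   Enforcing  - the enforce node reads 1
#   Permissive - the enforce node reads 0
# $1: selinuxfs mount point, default /sys/fs/selinux.
selinux_effective_mode() {
  local fs="${1:-/sys/fs/selinux}"
  if [ ! -r "$fs/enforce" ]; then
    echo Disabled
    return 0
  fi
  case "$(cat "$fs/enforce")" in
    1) echo Enforcing ;;
    0) echo Permissive ;;
    *) echo Disabled ;;
  esac
}

# Boot-time mode from /etc/selinux/config, i.e. what the kernel will do after
# the next reboot. Relying on this alone is the miscue in the report above:
# the file can say "enforcing" on a box whose running kernel has SELinux disabled.
# $1: config path, default /etc/selinux/config. Prints lower-case, "disabled" if absent.
selinux_configured_mode() {
  local cfg="${1:-/etc/selinux/config}" mode=""
  if [ -r "$cfg" ]; then
    # Only SELINUX=<value> lines; SELINUXTYPE= and commented lines do not match.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
  fi
  echo "${mode:-disabled}" | tr '[:upper:]' '[:lower:]'
}

# Installer decision. Exit status 0 = label the binary (chcon/restorecon will
# work), 1 = skip labelling. The reason is printed for the install log.
# $1: selinuxfs mount point, $2: config path (defaults as above).
should_apply_selinux_labels() {
  local fs="${1:-/sys/fs/selinux}" cfg="${2:-/etc/selinux/config}"
  local eff cfgd
  eff=$(selinux_effective_mode "$fs")
  cfgd=$(selinux_configured_mode "$cfg")
  case "$eff" in
    Enforcing|Permissive)
      echo "label: kernel SELinux is $eff (config: SELINUX=$cfgd)"
      return 0
      ;;
    *)
      if [ "$cfgd" != disabled ]; then
        # The reporter's situation: config says enforcing, getenforce says Disabled,
        # and chcon fails because the binary carries no label at all.
        echo "skip: config says SELINUX=$cfgd but the kernel reports SELinux Disabled (selinuxfs not mounted); chcon would fail on the unlabeled binary"
      else
        echo "skip: SELinux is disabled"
      fi
      return 1
      ;;
  esac
}
```

In an installer this sits in front of the labelling step: `if should_apply_selinux_labels; then chcon -u system_u -r object_r -t container_runtime_exec_t /usr/local/bin/k3s; fi`. Against a constructed fixture with `SELINUX=enforcing` in the config and an empty selinuxfs directory (the reporter's pine64 box), the helper declines; once an enforce node reads 1 or 0, i.e. selinuxfs is mounted, it labels.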

pgonin commented 4 years ago

Indeed I disabled SELinux in /etc/selinux/config with SELINUX=disabled and k3s configuration & start is now ok

I actually used a CentOS7 image with an Armbian kernel from https://project31.github.io/pine64/, so the issue might be specific to this image. I could give a regular CentOS image on rpi a try to check whether it has the same issue.

But from my perspective, issue can be closed. Thanks a lot !

bertreyking commented 1 year ago

I disabled SELinux in /etc/selinux/config with SELINUX=disabled and k3s configuration & start is now ok