k3s-io / k3s

Lightweight Kubernetes
https://k3s.io
Apache License 2.0

check-config fails permission denied #6278

Closed kable-wilmoth closed 1 year ago

kable-wilmoth commented 2 years ago

Environmental Info: K3s Version: v1.24.6+k3s1

Node(s) CPU architecture, OS, and Version: Linux kw-leap15-4-a 5.14.21-150400.24.21-default #1 SMP PREEMPT_DYNAMIC Wed Sep 7 06:51:18 UTC 2022 (974d0aa) x86_64 x86_64 x86_64 GNU/Linux VM running in ProxMox

Cluster Configuration: Single node

Describe the bug: k3s check-config reports permissions denied when using zgrep to detect features.

Steps To Reproduce:

Expected behavior: Should display installed OS features and 'pass'

Actual behavior: permission denied for each feature check

CONFIG_NAMESPACES: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/ec00304416df58a8da2a883b1b87ab882b199ef11c4e01b28f07d643c8067d91/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/ec00304416df58a8da2a883b1b87ab882b199ef11c4e01b28f07d643c8067d91/bin/gzip: Permission denied

Additional context / logs: I am able to reproduce this on multiple Leap 15.4 'default' installations, but on Leap 15.3 it seems to work fine. check-config.txt

kable-wilmoth commented 2 years ago

Disabling apparmor and re-starting the OS fixes the permissions issue and then most of the features are found but check-config still fails now because of apparmor.

- apparmor: enabled, but apparmor_parser missing (fail)
    (look for an "apparmor" package for your distribution)

brandond commented 2 years ago

What happens if you install the apparmor-parser package?

kable-wilmoth commented 1 year ago

I had wondered that as well (but forgot to specify it). It is already installed: 'apparmor-parser-3.0.4-150400.3.4.x86_64'. The highest available version is already installed.

dereknola commented 1 year ago

It appears that apparmor-parser is not officially released for 15.4 yet https://software.opensuse.org/package/apparmor

dereknola commented 1 year ago

Appears to pass just fine on Latest 15.4 release (all commands run as root)

smoke:/home/vagrant # uname -a
Linux smoke 5.14.21-150400.24.21-default #1 SMP PREEMPT_DYNAMIC Wed Sep 7 06:51:18 UTC 2022 (974d0aa) x86_64 x86_64 x86_64 GNU/Linux
- apparmor: enabled and tools installed
smoke:/home/vagrant # apparmor_parser -V
AppArmor parser version 3.0.4
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.

kable-wilmoth commented 1 year ago

@dereknola are you saying everything works for you?

I just refreshed and updated, re-installed k3s, still not working for me. -kable

kw-leap15-4-a:/home/kablewi # date
Thu Oct 27 16:54:07 PDT 2022
kw-leap15-4-a:/home/kablewi # uname -a
Linux kw-leap15-4-a 5.14.21-150400.24.21-default #1 SMP PREEMPT_DYNAMIC Wed Sep 7 06:51:18 UTC 2022 (974d0aa) x86_64 x86_64 x86_64 GNU/Linux
kw-leap15-4-a:/home/kablewi # apparmor_parser -V
AppArmor parser version 3.0.4
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.
kw-leap15-4-a:/home/kablewi # curl -sfL https://get.k3s.io | sh -
[INFO]  Finding release for channel stable
[INFO]  Using v1.25.3+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.25.3+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.25.3+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Skipping installation of SELinux RPM
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s
kw-leap15-4-a:/home/kablewi # # Check for Ready node, takes ~30 seconds
kw-leap15-4-a:/home/kablewi # k3s kubectl get node
NAME            STATUS   ROLES                  AGE   VERSION
kw-leap15-4-a   Ready    control-plane,master   44s   v1.25.3+k3s1
kw-leap15-4-a:/home/kablewi # k3s check-config

Verifying binaries in /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin:
- sha256sum: good
- links: good

System:
- /usr/sbin iptables v1.8.7 (legacy): ok
- swap: should be disabled
- routes: ok

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: cgroups Hybrid mounted, cpuset|memory controllers status: good
- apparmor: enabled and tools installed
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_NAMESPACES: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_NET_NS: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_PID_NS: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IPC_NS: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_UTS_NS: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CGROUPS: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CGROUP_CPUACCT: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CGROUP_DEVICE: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CGROUP_FREEZER: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CGROUP_SCHED: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CPUSETS: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_MEMCG: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_KEYS: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_VETH: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_BRIDGE: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_BRIDGE_NETFILTER: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_NF_FILTER: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_NF_TARGET_MASQUERADE: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_NETFILTER_XT_MATCH_CONNTRACK: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_NETFILTER_XT_MATCH_IPVS: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_NF_NAT: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_NF_NAT: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_POSIX_MQUEUE: missing (fail)

Optional Features:
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_USER_NS: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_SECCOMP: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CGROUP_PIDS: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_BLK_CGROUP: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_BLK_DEV_THROTTLING: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CGROUP_PERF: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CGROUP_HUGETLB: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_NET_CLS_CGROUP: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CGROUP_NET_PRIO: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_CFS_BANDWIDTH: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_FAIR_GROUP_SCHED: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_RT_GROUP_SCHED: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_NF_TARGET_REDIRECT: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_SET: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_VS: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_VS_NFCT: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_VS_PROTO_TCP: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_VS_PROTO_UDP: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_IP_VS_RR: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_EXT4_FS: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_EXT4_FS_POSIX_ACL: missing
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
CONFIG_EXT4_FS_SECURITY: missing
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
    enable these ext4 configs if you are using ext4 as backing filesystem
- Network Drivers:
  - "overlay":
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
    - CONFIG_VXLAN: missing
      Optional (for encrypted networks):
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
      - CONFIG_CRYPTO: missing
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
      - CONFIG_CRYPTO_AEAD: missing
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
      - CONFIG_CRYPTO_GCM: missing
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
      - CONFIG_CRYPTO_SEQIV: missing
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
      - CONFIG_CRYPTO_GHASH: missing
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
      - CONFIG_XFRM: missing
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
      - CONFIG_XFRM_USER: missing
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
      - CONFIG_XFRM_ALGO: missing
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
      - CONFIG_INET_ESP: missing
      - CONFIG_INET_XFRM_MODE_TRANSPORT: missing
- Storage Drivers:
  - "overlay":
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin/gzip: Permission denied
    - CONFIG_OVERLAY_FS: missing

STATUS: 24 (fail)

brandond commented 1 year ago

I am unable to reproduce it either. Something is unusual on your host. Have you or someone else taken some additional steps to harden it beyond what opensuse comes with on a normal ISO install or VM image? fapolicyd, mounting things noexec, applying some sort of STIG hardening script to it?

kable-wilmoth commented 1 year ago

No, I haven't done any extra steps or hardening, BUT it is a VM running in Proxmox. I will find some time to reproduce in another virtualization center.

If I disable apparmor and restart, then everything is fine. Will work on reproducing.

kable-wilmoth commented 1 year ago

Was able to reproduce this in another installation.

Uploaded OS ISO - openSUSE-Leap-15.4-DVD-x86_64-Build243.2-Media to VMware Cloud Director (can't determine version). Created VM and installed the OS, Server role, default settings.

leap15-4:/home/devlabs # uname -a
Linux leap15-4 5.14.21-150400.24.21-default #1 SMP PREEMPT_DYNAMIC Wed Sep 7 06:51:18 UTC 2022 (974d0aa) x86_64 x86_64 x86_64 GNU/Linux
leap15-4:/home/devlabs # apparmor_parser -V
AppArmor parser version 3.0.4

I shut down the VM and enabled "Expose hardware-assisted CPU virtualization to guest OS", thinking that might have something to do with it, but no change. Was a stretch.

And again, if I disable apparmor and restart, then check-config works.

Same virtualization system w/ openSUSE Leap 15.3 works.

I really don't have bare metal to reproduce on. Is there some other virtualization scenario to try?

kable-wilmoth commented 1 year ago

I am not able to reproduce this on Azure using openSUSE Leap 15.4. Something seems specific to my media/virtualization/something.

Going to check a few more things out and then will probably come back here and close this.

kable-wilmoth commented 1 year ago

Working on Azure

kw-test:/home/azureuser # k3s check-config

Verifying binaries in /var/lib/rancher/k3s/data/2ef87ff954adbb390309ce4dc07500f29c319f84feec1719bfb5059c8808ec6a/bin:
- sha256sum: good
- links: good

System:
- /usr/sbin iptables v1.8.7 (legacy): ok
- swap: disabled
- routes: ok

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: cgroups Hybrid mounted, cpuset|memory controllers status: good
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_POSIX_MQUEUE: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: enabled
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: missing
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_SET: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled (as module)
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled (as module)
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled (as module)
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled (as module)
      - CONFIG_XFRM_ALGO: enabled (as module)
      - CONFIG_INET_ESP: enabled (as module)
      - CONFIG_INET_XFRM_MODE_TRANSPORT: missing
- Storage Drivers:
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled (as module)

STATUS: pass
kw-test:/home/azureuser # cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.4"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.4"
PRETTY_NAME="openSUSE Leap 15.4"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.4"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Leap"
LOGO="distributor-logo-Leap"
kw-test:/home/azureuser #

kable-wilmoth commented 1 year ago

I just re-downloaded the media

c0a71062d0238ccba4874e2da1fb77847e99ae73cdb148933aeb411956bb35ec  openSUSE-Leap-15.4-NET-x86_64-Build243.2-Media.iso

Proxmox VM Install, all defaults, server profile

Ran script from k3s.io

k3s check-config fails (same failure)

So what could be different from Azure's openSUSE 15.4 and my installation/environment? I see this isn't a K3S issue but it for sure keeps me from being able to use K3S.

Any hints on what to look into w/ regards to AppArmor and the environment?

kable-wilmoth commented 1 year ago

Turns out that Azure doesn't have any AppArmor profiles. It is installed, but nothing is active.

openSUSE Leap 15.3 defaults to 53 profiles in enforce mode.

openSUSE Leap 15.4 defaults to 55 profiles in enforce mode.

These processes are now profiled as of 15.4

 zgrep
 zgrep//helper
 zgrep//sed

This is the process that is erroring out in k3s check-config.

On the machines you guys couldn't reproduce on, were there any active profiles (aa-status)?

Going to look into what the profile is restricting.
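
One way to see what a profile is restricting is to summarise the AppArmor denial records from `/var/log/audit/audit.log` or the kernel log. The following is an added example, not part of the thread or of k3s: the function names and the sample log lines (including the `HASH` path component and the `example-daemon` profile) are constructed for illustration.

```shell
#!/bin/sh
# Summarise AppArmor denials read from stdin as:
#   count <TAB> profile <TAB> operation <TAB> denied_mask <TAB> path
# Optional argument: a profile name; its child profiles (name//child)
# are included as well.
summarize_denials() {
    awk -v want="${1:-}" '
    # Strip the key and the surrounding quotes from a key="value" field.
    function val(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
    /apparmor="DENIED"/ {
        prof = op = name = mask = "?"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^profile=/)     prof = val($i)
            else if ($i ~ /^operation=/)   op   = val($i)
            else if ($i ~ /^name=/)        name = val($i)
            else if ($i ~ /^denied_mask=/) mask = val($i)
        }
        if (want != "" && prof != want && index(prof, want "//") != 1) next
        count[prof "\t" op "\t" mask "\t" name]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample records (not taken from the reporter's host).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1666914847.101:201): apparmor="DENIED" operation="exec" profile="zgrep" name="/var/lib/rancher/k3s/data/HASH/bin/gzip" pid=4101 comm="zgrep" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1666914847.140:202): apparmor="DENIED" operation="exec" profile="zgrep" name="/var/lib/rancher/k3s/data/HASH/bin/gzip" pid=4107 comm="zgrep" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1666914847.140:202): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1666914847.188:203): apparmor="DENIED" operation="exec" profile="zgrep" name="/var/lib/rancher/k3s/data/HASH/bin/gzip" pid=4113 comm="zgrep" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1666914850.002:204): apparmor="ALLOWED" operation="open" profile="zgrep" name="/proc/config.gz" pid=4120 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1666914851.317:205): apparmor="DENIED" operation="open" profile="example-daemon" name="/etc/example.conf" pid=4200 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Stand-alone run: show only what the zgrep profile denied.
sample_log | summarize_denials zgrep
```

On a real host, feed it `journalctl -k` output or the audit log instead of `sample_log`; an `exec` denial with mask `x` on a path outside the system binary directories matches the `Permission denied` that `zgrep` prints in the reports above.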

brandond commented 1 year ago

Can you confirm which apparmor related packages you have installed on your host? We do most of our testing on cloud instances or VM images since they're easy to spin up and tear down for dev/QA work. I'm not sure how often we test on bare-metal installs from ISO media.

kable-wilmoth commented 1 year ago

Understandable. Looks like the default media has these profiles installed. I will play around w/ removing zgrep.

Leap15.4

55 profiles are in enforce mode.
   /usr/bin/lessopen.sh
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   cri-containerd.apparmor.d
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   dovecot
   dovecot-anvil
   dovecot-auth
   dovecot-config
   dovecot-deliver
   dovecot-dict
   dovecot-dovecot-auth
   dovecot-dovecot-lda
   dovecot-dovecot-lda//sendmail
   dovecot-imap
   dovecot-imap-login
   dovecot-lmtp
   dovecot-log
   dovecot-managesieve
   dovecot-managesieve-login
   dovecot-pop3
   dovecot-pop3-login
   dovecot-script-login
   dovecot-ssl-params
   dovecot-stats
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   php-fpm
   ping
   samba-bgqd
   samba-dcerpcd
   samba-rpcd
   samba-rpcd-classic
   samba-rpcd-spoolss
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   winbindd
   zgrep
   zgrep//helper
   zgrep//sed

Leap15.3

53 profiles are in enforce mode.
   /usr/bin/lessopen.sh
   /usr/bin/locate
   /usr/bin/updatedb
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda//sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/lib/dovecot/stats
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   cri-containerd.apparmor.d
   dovecot
   dovecot-script-login
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   ping
   samba-bgqd
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   winbindd

brandond commented 1 year ago

That is interesting. These profile restrictions don't seem to affect k3s otherwise, I wonder why they are specifically preventing zgrep from being used. We can take a look at what it would take to make profiles available for k3s.

kable-wilmoth commented 1 year ago

I am seeing the same thing, my customized install of k3s seems fine but I can't call check-config.

I can work around it by disabling the zgrep profile: `aa-disable zgrep`

Since it is a permissions issue with zgrep calling gzip, I was also able to get around it by deleting the symlink from `k3s/data/current/bin/gzip -> busybox` and replacing it w/ a symlink to `/usr/bin/gzip`.

kable-wilmoth commented 1 year ago

Will changing the symlink for gzip to not use busybox but instead use /usr/bin/gzip cause any issues?

I noticed your check-config caught me ;>)

Verifying binaries in /var/lib/rancher/k3s/data/ec00304416df58a8da2a883b1b87ab882b199ef11c4e01b28f07d643c8067d91/bin:
- sha256sum: good
- links: gzip should link to busybox (fail)

ShylajaDevadiga commented 1 year ago

Validated on k3s version v1.27.3+k3s-be442433 using latest commit be442433538a39c0a568516fd39a06e364d5d075 from master branch

Environment Details

Infrastructure: Cloud EC2 instance

Node(s) CPU architecture, OS, and Version: NAME="openSUSE Leap" VERSION="15.4"

Cluster Configuration: Single node

Steps:

  1. Install the apparmor packages below. If already installed, re-install to get the latest updates: `apparmor-utils` `apparmor-parser` `apparmor-profiles`
  2. Enable the apparmor profile for the zgrep program
  3. Install k3s
  4. Run k3s check-config

Results from issue reproduction

```
$ sudo zypper in apparmor-utils apparmor-parser apparmor-profiles
$ sudo aa-enforce zgrep
Setting /usr/bin/zgrep to enforce mode.
Warning: profile zgrep represents multiple programs
$ curl -fL https://get.k3s.io | INSTALL_K3S_VERSION=v1.27.3+k3s1 sh -s - server
vagrant@server-0:~> k3s check-config

Verifying binaries in /var/lib/rancher/k3s/data/fac8750497b6e8dd01288d91f78fa4730acebd06ffcbfa232e5120b1fec6e476/bin:
- sha256sum: good
- aux/ip6tables: symlink to xtables-nft-multi
- aux/ip6tables-restore: symlink to xtables-nft-multi
- aux/ip6tables-save: symlink to xtables-nft-multi
- aux/iptables: symlink to xtables-nft-multi
- aux/iptables-restore: symlink to xtables-nft-multi
- aux/iptables-save: symlink to xtables-nft-multi
- links: good

System:
- /var/lib/rancher/k3s/data/fac8750497b6e8dd01288d91f78fa4730acebd06ffcbfa232e5120b1fec6e476/bin/aux iptables v1.8.8 (nf_tables): ok
- swap: disabled
- routes: ok

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: cgroups Hybrid mounted, cpuset|memory controllers status: good
- apparmor: enabled, but apparmor_parser missing (fail)
    (your best bet is "zypper install apparmor-parser")
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/fac8750497b6e8dd01288d91f78fa4730acebd06ffcbfa232e5120b1fec6e476/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/fac8750497b6e8dd01288d91f78fa4730acebd06ffcbfa232e5120b1fec6e476/bin/gzip: Permission denied
CONFIG_NAMESPACES: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/fac8750497b6e8dd01288d91f78fa4730acebd06ffcbfa232e5120b1fec6e476/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/fac8750497b6e8dd01288d91f78fa4730acebd06ffcbfa232e5120b1fec6e476/bin/gzip: Permission denied
CONFIG_NET_NS: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/fac8750497b6e8dd01288d91f78fa4730acebd06ffcbfa232e5120b1fec6e476/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/fac8750497b6e8dd01288d91f78fa4730acebd06ffcbfa232e5120b1fec6e476/bin/gzip: Permission denied
CONFIG_PID_NS: missing (fail)
...
```

Results from issue validation

```
$ sudo zypper in apparmor-utils apparmor-parser apparmor-profiles
$ sudo aa-enforce zgrep
Setting /usr/bin/zgrep to enforce mode.
Warning: profile zgrep represents multiple programs
$ curl -fL https://get.k3s.io | INSTALL_K3S_COMMIT=be442433538a39c0a568516fd39a06e364d5d075 sh -s - server
$ sudo k3s check-config

Verifying binaries in /var/lib/rancher/k3s/data/3a1ef8a99cf2400bcda7bd825a4b8e0249198fab14a5a077b0aab7ec033eebb3/bin:
- sha256sum: good
- aux/ip6tables: symlink to xtables-nft-multi
- aux/ip6tables-restore: symlink to xtables-nft-multi
- aux/ip6tables-save: symlink to xtables-nft-multi
- aux/iptables: symlink to xtables-nft-multi
- aux/iptables-restore: symlink to xtables-nft-multi
- aux/iptables-save: symlink to xtables-nft-multi
- links: good

System:
- /var/lib/rancher/k3s/data/3a1ef8a99cf2400bcda7bd825a4b8e0249198fab14a5a077b0aab7ec033eebb3/bin/aux iptables v1.8.8 (nf_tables): ok
- swap: disabled
- routes: ok

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: cgroups Hybrid mounted, cpuset|memory controllers status: good
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_MULTIPORT: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_POSIX_MQUEUE: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: enabled
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: missing
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_SET: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled (as module)
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled (as module)
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled (as module)
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled (as module)
      - CONFIG_XFRM_ALGO: enabled (as module)
      - CONFIG_INET_ESP: enabled (as module)
      - CONFIG_INET_XFRM_MODE_TRANSPORT: missing
- Storage Drivers:
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled (as module)

STATUS: pass
```
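
The failing and passing runs in this thread differ in why an option is reported `missing`: in the failing run the confined `zgrep` could not execute the bundled `gzip`, so the kernel config was never read. The following is an added example, not k3s code or anything posted by the participants; it triages `check-config` output into options that failed behind a `Permission denied` and options that are really absent. The function names are hypothetical, and the sample lines are constructed from the output quoted in this thread with `<hash>` standing in for the data directory name.

```shell
#!/bin/sh
# Constructed sample: two exec-denied failures and one truly absent option.
sample_output() {
cat <<'EOF'
- apparmor: enabled, but apparmor_parser missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/<hash>/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/<hash>/bin/gzip: Permission denied
CONFIG_NAMESPACES: missing (fail)
- /usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/<hash>/bin/gzip: Permission denied
/usr/bin/zgrep: line 271: /var/lib/rancher/k3s/data/<hash>/bin/gzip: Permission denied
CONFIG_NET_NS: missing (fail)
- CONFIG_CGROUPS: enabled
- CONFIG_RT_GROUP_SCHED: missing
EOF
}

# Read check-config output on stdin and print "<option> <cause>" for every
# option reported missing. The cause is "exec-denied" when the result directly
# follows a zgrep "Permission denied" line, otherwise "absent".
classify_missing() {
    awk '
        /zgrep: .*: Permission denied$/ { denied = 1; next }
        match($0, /CONFIG_[A-Z0-9_]+: missing/) {
            item = substr($0, RSTART, RLENGTH - length(": missing"))
            print item, (denied ? "exec-denied" : "absent")
            denied = 0
            next
        }
        { denied = 0 }   # any other line ends the run of denial messages
    '
}

# Count the results that cannot be trusted because the config was never read.
count_exec_denied() {
    classify_missing | awk '$2 == "exec-denied" { n++ } END { print n + 0 }'
}

sample_output | classify_missing
echo "unreliable results: $(sample_output | count_exec_denied)"
```

A non-zero count means the report says nothing about the kernel; check the enforced profiles with `aa-status` before acting on the `missing` lines.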