minishift / minishift-addons

A repository for the community to exchange Minishift add-ons
Apache License 2.0

applying helm addon breaks ssh access to minishift vm #130

Open jeka opened 6 years ago

jeka commented 6 years ago

As the title says: docker run --rm -v /home/docker:/root:z ... this volume mount screws up the SELinux file contexts of the .ssh dir and its contents, effectively prohibiting ssh access to the vm.

before helm addon apply:

[docker@minishift .ssh]$ ls -alZ
drwx------. docker docker system_u:object_r:ssh_home_t:s0 .
drwx------. docker docker unconfined_u:object_r:user_home_dir_t:s0 ..
-rw-r--r--. docker docker system_u:object_r:ssh_home_t:s0 authorized_keys
-rw-r--r--. docker docker system_u:object_r:ssh_home_t:s0 authorized_keys2

after addon apply:

[docker@minishift .ssh]$ ls -alZ
drwx------. docker docker system_u:object_r:container_file_t:s0 .
drwx------. docker docker system_u:object_r:container_file_t:s0 ..
-rw-r--r--. docker docker system_u:object_r:container_file_t:s0 authorized_keys
-rw-r--r--. docker docker system_u:object_r:container_file_t:s0 authorized_keys2

(actually, docker's whole home dir is messed up regarding SELinux file contexts, plus the .helm dir and its content are left root-owned)

LalatenduMohanty commented 6 years ago

CC @firemanxbr can you take a look?

firemanxbr commented 6 years ago

In my tests this is not caused by minishift or another component; it is based on the docker daemon, which needs root privileges.

@jeka can you share what distribution you are using and versions of minishift and docker?

jeka commented 6 years ago

I have no clue how my distribution is relevant to the problem. Anyway, it's Fedora 28.

this is based in docker daemon that needs root privileges.

This makes no sense to me either. The problem is the way you invoke docker to install helm: -v /home/docker:/root:z effectively relabels docker's home directory. I think a better approach would be using a temp directory for this volume map and eventually copying .helm back to the docker home dir.

Versions:

$ minishift version
minishift v1.20.0+53c500a

docker version is whatever comes with the centos image (v1.12.0) used by minishift to spawn the vm

[docker@minishift ~]$ docker version
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-63.git94f4240.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      94f4240/1.13.1
 Built:           Fri May 18 15:44:33 2018
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-63.git94f4240.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      94f4240/1.13.1
 Built:           Fri May 18 15:44:33 2018
 OS/Arch:         linux/amd64
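The post-apply label check and the temp-directory workaround discussed in this thread, as an added shell example (not code from the minishift-addons project or from anyone in the thread). It assumes the docker user can sudo inside the VM, and HELM_IMAGE is a placeholder for the image and arguments the issue elides:

```shell
#!/bin/sh
# Added example (not code from the minishift-addons project), meant to be run
# inside the Minishift VM as the docker user. It assumes `ls -Z` prints a
# user:role:type:level context somewhere on each line, as in the issue output,
# and that the docker user can sudo (needed for the root-owned .helm files).

# Read `ls -alZ <dir>` output on stdin and report every entry except ".." whose
# SELinux type differs from the expected one (default ssh_home_t). Exits 1 when
# anything is mislabelled, e.g. the container_file_t left by a ":z" bind mount.
check_labels() {
    awk -v want="${1:-ssh_home_t}" '
        $NF == ".." { next }
        {
            type = ""
            for (i = 1; i <= NF; i++)       # locate the context field
                if (split($i, c, ":") >= 4 && c[2] == "object_r") type = c[3]
            if (type != "" && type != want) {
                bad++
                printf "%s: %s (expected %s)\n", $NF, type, want
            }
        }
        END { exit (bad > 0) }'
}

# Post-apply check for the .ssh dir; on failure, `restorecon -Rv ~/.ssh`
# reinstates the policy defaults so sshd can read authorized_keys again.
check_ssh_dir() {
    ls -alZ "${1:-$HOME/.ssh}" | check_labels ssh_home_t
}

# The mitigation proposed in the thread: bind-mount a throwaway directory with
# ":z" instead of $HOME, then copy .helm back so nothing else gets relabelled.
# HELM_IMAGE is a placeholder: the issue elides the image and its arguments.
helm_init_via_tmpdir() {
    tmp=$(mktemp -d) || return 1
    # plain cp -r (not -a) so the copy takes $HOME's default label, then hand
    # the files written by the container's root over to the docker user
    docker run --rm -v "$tmp:/root:z" "${HELM_IMAGE:?set HELM_IMAGE}" "$@" &&
        mkdir -p "$HOME/.helm" &&
        sudo cp -r "$tmp/.helm/." "$HOME/.helm" &&
        sudo chown -R "$(id -u):$(id -g)" "$HOME/.helm"
    status=$?
    sudo rm -rf "$tmp"
    return "$status"
}
```

check_labels also accepts the longer `ls -lZ` layout of newer coreutils, since it searches each line for the context field rather than assuming a column.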

somaritane commented 5 years ago

I'm experiencing the same issue as @jeka after helm setup; I had to revert the file contexts in docker's .ssh dir to their original state in order to restore passwordless ssh access. This issue also breaks the helm installation, as it can't continue without ssh access.

minishift version: minishift v1.28.0+48e89ed
minishift iso: centos\v1.13.0 | CentOS Linux release 7.5.1804 (Core)
docker version:

Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-75.git8633870.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      8633870/1.13.1
 Built:           Fri Sep 28 19:45:08 2018
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-75.git8633870.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      8633870/1.13.1
 Built:           Fri Sep 28 19:45:08 2018
 OS/Arch:         linux/amd64
 Experimental:    false

psimonski commented 5 years ago

The issue https://github.com/minishift/minishift-addons/issues/161 describes exactly the same thing. After executing minishift addons apply helm, the execution of a post quits (connection refused to localhost:8080) and afterwards, ssh access to the minishift vm sadly isn't possible anymore (exit code 255).

I'll try to find out more about those things @firemanxbr mentioned before.