rancher / cluster-api-provider-rke2

RKE2 bootstrap and control-plane Cluster API providers.
https://rancher.github.io/cluster-api-provider-rke2/
Apache License 2.0

Add knob to install rke2 clusters if selinux is disabled on the system #291

Open alknopfler opened 7 months ago

alknopfler commented 7 months ago

Describe the solution you'd like: create a flag, knob or any other implementation to be able to disable the selinux lines being applied on rke2 (using ignition) if we're disabling selinux from the kernel args.

Why do you want this feature: The current implementation assumes that on ignition and slemicro selinux is enabled by default. But in some cases, for performance reasons in Telco environments (running low latency apps), selinux has to be disabled in the kernel args, while the implementation to deploy an rke2 cluster assumes it is enabled in order to modify the labels of the rke2-server.service file: https://github.com/rancher-sandbox/cluster-api-provider-rke2/blob/77622c991b9cc830a36ee516c0a175eab67c3623/bootstrap/internal/ignition/ignition.go#L35-L51

Anything else you would like to add: Attached are the journalctl logs when you've got selinux disabled in the kernel args:

Mar 19 19:42:40 flexran-demo sh[4152]: "rancher-charts" has been added to your repositories
Mar 19 19:42:41 flexran-demo rke2-install.sh[3907]: [WARN]  /usr/local is read-only or a mount point; installing to /opt/rke2
Mar 19 19:42:42 flexran-demo rke2-install.sh[3907]: [INFO]  using v1.28.3+rke2r1 as release
Mar 19 19:42:42 flexran-demo rke2-install.sh[3907]: [INFO]  downloading checksums at https://github.com/rancher/rke2/releases/download/v1.28.3+rke2r1/sha256sum-amd64.txt
Mar 19 19:42:42 flexran-demo sh[4171]: /bin/sh: /var/lib/rancher/rke2/bin/kubectl: No such file or directory
Mar 19 19:42:42 flexran-demo rke2-install.sh[3907]: [INFO]  downloading tarball at https://github.com/rancher/rke2/releases/download/v1.28.3+rke2r1/rke2.linux-amd64.tar.gz
Mar 19 19:42:42 flexran-demo rke2-install.sh[3907]: [INFO]  verifying tarball
Mar 19 19:42:43 flexran-demo rke2-install.sh[3907]: [INFO]  unpacking tarball file to /opt/rke2
Mar 19 19:42:44 flexran-demo rke2-install.sh[3907]: [INFO]  updating tarball contents to reflect install path
Mar 19 19:42:44 flexran-demo rke2-install.sh[3907]: [INFO]  moving systemd units to /etc/systemd/system
Mar 19 19:42:44 flexran-demo rke2-install.sh[3907]: [INFO]  install complete; you may want to run:  export PATH=$PATH:/opt/rke2/bin
Mar 19 19:42:44 flexran-demo systemd[1]: Reloading.
Mar 19 19:42:44 flexran-demo sh[4188]: /bin/sh: /var/lib/rancher/rke2/bin/kubectl: No such file or directory
Mar 19 19:42:46 flexran-demo sh[4217]: /bin/sh: /var/lib/rancher/rke2/bin/kubectl: No such file or directory
Mar 19 19:42:47 flexran-demo /semanage[4215]: Successful:  resrc=fcontext op=add tglob="/usr/lib/systemd/system/rke2-server.service" ftype=any tcontext=system_u:object_r:systemd_unit_file_t:
Mar 19 19:42:47 flexran-demo rke2-install.sh[4223]: setenforce: SELinux is disabled
Mar 19 19:42:47 flexran-demo systemd[1]: rke2-install.service: Main process exited, code=exited, status=1/FAILURE
Mar 19 19:42:47 flexran-demo systemd[1]: rke2-install.service: Failed with result 'exit-code'.
Mar 19 19:42:47 flexran-demo systemd[1]: Failed to start rke2-install.

Danil-Grigorev commented 7 months ago

Can’t this be achieved by specifying preRKE2Commands and postRKE2Commands via ignition config? A dedicated field for this means that underlying functionality will have to be implemented for other underlying systems, not only slemicro.

I think that these lines have to be excluded from the hard-coded configuration and passed conditionally via preRKE2Commands and postRKE2Commands. Alternatively we can think about a bootstrap extension mechanism, allowing all default commands to be modified based on some label selector matching a resource with the commands included in its spec (a ConfigMap?).
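
As an added example (not from this issue or the provider's own ignition.go): a POSIX shell guard of the kind preRKE2Commands could carry, so the SELinux relabel and enforce steps run only when SELinux is actually active, instead of failing with the `setenforce: SELinux is disabled` exit seen in the log above. The kernel cmdline and selinuxfs paths are parameters so the check can be tested offline; the exact semanage and setenforce invocations are assumed from the log, not copied from the project.

```shell
#!/bin/sh
# Added example, not project code. Decide whether the SELinux steps that
# rke2-install runs should be applied on this node at all.

# selinux_active CMDLINE_FILE SELINUXFS_DIR
# On a real node call it as: selinux_active /proc/cmdline /sys/fs/selinux
# Returns 0 when SELinux is enabled, 1 when it is disabled.
selinux_active() {
  cmdline="$1"; selinuxfs="$2"
  # selinux=0 on the kernel command line disables SELinux before userspace
  # starts; semanage/setenforce can only fail in that case.
  if [ -r "$cmdline" ] && grep -Eq '(^|[[:space:]])selinux=0([[:space:]]|$)' "$cmdline"; then
    return 1
  fi
  # Without selinuxfs mounted there is no policy to label against or enforce.
  [ -r "$selinuxfs/enforce" ] || return 1
  return 0
}

# selinux_steps CMDLINE_FILE SELINUXFS_DIR
# Prints the commands to run, one per line; prints nothing when SELinux is
# disabled so the bootstrap unit exits 0 instead of 1/FAILURE.
selinux_steps() {
  if selinux_active "$1" "$2"; then
    # Assumed reconstruction of the relabel seen in the semanage log line
    # (fcontext add, type systemd_unit_file_t) and the final setenforce.
    printf '%s\n' \
      'semanage fcontext -a -t systemd_unit_file_t /usr/lib/systemd/system/rke2-server.service' \
      'setenforce 1'
  fi
}

# Typical use on a node: selinux_steps /proc/cmdline /sys/fs/selinux | sh -e
```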

alknopfler commented 7 months ago

The reason to include it in the hardcoded block is that with pre and post it was not working fine (already tested).

Let me test it again now that we've got more context.

kkaempf commented 5 months ago

Dropping priority as there's no immediate need right now. Might revisit later.

alexander-demicev commented 2 months ago

@alknopfler Can we close this issue for now?