Open tsde opened 2 years ago
Did you find a solution to this? I think rke is installing this package automatically on rpm distros, but flatcar is not one of those. How is this done on other non-rpm distros?
Should this be lifted to https://github.com/rancher/rke2-selinux, and a request for adding flatcar? Anyone know how this works together?
@xeor I didn't find a solution yet. I naively tried to register the SE module extracted from the rpm directly in a flatcar instance and, obviously, it failed as /usr is read-only on Flatcar.
I'm also considering opening an issue on Flatcar side and see what's their opinion about this and what would be the best approach. Maybe opening a request for a new package to be included in Flatcar, but don't know if it meets Flatcar requirements for new packages?
In the meantime, it would be interesting to have feedback from the rancher/rke team about this ^^
And yes, I imagine the same situation occurs with the rke2-linux rpm package.
This issue/PR has been automatically marked as stale because it has not had activity (commit/comment/label) for 60 days. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Any progress so far?
@bitfisher I opened an issue on Flatcar side too (see https://github.com/flatcar-linux/Flatcar/issues/598). The current workaround is to have selinux disabled for the docker service. This is of course not ideal but work seems currently on-going on Flatcar side to smooth out SELinux related stuff https://github.com/flatcar-linux/Flatcar/issues/673
We have the same issue in our production cluster, and we are stuck in v1.21.X. But I tried to disable SELinux in a test cluster by adding a systemd dropin and it works without issue.

```yaml
systemd:
  units:
    - name: "docker.service"
      enabled: true
      dropins:
        - name: "01-selinux.conf"
          contents: |
            [Service]
            Environment=DOCKER_SELINUX=--selinux-enabled=false
```

But I don't want to disable SELinux in my production clusters.
Any updates? Disabling SELinux in production clusters isn't really an option!
Is there any other option than disabling SELinux?
This repository uses an automated workflow to automatically label issues which have not had any activity (commit/comment/label) for 60 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the workflow can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the workflow will automatically close the issue in 14 days. Thank you for your contributions.
Unstale please
Any Updates?
Is there any other option than disabling SELinux?
This is still an issue, so unstale please!
A response from anyone at Rancher would be highly appreciated!
Anyone managed updating k8s to >= 1.22 without disabling SELinux?
Any guidance from Rancher regarding this issue?
Unfortunately this is still an issue, so unstale please!
A response from anyone at Rancher would be highly appreciated!
Anyone managed updating k8s to >= 1.22 without disabling SELinux?
Any guidance from Rancher regarding this issue?
The thing is that Rancher/SUSE will pull out their support matrix and say Flatcar is not supported officially .. and they don't provide so far any support for any other immutable container OS. (sic!)
That's bad news :(
I haven't seen any comment from Rancher/SUSE that Flatcar-Support will be dropped. Even in their docs it's still mentioned as supported. (weird)
So we will either have to switch to another OS or drop RKE :(
Any other options you see?
As @mikekuzak is not associated with SUSE or Rancher, this statement is not helping in any way...
Flatcar has never been officially supported, and I guess they are busy with other issues. So Flatcar will never be a priority.
Remember, this is open source, which means you could contribute a SELinux solution. Though I would do that for RKE2.
But this is also not an official statement, give them some slack, Rancher is a nice project.
Same issue with Fedora CoreOS 37 on OpenStack:

```text
Failed running cluster err:[[selinux] Host [192.168.3.104] does not recognize SELinux label [label=type:rke_container_t]. This is required for Kubernetes version [>=1.22.0-rancher0]. Please install rancher-selinux RPM package and try again]
```
Installing rancher-selinux from GitHub does not solve the issue.
The only solution for now is to use a 1.21 kubernetes-rancher version (e.g., v1.21.14-rancher1-1).
I found a similar issue #2792. It was closed because it was just stale.
Another which may help is #1966 .
+1
unstale
Same issue here while moving from unsupported RancherOS to Flatcar with recent Kubernetes versions (1.24+)
There are no mentions about specific SELinux requirements here or here.
There are no statements that Flatcar-Linux isn't supported.
There's still not any comment or advice from any of the maintainers or team members since Dec 27, 2021!
@lazyfrosch I know it's open source and I could contribute, but that's not so easy for a little team that is busy with a lot of other stuff :( I think most of rke's users have chosen it because of its ease of use, good feature set and good maintenance. And in my point of view this is totally broken now. Even worse ... users left alone and stuck ... no official comments/advice or any help so far :(
Has anyone figured out why this new SELinux requirement was introduced?
Has anyone figured out how to upgrade to k8s >= 1.22 without disabling SELinux?
Was anyone successful, switching from Flatcar-Linux to OpenSuse MicroOS?
Has anyone successfully migrated from rke to k0sctl?
It seems that #2541 is the root cause of the problem.
@superseb @cmurphy @kinarashah @StrongMonkey @nickgerace It seems to me that #2750 needs to be reverted also in release/v1.3 or maybe some opt-out for flatcar can be used in v1.4? The extra SELinux-Label is still used in rke v1.4 here and here
unstale
Unstale again please. There still isn't a way to upgrade past 1.21 on Fedora CoreOS.
disable SELinux on docker ...
Unstale again please
unstale
RKE version:
1.3.3 (using terraform RKE provider v1.3.0)

Docker version: (`docker version`, `docker info` preferred)

Operating system and kernel: (`cat /etc/os-release`, `uname -r` preferred)

Type/provider of hosts: (VirtualBox/Bare-metal/AWS/GCE/DO)
Master/Worker nodes provisioned by terraform using the RKE provider v1.3.0. Nodes are vSphere virtual machines based on the Flatcar OVA.

cluster.yml file: As I'm using the terraform provider, here's the tf `rke_cluster` declaration

Steps to Reproduce:
Try to update a kubernetes cluster from 1.21 (or possibly earlier versions) to 1.22 when using Flatcar OS 3033.2.0. I imagine that a fresh 1.22 installation would lead to the same result.

Results:
The following error occurs:

As shown in `docker info` above, SELinux is enabled on dockerd, triggering this specific step from RKE. Starting from 1.22, a dedicated custom SELinux policy must be installed on SELinux-enabled nodes. As I'm using Flatcar Linux, it's not possible to deploy this RPM as-is.

I'm quite a newbie when it comes to SELinux and I don't see how I can easily work around this, as disabling SELinux on the docker daemon is not an option for me. Is there any plan on RKE side to better integrate this with Flatcar Linux? I may be missing a simple way to circumvent this so don't hesitate to tell me ^^
Thanks
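A pre-upgrade check that predicts which of the outcomes discussed in this thread a node will hit (the `[selinux]` step needing `rke_container_t`, the `--selinux-enabled=false` dropin workaround, or SELinux off on the host). This is an added example, not RKE's or Rancher's code: RKE's real check starts a container with that label, whereas this script only reads host facts; the function names and the `seinfo`-based type listing are assumptions of this example.

```sh
#!/bin/sh
# Added pre-upgrade check for the RKE >= 1.22 SELinux requirement described in this issue.
# Not RKE's own code; classify_node and collect_and_classify are names chosen for this example.
#
# classify_node MODE SECOPTS TYPES
#   MODE    : output of `getenforce` (Enforcing | Permissive | Disabled)
#   SECOPTS : dockerd SecurityOptions, comma-joined (e.g. "name=seccomp,profile=default,name=selinux")
#   TYPES   : whitespace-separated SELinux types known to the loaded policy
# Prints one verdict: ok | needs-policy | docker-selinux-off | host-selinux-off
classify_node() {
    mode="$1"; secopts="$2"; types="$3"
    if [ "$mode" = "Disabled" ]; then
        # No policy loaded in the kernel, so dockerd cannot label containers at all.
        echo "host-selinux-off"; return 0
    fi
    case ",$secopts," in
        *,name=selinux,*) ;;                       # dockerd applies container labels
        *) echo "docker-selinux-off"; return 0 ;;  # the --selinux-enabled=false workaround
    esac
    case " $types " in
        *" rke_container_t "*) echo "ok" ;;        # rancher-selinux policy (or equivalent) loaded
        *) echo "needs-policy" ;;                  # upgrade to >= 1.22 would fail the [selinux] step
    esac
    return 0
}

# Gather the three facts from the live host. Assumes getenforce, docker and (optionally) the
# setools `seinfo` binary are on PATH; without seinfo the type list is empty, so the verdict
# degrades to needs-policy rather than silently passing.
collect_and_classify() {
    mode=$(getenforce 2>/dev/null || echo Disabled)
    secopts=$(docker info --format '{{join .SecurityOptions ","}}' 2>/dev/null || true)
    types=$(seinfo -t 2>/dev/null | awk 'NR > 1 { print $1 }' | tr '\n' ' ' || true)
    classify_node "$mode" "$secopts" "$types"
}

case "${1:-}" in --live) collect_and_classify ;; esac
```

Run it with `--live` on a node to get its verdict; `classify_node` can also be called directly with values copied from `getenforce` and `docker info` to reason about a node offline.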