Open dajester2013 opened 3 years ago
dweomer
commented
3 years ago A requirement not noted in the above issue is that I will eventually need to relocate the rke2 data dir outside of /var (due to disk partition issues). I just need to get it started first.
This will require custom policy and/or an adaptation of #11
dajester2013
commented
3 years ago We had some success in the following
The first server we tried it on was still having difficulty (likely due to artifacts of all our other failed attempts), so we just used audit2allow to correct the remaining issues there. However, it worked flawlessly on the second server. The third server we tried it on did not seem to have permissions issues, but was still having a hard time connecting to the etcd cluster. We're going to try to get a fourth server running today.
dweomer
commented
3 years ago We had some success in the following
- Install rke2/rke2-selinux and configure
- mkdir /path/to/data/dir
- semanage fcontext -a -e /var/lib/rancher/rke2 /path/to/data/dir
Is there a missing transition?
dajester2013
commented
3 years ago Is there a missing transition?
I did forget to write that we did a restorecon on the new data dir, if that's what you are asking? I do know that this RKE did not seem to attempt making those selinux changes for the custom data directory.
There seems to be a problem with SELinux on STIG'd RHEL 7.9 servers, such that prevents etcd from starting. This is what I've been dealing with: https://github.com/rancher/rke2/issues/1494
TL;DR; With selinux in enforcing mode, I cannot start rke2 with selinux=true OR profile=cis-.... With selinux in permissive mode, I can.
A requirement not noted in the above issue is that I will eventually need to relocate the rke2 data dir outside of /var (due to disk partition issues). I just need to get it started first.