rancher / rke2-selinux

RKE2 selinux + RPM packaging for selinux
Apache License 2.0

rke2-selinux policy fails to install on SLE Micro #46

Open rdoxenham opened 1 year ago

rdoxenham commented 1 year ago

On SLE Micro 5.4 I'm unable to install this RPM via transactional-update:

Refreshing service 'SUSE_Linux_Enterprise_Micro_5.4_x86_64'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  rke2-selinux

The following package has no support information from its vendor:
  rke2-selinux

1 new package to install.
Overall download size: 0 B. Already cached: 20.5 KiB. After the operation, additional 99.3 KiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
In cache rke2-selinux-0.14-1.slemicro.noarch.rpm                                                                                                                                                                                                                                       (1/1),  20.5 KiB

Checking for file conflicts: ........................................................................................................................................................................................................................................................................[done]
warning: /var/cache/zypper/RPMS/rke2-selinux-0.14-1.slemicro.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID e257814a: NOKEY
cp: cannot create regular file '/var/lib/rpm-state/file_contexts.pre': No such file or directory
error: %prein(rke2-selinux-0.14-1.slemicro.noarch) scriptlet failed, exit status 1
error: rke2-selinux-0.14-1.slemicro.noarch: install failed
(1/1) Installing: rke2-selinux-0.14-1.slemicro.noarch ..............................................................................................................................................................................................................................................[error]
Installation of rke2-selinux-0.14-1.slemicro.noarch failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): a
Warning: %posttrans scripts skipped while aborting:
    rke2-selinux-0.14-1.slemicro.noarch.rpm

Problem occurred during or after installation or removal of packages:
Installation has been aborted as directed.
Please see the above error message for a hint.

The contents of the sle and slemicro RPMs are the same, and I'm able to install the sle RPM just fine. Not sure what the difference is between the resulting RPMs and why the slemicro RPM is unable to install.

Kristian-ZH commented 1 year ago

/cc @galal-hussein as owner of the SLE Micro support

josephoaks commented 1 year ago

I can confirm the rke2-selinux rpm fails on SLE-Micro 5.3 as well, but the 0.14 and 0.12

Refreshing service 'SUSE_Linux_Enterprise_Micro_5.3_x86_64'.
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  rke2-selinux

The following package has no support information from its vendor:
  rke2-selinux

1 new package to install.
Overall download size: 21.0 KiB. Already cached: 0 B. After the operation, additional 119.9 KiB will be used.
Continue? [y/n/v/...? shows all options] (y):

Checking for file conflicts: [...done]
Warning: 1 package had to be excluded from file conflicts check because it is not yet download.

Note: Checking for file conflicts requires not installed packages to be downloaded in advance in
order to access their file lists. See option '--download-in-advance / --dry-run --download-only'
in the zypper manual page for details.

Retrieving: rke2-selinux-0.12-1.slemicro.noarch (Plain RPM files cache) (1/1), 21.0 KiB
(1/1) Installing: rke2-selinux-0.12-1.slemicro.noarch [..
cp: cannot create regular file '/var/lib/rpm-state/file_contexts.pre': No such file or directory
error: %prein(rke2-selinux-0.12-1.slemicro.noarch) scriptlet failed, exit status 1
error: rke2-selinux-0.12-1.slemicro.noarch: install failed
error]
Installation of rke2-selinux-0.12-1.slemicro.noarch failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.

galal-hussein commented 1 year ago

Can you post the steps you used to install the rpms, and also the contents of the zypper repos that you have? I am not seeing an issue when trying to reproduce; here are my steps:

ip-172-31-40-142:~ # cat /etc/os-release 
NAME="SLE Micro"
VERSION="5.4"
VERSION_ID="5.4"
PRETTY_NAME="SUSE Linux Enterprise Micro 5.4"
ID="sle-micro"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sle-micro:5.4"
VARIANT_ID="sle-micro"
VARIANT_VERSION="20230720"

ip-172-31-40-142:~ # curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_CHANNEL=testing INSTALL_RKE2_METHOD=rpm sh -
[WARN]  /usr/local is read-only or a mount point; installing to /opt/rke2
transactional-update 4.1.4 started
Options: --no-selfupdate -d run mkdir -p /var/lib/rpm-state
Separate /var detected.
2023-08-09 16:56:35 tukit 4.1.4 started
2023-08-09 16:56:35 Options: --discard -c1 open 
2023-08-09 16:56:35 Using snapshot 1 as base for new snapshot 2.
2023-08-09 16:56:35 No previous snapshot to sync with - skipping
ID: 2
2023-08-09 16:56:35 Transaction completed.
2023-08-09 16:56:35 tukit 4.1.4 started
2023-08-09 16:56:35 Options: --discard call 2 mkdir -p /var/lib/rpm-state 
2023-08-09 16:56:36 Executing `mkdir -p /var/lib/rpm-state`:
2023-08-09 16:56:36 Application returned with exit status 0.
2023-08-09 16:56:37 Transaction completed.
2023-08-09 16:56:37 tukit 4.1.4 started
2023-08-09 16:56:37 Options: --discard close 2 
2023-08-09 16:56:37 No changes to the root file system - discarding snapshot.
2023-08-09 16:56:37 Merging changes in /etc into the running system.
2023-08-09 16:56:38 Discarding snapshot 2.
2023-08-09 16:56:38 Transaction completed.
transactional-update finished
[INFO]  finding release for channel testing
[INFO]  using 1.27 series from channel testing
transactional-update 4.1.4 started
Options: --no-selfupdate -d run zypper --gpg-auto-import-keys install -y rke2-server-1.27.4~rc1~rke2r1
Separate /var detected.
2023-08-09 16:56:38 tukit 4.1.4 started
2023-08-09 16:56:38 Options: --discard -c1 open 
2023-08-09 16:56:38 Using snapshot 1 as base for new snapshot 2.
2023-08-09 16:56:38 No previous snapshot to sync with - skipping
ID: 2
2023-08-09 16:56:38 Transaction completed.
2023-08-09 16:56:39 tukit 4.1.4 started
2023-08-09 16:56:39 Options: --discard call 2 zypper --gpg-auto-import-keys install -y rke2-server-1.27.4~rc1~rke2r1 
2023-08-09 16:56:39 Executing `zypper --gpg-auto-import-keys install -y rke2-server-1.27.4~rc1~rke2r1`:
Building repository 'Rancher RKE2 1.27 (testing)' cache [....done]
Building repository 'Rancher RKE2 Common (testing)' cache [...done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 3 NEW packages are going to be installed:
  rke2-common rke2-selinux rke2-server

The following 3 packages have no support information from their vendor:
  rke2-common rke2-selinux rke2-server

3 new packages to install.
Overall download size: 17.9 MiB. Already cached: 0 B. After the operation, additional 83.7 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving: rke2-selinux-0.14-1.slemicro.noarch (Rancher RKE2 Common (testing)) (1/3),  20.5 KiB    
Retrieving: rke2-selinux-0.14-1.slemicro.noarch.rpm [..done]
rke2-selinux-0.14-1.slemicro.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 089fa20ed161f542: NOKEY
    V3 RSA/SHA256 Signature, key ID 089fa20ed161f542: NOKEY

warning: /var/tmp/AP_0x5x1NOF/rke2-selinux-0.14-1.slemicro.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID d161f542: NOKEY
Looking for gpg key ID D161F542 in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID D161F542 in repository Rancher RKE2 Common (testing).
  gpgkey=https://rpm-testing.rancher.io/public.key
Retrieving: public.key [.done (2.4 KiB/s)]

Automatically importing the following key:

  Repository:       Rancher RKE2 Common (testing)
  Key Fingerprint:  856A 0069 529C A63B 21AA 4E0A 089F A20E D161 F542
  Key Name:         Rancher (CI) <ci@rancher.com>
  Key Algorithm:    RSA 3072
  Key Created:      Thu Jul 23 17:56:35 2020
  Key Expires:      (does not expire)
  Subkey:           0F86B5880F368A45 2020-07-23 [does not expire]
  Rpm Name:         gpg-pubkey-d161f542-5f19cf53

    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If
    you are not sure whether the presented key is authentic, ask the repository provider or check
    their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they
    are using.
Retrieving: rke2-common-1.27.4~rc1~rke2r1-0.slemicro.x86_64 (Rancher RKE2 1.27 (testing)) (2/3),  17.9 MiB    
Retrieving: rke2-common-1.27.4~rc1~rke2r1-0.slemicro.x86_64.rpm [........done (15.9 MiB/s)]
Retrieving: rke2-server-1.27.4~rc1~rke2r1-0.slemicro.x86_64 (Rancher RKE2 1.27 (testing)) (3/3),  10.4 KiB    
Retrieving: rke2-server-1.27.4~rc1~rke2r1-0.slemicro.x86_64.rpm [..done (10.4 KiB/s)]

Checking for file conflicts: [..done]
(1/3) Installing: rke2-selinux-0.14-1.slemicro.noarch [...done]
(2/3) Installing: rke2-common-1.27.4~rc1~rke2r1-0.slemicro.x86_64 [.........................done]
(3/3) Installing: rke2-server-1.27.4~rc1~rke2r1-0.slemicro.x86_64 [..
Running in chroot, ignoring command 'daemon-reload'
done]
Executing %posttrans script 'rke2-selinux-0.14-1.slemicro.noarch.rpm' [...done]
2023-08-09 16:57:03 Application returned with exit status 0.
2023-08-09 16:57:06 Transaction completed.
2023-08-09 16:57:06 tukit 4.1.4 started
2023-08-09 16:57:06 Options: --discard close 2 
2023-08-09 16:57:06 New default snapshot is #2 (/.snapshots/2/snapshot).
2023-08-09 16:57:06 Transaction completed.

Please reboot your machine to activate the changes and avoid data loss.
New default snapshot is #2 (/.snapshots/2/snapshot).
transactional-update finished

josephoaks commented 1 year ago

I'm unsure of the original poster, but for SLE Micro 5.3 this does not work, there seems to have been a patch but not backported. A ticket was re-opened on the SUSE side about that.

galal-hussein commented 1 year ago

@josephoaks I am actually not seeing the issue on 5.3 either:

ip-172-31-12-243:~ # cat /etc/os-release 
NAME="SLE Micro"
VERSION="5.3"
VERSION_ID="5.3"
PRETTY_NAME="SUSE Linux Enterprise Micro 5.3"
ID="sle-micro"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sle-micro:5.3"
VARIANT_ID="sle-micro"
VARIANT_VERSION="20230127"

ip-172-31-12-243:~ # curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_CHANNEL=testing INSTALL_RKE2_METHOD=rpm sh -
[WARN]  /usr/local is read-only or a mount point; installing to /opt/rke2
transactional-update 4.0.1 started
Options: --no-selfupdate -d run mkdir -p /var/lib/rpm-state
Separate /var detected.
2023-08-09 19:55:01 tukit 4.0.1 started
2023-08-09 19:55:01 Options: --discard -c1 open 
2023-08-09 19:55:01 Using snapshot 1 as base for new snapshot 2.
2023-08-09 19:55:01 No previous snapshot to sync with - skipping
ID: 2
2023-08-09 19:55:03 Transaction completed.
2023-08-09 19:55:03 tukit 4.0.1 started
2023-08-09 19:55:03 Options: --discard call 2 mkdir -p /var/lib/rpm-state 
2023-08-09 19:55:07 Executing `mkdir -p /var/lib/rpm-state`:
2023-08-09 19:55:07 Application returned with exit status 0.
2023-08-09 19:55:10 Transaction completed.
2023-08-09 19:55:10 tukit 4.0.1 started
2023-08-09 19:55:10 Options: --discard close 2 
2023-08-09 19:55:10 No changes to the root file system - discarding snapshot.
2023-08-09 19:55:11 Discarding snapshot 2.
2023-08-09 19:55:11 Transaction completed.
transactional-update finished
[INFO]  finding release for channel testing
[INFO]  using 1.27 series from channel testing
transactional-update 4.0.1 started
Options: --no-selfupdate -d run zypper --gpg-auto-import-keys install -y rke2-server-1.27.4~rc1~rke2r1
Separate /var detected.
2023-08-09 19:55:11 tukit 4.0.1 started
2023-08-09 19:55:11 Options: --discard -c1 open 
2023-08-09 19:55:12 Using snapshot 1 as base for new snapshot 2.
2023-08-09 19:55:12 No previous snapshot to sync with - skipping
ID: 2
2023-08-09 19:55:12 Transaction completed.
2023-08-09 19:55:12 tukit 4.0.1 started
2023-08-09 19:55:12 Options: --discard call 2 zypper --gpg-auto-import-keys install -y rke2-server-1.27.4~rc1~rke2r1 
2023-08-09 19:55:13 Executing `zypper --gpg-auto-import-keys install -y rke2-server-1.27.4~rc1~rke2r1`:
Building repository 'Rancher RKE2 1.27 (testing)' cache [....done]
Building repository 'Rancher RKE2 Common (testing)' cache [....done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 3 NEW packages are going to be installed:
  rke2-common rke2-selinux rke2-server

The following 3 packages have no support information from their vendor:
  rke2-common rke2-selinux rke2-server

3 new packages to install.
Overall download size: 17.9 MiB. Already cached: 0 B. After the operation, additional 83.7 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package rke2-selinux-0.14-1.slemicro.noarch (1/3),  20.5 KiB ( 99.3 KiB unpacked)
Retrieving: rke2-selinux-0.14-1.slemicro.noarch.rpm [done]
rke2-selinux-0.14-1.slemicro.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 089fa20ed161f542: NOKEY
    V3 RSA/SHA256 Signature, key ID 089fa20ed161f542: NOKEY

warning: /var/tmp/AP_0xxWgyBu/rke2-selinux-0.14-1.slemicro.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID d161f542: NOKEY
Looking for gpg key ID D161F542 in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID D161F542 in repository Rancher RKE2 Common (testing).
  gpgkey=https://rpm-testing.rancher.io/public.key
Retrieving: public.key [done]

Automatically importing the following key:

  Repository:       Rancher RKE2 Common (testing)
  Key Fingerprint:  856A 0069 529C A63B 21AA 4E0A 089F A20E D161 F542
  Key Name:         Rancher (CI) <ci@rancher.com>
  Key Algorithm:    RSA 3072
  Key Created:      Thu Jul 23 17:56:35 2020
  Key Expires:      (does not expire)
  Subkey:           0F86B5880F368A45 2020-07-23 [does not expire]
  Rpm Name:         gpg-pubkey-d161f542-5f19cf53

    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If
    you are not sure whether the presented key is authentic, ask the repository provider or check
    their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they
    are using.
Retrieving package rke2-common-1.27.4~rc1~rke2r1-0.slemicro.x86_64 (2/3),  17.9 MiB ( 83.6 MiB unpacked)
Retrieving: rke2-common-1.27.4~rc1~rke2r1-0.slemicro.x86_64.rpm [.done (97.5 KiB/s)]
Retrieving package rke2-server-1.27.4~rc1~rke2r1-0.slemicro.x86_64 (3/3),  10.4 KiB (  887   B unpacked)
Retrieving: rke2-server-1.27.4~rc1~rke2r1-0.slemicro.x86_64.rpm [done]

Checking for file conflicts: [....done]
(1/3) Installing: rke2-selinux-0.14-1.slemicro.noarch [.......done]
(2/3) Installing: rke2-common-1.27.4~rc1~rke2r1-0.slemicro.x86_64 [............done]
(3/3) Installing: rke2-server-1.27.4~rc1~rke2r1-0.slemicro.x86_64 [.....
Running in chroot, ignoring command 'daemon-reload'
done]
Executing %posttrans script 'rke2-selinux-0.14-1.slemicro.noarch.rpm' [....done]
2023-08-09 19:55:44 Application returned with exit status 0.
2023-08-09 19:55:49 Transaction completed.
2023-08-09 19:55:49 tukit 4.0.1 started
2023-08-09 19:55:49 Options: --discard close 2 
2023-08-09 19:55:49 New default snapshot is #2 (/.snapshots/2/snapshot).
2023-08-09 19:55:49 Transaction completed.

Please reboot your machine to activate the changes and avoid data loss.
New default snapshot is #2 (/.snapshots/2/snapshot).
transactional-update finished

ip-172-31-12-243:~ # uname -a
Linux ip-172-31-12-243 5.14.21-150400.24.41-default #1 SMP PREEMPT_DYNAMIC Fri Jan 13 08:55:22 UTC 2023 (1d4442d) x86_64 x86_64 x86_64 GNU/Linux

galal-hussein commented 1 year ago

After investigating the issue, I found out that it's the way the rpm is installed that causes the problem on slemicro: slemicro doesn't create the rpm-state dir (which saves state between scriptlets) by default. We worked around this issue in the install script by creating that dir manually: https://github.com/rancher/rke2/pull/4303/files#diff-043df5bdbf6639d7a77e1d44c5226fd7371e5259a1e4df3a0dd5d64c30dca44fR483-R488

If you insist on running the rpm manually without the install script, then I recommend creating that dir first and then installing the rpm:

transactional-update --no-selfupdate -d run mkdir -p /var/lib/rpm-state
transactional-update run zypper install <path-to-rpm>

@Kristian-ZH can you confirm that the above workaround works for you?

Kristian-ZH commented 1 year ago

The workaround did not work, it still leads to the same error:

(1/1) Installing: rke2-selinux-0.0~1cc12f2cdirty-0.slemicro.noarch [..
cp: cannot create regular file '/var/lib/rpm-state/file_contexts.pre': No such file or directory
error: %prein(rke2-selinux-0.0~1cc12f2cdirty-0.slemicro.noarch) scriptlet failed, exit status 1
error: rke2-selinux-0.0~1cc12f2cdirty-0.slemicro.noarch: install failed
error]
Installation of rke2-selinux-0.0~1cc12f2cdirty-0.slemicro.noarch failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
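The failure in every log above is the same: the package's %prein scriptlet stages a copy of the SELinux file contexts under /var/lib/rpm-state, and on SLE Micro that directory does not exist in the root where the scriptlet runs. The following pre-flight check is an added example, not code from the rke2-selinux project or the rke2 install script. It takes the scriptlet text as printed by `rpm -qp --scripts <rpm>`, decides whether the package needs the rpm-state directory, and creates it under a caller-supplied root so the same check can be pointed at `/` or at a mounted transactional-update snapshot root before zypper is invoked. The sample scriptlet is constructed from the `cp ... file_contexts.pre` line in the error output; it is not the project's actual %prein.

```shell
#!/bin/sh
# Pre-flight check for RPMs whose %prein scriptlet writes into /var/lib/rpm-state.
# Added example; not part of rke2-selinux. ROOT is a parameter so the check can be
# run against "/" or against a snapshot root mounted elsewhere.
set -eu

RPM_STATE_DIR="var/lib/rpm-state"

# scriptlet_uses_rpm_state TEXT
# Returns 0 when the scriptlet text (output of `rpm -qp --scripts pkg.rpm`)
# references /var/lib/rpm-state, 1 otherwise.
scriptlet_uses_rpm_state() {
    printf '%s\n' "$1" | grep -q '/var/lib/rpm-state'
}

# ensure_rpm_state_dir ROOT
# Creates ROOT/var/lib/rpm-state (mode 0755) if missing and prints its path.
ensure_rpm_state_dir() {
    dir="${1%/}/$RPM_STATE_DIR"
    if [ ! -d "$dir" ]; then
        mkdir -p -m 0755 "$dir"
    fi
    printf '%s\n' "$dir"
}

# preflight ROOT SCRIPTLET_TEXT
# Prints "skip"    when the scriptlet does not touch rpm-state,
#        "ok"      when the directory already exists under ROOT,
#        "created" when it was missing and has just been created.
preflight() {
    root="$1"
    scriptlet="$2"
    if ! scriptlet_uses_rpm_state "$scriptlet"; then
        echo "skip"
        return 0
    fi
    if [ -d "${root%/}/$RPM_STATE_DIR" ]; then
        echo "ok"
    else
        ensure_rpm_state_dir "$root" >/dev/null
        echo "created"
    fi
}

# Constructed sample scriptlets (hypothetical; modelled on the cp line in the
# error output above, not copied from the rke2-selinux spec file).
SAMPLE_PREIN='preinstall scriptlet (using /bin/sh):
cp /etc/selinux/targeted/contexts/files/file_contexts /var/lib/rpm-state/file_contexts.pre'

SAMPLE_NO_STATE='preinstall scriptlet (using /bin/sh):
echo "no state needed"'

# Typical use on a live host (run as root, before `zypper install <rpm>`):
#   preflight / "$(rpm -qp --scripts rke2-selinux-0.14-1.slemicro.noarch.rpm)"
# Inside a transactional-update session the same call must target the snapshot
# root, otherwise the directory is created in the running system only.
```

The distinction between "ok" and "created" is what to look at when the workaround in the thread appears not to take effect: if the check reports "created" on the host but the scriptlet still fails inside the transaction, the directory exists in the running root and not in the snapshot the scriptlet actually executes in.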