[BUG] Unable to install the operator on CentOS Stream 8 with SELinux enforcing #115
Comments
@wainersm Could you provide the AVC related messages from the |
Does it help, @hbrueckner?
Unfortunately I'd say that's "expected" as it's never been tested. We'll need to probably work on two fronts here:
The first step is, IMHO, figuring out which are all the failures we may be hitting, and for doing so I'd recommend to do the following:
@wainersm, would you be able to get the full logs of failures so we can start properly tracking all the issues?
Agree on switching to permissive mode and sorting out the failures. Based on the logs above, my first impression is that containerd binaries are not correctly labeled (e.g. compared to what they should be in https://github.com/containers/container-selinux/blob/main/container.fc), e.g.
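One way to do the triage suggested in the comment above (permissive mode, collect the denials, compare the labels with container.fc), as an added example that is not code from the operator project or from any commenter. It parses AVC denial records from stdin, reports the type carried by each denied target, and prints the `semanage fcontext` / `restorecon` commands that give relocated binaries the `container_runtime_exec_t` type that container.fc assigns to `/usr/bin/containerd.*`. The install directory `/opt/example/bin`, the audit records and the function names are assumptions for illustration; the thread does not show the real path.

```shell
#!/bin/sh
# Added example, not code from the operator project: triage SELinux AVC
# denials against a containerd binary installed outside /usr/bin and emit
# the file-context rule that matches what container.fc gives
# /usr/bin/containerd.* (type container_runtime_exec_t).
# The directory /opt/example/bin and the audit records are constructed.

# Constructed stand-in for `ausearch -m AVC -ts recent` output on a host in
# enforcing mode; a non-AVC record is included to show that it is ignored.
SAMPLE_AVC='type=SYSCALL msg=audit(1650000000.123:456): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1650000000.123:456): avc:  denied  { execute } for  pid=1234 comm="(containerd)" path="/opt/example/bin/containerd" dev="vda1" ino=98765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1650000000.456:457): avc:  denied  { execute_no_trans } for  pid=1235 comm="containerd" path="/opt/example/bin/containerd-shim-kata-v2" dev="vda1" ino=98766 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0'

# stdin: audit records. stdout: one "<path> <type of the denied target>"
# line per AVC denial that names a file path.
avc_denied_paths() {
  grep -F 'avc:  denied' |
    sed -n 's/.*path="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2/p'
}

# Reads the output of avc_denied_paths-style records on stdin. Returns 0
# when any denied target carries a type other than container_runtime_exec_t
# (a relabel is the likely fix), 1 otherwise (the binaries are labeled as
# container.fc expects, so the denial points at a policy gap instead).
needs_relabel() {
  avc_denied_paths |
    awk '$2 != "container_runtime_exec_t" { found = 1 } END { exit !found }'
}

# $1: directory holding the relocated containerd binaries. Prints the
# commands that persist the label in the policy store and re-apply it on
# disk. Printed rather than executed so they can be reviewed first.
relabel_commands() {
  dir=$1
  printf "semanage fcontext -a -t container_runtime_exec_t '%s/containerd.*'\n" "$dir"
  printf "restorecon -Rv '%s'\n" "$dir"
}

# Full triage: list the denied targets found on stdin and, if their labels
# are wrong for a container runtime, print the relabel commands for $1.
triage() {
  dir=$1
  records=$(cat)
  printf '%s\n' "$records" | avc_denied_paths
  if printf '%s\n' "$records" | needs_relabel; then
    relabel_commands "$dir"
  fi
}

# Stand-alone run over the constructed sample. On a real node the input is:
#   setenforce 0; systemctl restart containerd   # log denials, do not block
#   ausearch -m AVC -ts recent | triage /opt/example/bin
printf '%s\n' "$SAMPLE_AVC" | triage /opt/example/bin
```

The relabel is only half of the check: after `restorecon`, re-run the restart with `setenforce 1` and look at `ausearch` again. Denials that survive with the target already typed `container_runtime_exec_t` are policy gaps to be addressed in container-selinux or a local module, not labeling mistakes.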
Interesting behavior... if I set to permissive mode (
When I look at the events of the same daemon-install pod I see the reason is still related to the containerd reboot:
I could swear I had the operator installed correctly without selinux on permissive mode. Next: I will boot the VM and set to permissive right away, even before installing and starting k8s.
Ok, set selinux to permissive mode even before starting the cluster and everything. Here are the audit messages that got logged after the operator was installed:
@dcmiddle, @fitzthum, could we add this bug as a limitation as part of the release notes? Just something saying that "Support for running on clusters that are using SELinux on Enforcing mode is not supported." Then we'll need to break this down and evaluate what will make it into the coming releases, although I don't see this as having the highest priority.
From above AVC messages,
Is there any specific reason to install containerd in |
It's an attempt to do a non-destructive install since we overwrite "normal" containerd with our patched version.
Hi @dcmiddle
Understood... and in that case, the SELinux context for |
The operator does not work(**) with SELinux enabled and enforced. Added a note about it on the prerequisites section. (**) confidential-containers/operator#115 Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This bug has been open for a while now and things changed a little bit. E.g., the operator is now installing kata under |
Describe the bug
When I run `kubectl create -f config/samples/ccruntime.yaml` in CentOS Stream 8 with SELinux on enforcing mode, the runtime is not fully installed because it fails to restart containerd. That bug might not be exclusive to CentOS Stream 8.
To Reproduce
Steps to reproduce the behavior:
Create a CentOS Stream 8 VM with kcli (`kcli create vm -p centos8stream -P memory=$((4096*2)) -P numcpus=4 my-vm -P disks=['{"size": 20, "interface": "sata"}']`), then inside the VM:

```shell
sudo dnf update -y && sudo dnf install git ansible-core -y
git clone https://github.com/confidential-containers/operator && cd operator/tests/e2e
ansible-galaxy collection install community.docker
ansible-playbook -i localhost, -c local --tags untagged ansible/main.yml
sudo -E PATH="$PATH" bash -c './cluster/up.sh' && export KUBECONFIG=/etc/kubernetes/admin.conf
sudo -E PATH=$PATH:/usr/local/bin bash -c 'kubectl label node "$(hostname)" "node-role.kubernetes.io/worker="'
sudo -E PATH=$PATH:/usr/local/bin bash -c 'kubectl apply -f https://raw.githubusercontent.com/confidential-containers/operator/v0.1.0/deploy/deploy.yaml'
sudo -E PATH=$PATH:/usr/local/bin bash -c 'kubectl apply -f https://raw.githubusercontent.com/confidential-containers/operator/v0.1.0/config/samples/ccruntime.yaml'
```
Describe the results you expected
Have the operator installed.
Describe the results you received:
The pre-install pod gets running:
Although the pre-install pod is running, it got only the containerd binary installed:
The `journalctl -xe` output gives us more details:
I cannot get the logs from the pre-install pod: