Bug 1413100
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Issues with Docker, Kubernetes, and SELinux | | |
| Product | OpenShift Container Platform | Reporter | Devan Goodwin <dgoodwin> |
| Component | Node | Assignee | Paul Morie <pmorie> |
| Status | CLOSED ERRATA | QA Contact | DeShuai Ma <dma> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 3.5.0 | CC | amurdaca, aos-bugs, bbennett, decarr, eparis, jminter, jokerman, lsm5, mmccomas, tdawson |
| Target Milestone | --- | Keywords | Extras |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-04-12 19:09:14 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Devan Goodwin
2017-01-13 15:48:44 UTC
https://github.com/eparis/kubernetes/commit/ddd43b1f4345eb7c80a62ed0bef49dda2645cf4f

Seems like it would help the : vs = thing, but the real problem is how we got the duplicate. So I'm not going to try to fix this. Just something for pmorie to think/know about.

Issue in upstream: https://github.com/kubernetes/kubernetes/issues/37807

@Eric Paris Could you help look at another selinux issue too? Thanks. https://github.com/kubernetes/kubernetes/issues/37809

We can't change the separator wholesale without losing compatibility with older dockers. There is already code in kubelet that deals with the separator differences based on the docker version, but it looks like it is applied to the security opt before the SELinux options are set by the security context provider. I'll make a change to apply the separator code later, which I believe should fix it.

Created https://github.com/kubernetes/kubernetes/pull/40179 to fix this.

I'm using docker-1.10.3-45.gite03ddb8.fc23.x86_64, and https://github.com/openshift/origin/pull/12831 means I can't run pods any more:

```
Error syncing pod, skipping: failed to "StartContainer" for "POD" with RunContainerError: "runContainer: Error response from daemon: Invalid --security-opt: \"label=level:s0:c8,c2\""
```

Is this intended?

This has been merged into ocp and is in OCP v3.5.0.31 or newer.

Verify on openshift v3.5.0.32-1+4f84c83

```
[root@ip-172-18-12-128 ~]# docker version
Client:
 Version:         1.12.5
 API version:     1.24
 Package version: docker-common-1.12.5-14.el7.x86_64
 Go version:      go1.7.4
 Git commit:      047e51b/1.12.5
 Built:           Wed Jan 11 17:53:20 2017
 OS/Arch:         linux/amd64

Server:
 Version:         1.12.5
 API version:     1.24
 Package version: docker-common-1.12.5-14.el7.x86_64
 Go version:      go1.7.4
 Git commit:      047e51b/1.12.5
 Built:           Wed Jan 11 17:53:20 2017
 OS/Arch:         linux/amd64
```

//Steps
1. Add privileged to user
   oadm policy add-scc-to-user privileged dma
2. Create a pod with selinux
   oc create -f https://raw.githubusercontent.com/mdshuai/testfile-openshift/master/k8s/securityContext/pod-selinux.yaml
3. Check selinux options in container
   oc get pod hello-pod -o json
   docker inspect $container-id

```
[root@dhcp-128-7 Desktop]# oc get pod hello-pod -o json
.....
spec.containers.securityContext
        "securityContext": {
          "privileged": false,
          "seLinuxOptions": {
            "level": "s0:c25,c968",
            "role": "unconfined_r",
            "user": "unconfined_u"
          }
        },
......
spec.securityContext
    "securityContext": {
      "seLinuxOptions": {
        "level": "s0:c25,c968",
        "role": "unconfined_r",
        "user": "unconfined_u"
      }
    },
......
```

//on node inspect container check detail info

```
docker inspect 388ae9a17c9f
      "SecurityOpt": [
        "seccomp=unconfined",
        "label=user:unconfined_u",
        "label=role:unconfined_r",
        "label=level:s0:c25,c968",
        "label=user:unconfined_u",
        "label=role:unconfined_r",
        "label=type:svirt_lxc_net_t",
        "label=level:s0:c25,c968"
      ],
```

//note there is still a small issue
When `docker inspect $container-id`, label shows twice; this will be fixed by https://github.com/docker/docker/pull/30652
info https://github.com/kubernetes/kubeadm/issues/107#issuecomment-278979359
This can't affect the function, I'll make the bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
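The ordering problem discussed in the separator comment above (kubelet picking ':' or '=' per Docker version, but doing so before the SELinux labels are appended) can be reproduced in a small model. The following Go block is an added example written for this page; it is not kubelet's code and not code posted by any commenter. It assumes a version cut-off at Docker 1.11 between the ':' and '=' separators, and the sample `seccomp` and `label` values are taken from the `docker inspect` output shown in the verification comment.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SELinuxOptions mirrors the fields of securityContext.seLinuxOptions in a pod spec.
type SELinuxOptions struct {
	User, Role, Type, Level string
}

// securityOpt holds one --security-opt entry before the separator is applied,
// e.g. {"label", "level:s0:c25,c968"} or {"seccomp", "unconfined"}.
type securityOpt struct {
	key, value string
}

// separatorFor returns the key/value separator a Docker release expects in
// --security-opt. Assumed rule for this example (not stated on the bug page):
// releases before 1.11 use ':' and 1.11 or later use '='.
func separatorFor(dockerVersion string) (string, error) {
	parts := strings.SplitN(dockerVersion, ".", 3)
	if len(parts) < 2 {
		return "", fmt.Errorf("unparseable docker version %q", dockerVersion)
	}
	major, errMajor := strconv.Atoi(parts[0])
	minor, errMinor := strconv.Atoi(parts[1])
	if errMajor != nil || errMinor != nil {
		return "", fmt.Errorf("unparseable docker version %q", dockerVersion)
	}
	if major > 1 || (major == 1 && minor >= 11) {
		return "=", nil
	}
	return ":", nil
}

// selinuxOpts turns the non-empty seLinuxOptions fields into label options.
func selinuxOpts(o SELinuxOptions) []securityOpt {
	var opts []securityOpt
	for _, f := range [][2]string{{"user", o.User}, {"role", o.Role}, {"type", o.Type}, {"level", o.Level}} {
		if f[1] != "" {
			opts = append(opts, securityOpt{"label", f[0] + ":" + f[1]})
		}
	}
	return opts
}

// formatOpts joins every key/value pair with the given separator.
func formatOpts(opts []securityOpt, sep string) []string {
	out := make([]string, 0, len(opts))
	for _, o := range opts {
		out = append(out, o.key+sep+o.value)
	}
	return out
}

// buildBuggy models the ordering described in the bug: the base options are
// formatted with the version-specific separator first, then the SELinux labels
// are appended already formatted with a fixed separator, so the two halves can
// disagree on older or newer Docker releases.
func buildBuggy(base []securityOpt, se *SELinuxOptions, dockerVersion, fixedSep string) ([]string, error) {
	sep, err := separatorFor(dockerVersion)
	if err != nil {
		return nil, err
	}
	out := formatOpts(base, sep)
	if se != nil {
		out = append(out, formatOpts(selinuxOpts(*se), fixedSep)...)
	}
	return out, nil
}

// buildFixed collects every option unformatted and applies the separator once,
// after the SELinux labels have been added.
func buildFixed(base []securityOpt, se *SELinuxOptions, dockerVersion string) ([]string, error) {
	sep, err := separatorFor(dockerVersion)
	if err != nil {
		return nil, err
	}
	all := append([]securityOpt{}, base...)
	if se != nil {
		all = append(all, selinuxOpts(*se)...)
	}
	return formatOpts(all, sep), nil
}

// consistentSeparator reports whether every option uses the separator the given
// Docker release expects; a mismatch is what the daemon rejects at container start.
func consistentSeparator(opts []string, dockerVersion string) bool {
	sep, err := separatorFor(dockerVersion)
	if err != nil {
		return false
	}
	for _, o := range opts {
		// the key ends at the first ':' or '=', whichever comes first
		i := strings.IndexAny(o, ":=")
		if i < 0 || string(o[i]) != sep {
			return false
		}
	}
	return true
}

func main() {
	base := []securityOpt{{"seccomp", "unconfined"}}
	se := &SELinuxOptions{User: "unconfined_u", Role: "unconfined_r", Level: "s0:c25,c968"}
	buggy, _ := buildBuggy(base, se, "1.10.3", "=")
	fixed, _ := buildFixed(base, se, "1.10.3")
	fmt.Println("buggy:", buggy, "consistent:", consistentSeparator(buggy, "1.10.3"))
	fmt.Println("fixed:", fixed, "consistent:", consistentSeparator(fixed, "1.10.3"))
}
```

Run against docker 1.10.3 with a hard-coded '=' for the labels, `buildBuggy` produces exactly the shape reported above (`seccomp:unconfined` beside `label=level:...`), while `buildFixed` emits a single separator for the whole list because the version check runs last. The duplicated labels seen in `docker inspect` are a separate issue on the daemon side and are not modelled here.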