Bug 1594485

Summary:

SELinux denial in docker-registry pod where /etc/pki is mounted

Product:

Red Hat Enterprise Linux 7

Reporter:

Nicholas Schuetz <nick>

Component:

container-selinux

Assignee:

Jindrich Novy <jnovy>

Status:

CLOSED WONTFIX

QA Contact:

atomic-bugs <atomic-bugs>

Severity:

unspecified

Docs Contact:

Priority:

unspecified

Version:

7.4

CC:

aos-bugs, dwalsh, jokerman, mmccomas, tsweeney

Target Milestone:

Keywords:

Extras

Target Release:

---

Hardware:

Unspecified

OS:

Unspecified

Whiteboard:

Fixed In Version:

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2020-06-03 14:46:55 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Attachments:

Description	Flags
audit log	none

Description Nicholas Schuetz 2018-06-23 15:51:16 UTC

So i have a need for Openshift to use a self-signed cert for my internal docker registry.  During install, i modify my apiserver.yaml to include the volumeMount/hostPath for /etc/pki.  That works, although it's a hack.

For the next step, i have to add a similar config to the docker-registry pod (post-deployment).  To do that, i do this:

oc patch dc docker-registry -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","volumeMounts":[{"mountPath":"/etc/pki","name":"certs"}]}],"volumes":[{"hostPath":{"path":"/etc/pki","type":"Directory"},"name":"certs"}]}}}}'

and then adjust the scc to allow the hostPath:

oc adm policy add-scc-to-user hostaccess -z registry -n default

But that still doesnt work.  I have to 'setenforce 0' on all infra nodes to get this to work.  Obviously, SELinux is preventing me from mounting my pki directory in the docker-registry pod.  Note that i cannot pull-through the internal registry without doing this.

atomic-openshift-3.10.6-1

-Nick

Comment 1 Ben Parees 2018-06-23 15:58:16 UTC

you could also provide the /etc/pki/tls/cert.pem file(assuming it contains all your trusted CAs) via a configmap mount which would not require these permissions.

But I'm going to send this bug to the pod team for starters to see if they can offer guidance on why the selinux is preventing access to the mounted hostpath.

Comment 2 Nicholas Schuetz 2018-06-23 15:59:39 UTC

related:  https://bugzilla.redhat.com/show_bug.cgi?id=1592936

Comment 3 Nicholas Schuetz 2018-06-23 16:45:36 UTC

i was able to fix this by adjusting the context in /etc/pki on all my infra nodes.

chcon -R --type=container_t /etc/pki

Comment 4 Seth Jennings 2018-06-25 15:48:00 UTC

Relabeling /etc/pki on the host to be container accessible is not advised for security reasons.  A bad container could write to /etc/pki on the host and get the host trust bad certs.

Thus selinux is behaving as expected blocking container access to /etc/pki on the host.

I would recommend doing what Ben recommends and mounting your CAs in from a secret, not hostPathing them from the node.  Openshift has fairly (effectively) limited support for hostPath as many parts of the host filesystem are inaccessible to containers because of selinux.

For the docker-registry, this works.  However, you do have the issue of the apiserver static pods not being able to access secrets without the apiserver already being up, so mounting them in with a secret is chicken-egg problematic.

I am not experienced enough about the recommended config for using an external CA (in this cases, self-signed) in the cluster.

Back to Image Registry for additional guidance on how this could be done in 3.10.

Comment 5 Ben Parees 2018-06-25 16:18:26 UTC

> Thus selinux is behaving as expected blocking container access to /etc/pki on the host.

shouldn't selinux at least allow the read?  (I don't think a write is being attempted).

Comment 6 Seth Jennings 2018-06-25 16:58:07 UTC

What changed about v3.10 that introduced this? The apiserver being in a pod?

Was this pattern of installing custom certs in /etc/pki used in 3.9 since the apiserver ran as a host process (not in a container)?

If so, we should allow reads on cert_t from container_t and this bug should go to RHEL product container-selinux component.

Comment 7 Nicholas Schuetz 2018-06-25 17:03:34 UTC

Yes.  Also, the docker-registry pod(s) need access because the images are now "pulled-through" the internal registry.

Comment 8 Ben Parees 2018-06-25 17:27:40 UTC

The specific issue Nicholas ran into is that the imagestreams in 3.10 leverage pullthrough (in 3.9 they did not).  Pullthrough means now the internal registry is responsible for pulling the images from the external registry, instead of the host's docker daemon doing it.

That means the internal docker registry needs to be able to trust the external registry, which means including potentially self-signed certs in the docker-registry pod.  This was an issue that periodically came up before 3.10, but now that our out of box examples are using pullthrough it's a bit more likely for users to hit it (even so most users won't hit it because the imagestreams reference a trusted registry..but Nicholas has modified them to reference an untrusted registry).


The apiserver being in a pod is presenting similar problems, but it's worth noting that Nicholas did not hit any selinux problems when mounting host certs into the apiserver pod.  Only when mounting them into the docker-registry pod.

Anyway regardless of why it's coming up now and whether or not the configmap/secret mount approach is better than a hostmount, it still seems like the reads should be allowed.  And i'd like to understand why the apiserver pod is not having problems while the docker-registry pod is.  Is it related to SCCs?

Comment 9 Seth Jennings 2018-06-25 17:56:04 UTC

It is because the apiserver pod runs as a SPC (super privileged container, type spc_t) which has read access to most everything on the host.

# ps -feZ | grep "openshift start master"
system_u:system_r:spc_t:s0      root      93131  93115  4 17:35 ?        00:00:53 openshift start master api --config=/etc/origin/master/master-config.yaml --loglevel=2
system_u:system_r:spc_t:s0      root      93355  93340  5 17:35 ?        00:01:03 openshift start master controllers --config=/etc/origin/master/master-config.yaml --listen=https://0.0.0.0:8444 --loglevel=2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 100528 97636  0 17:55 pts/0 00:00:00 grep --color=auto openshift start master

from apiserver.yaml:

    securityContext:
      privileged: true

Comment 10 Nicholas Schuetz 2018-06-25 18:02:53 UTC

Created attachment 1454446 [details]
audit log

Comment 11 Ben Parees 2018-06-25 18:29:36 UTC

Ok, i'm going to send this to container-selinux per comment 6, in that I believe /etc/pki should always be readable (but not necessarily writable) w/o special privileges.  Thanks Seth!

Meanwhile we'll continue to work on improving the experience around providing certs to the docker-registry pod w/o using hostmounts so users can avoid this problem entirely (step 1 for that is to document how to use a configmap or secret instead).

Comment 14 Daniel Walsh 2020-06-03 14:46:55 UTC

Since RHEL7 is no longer supported, I am going to close this as WONTFIX.
The way to probably handle this is with custom policy using udica.