Bug 2079454
| Summary: | [4.10] conditionally relabel volumes given annotation not working - SELinux context match is wrong | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Peter Hunt <pehunt> | |
| Component: | Node | Assignee: | Peter Hunt <pehunt> | |
| Node sub component: | CRI-O | QA Contact: | Sunil Choudhary <schoudha> | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | high | |||
| Priority: | medium | CC: | algonzal, aos-bugs, dmunneor, pehunt, ramon.gordillo, schoudha, svanka | |
| Version: | 4.8 | |||
| Target Milestone: | --- | |||
| Target Release: | 4.10.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | 2071033 | |||
| : | 2079461 (view as bug list) | Environment: | ||
| Last Closed: | 2022-06-28 11:50:26 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 2071033 | |||
| Bug Blocks: | 2079461, 2086098 | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.10.20 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5172 |
% oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.10.0-0.nightly-2022-06-08-150219 True False 19m Cluster version is 4.10.0-0.nightly-2022-06-08-150219 % oc get nodes NAME STATUS ROLES AGE VERSION sunil410z-tz9fr-master-0 Ready master 44m v1.23.5+3afdacb sunil410z-tz9fr-master-1 Ready master 44m v1.23.5+3afdacb sunil410z-tz9fr-master-2 Ready master 44m v1.23.5+3afdacb sunil410z-tz9fr-worker-northcentralus-527v7 Ready worker 33m v1.23.5+3afdacb sunil410z-tz9fr-worker-northcentralus-kfwn9 Ready worker 34m v1.23.5+3afdacb sunil410z-tz9fr-worker-northcentralus-z9kwm Ready worker 34m v1.23.5+3afdacb % oc get nodes NAME STATUS ROLES AGE VERSION sunil410z-tz9fr-master-0 Ready master 44m v1.23.5+3afdacb sunil410z-tz9fr-master-1 Ready master 44m v1.23.5+3afdacb sunil410z-tz9fr-master-2 Ready master 44m v1.23.5+3afdacb sunil410z-tz9fr-worker-northcentralus-527v7 Ready worker 33m v1.23.5+3afdacb sunil410z-tz9fr-worker-northcentralus-kfwn9 Ready worker 34m v1.23.5+3afdacb sunil410z-tz9fr-worker-northcentralus-z9kwm Ready worker 34m v1.23.5+3afdacb % cat mcs.yaml apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: labels: machineconfiguration.openshift.io/role: worker name: 99-worker-selinux-configuration spec: config: ignition: version: 3.2.0 storage: files: - contents: source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZS5ydW50aW1lcy5zZWxpbnV4XQpydW50aW1lX3BhdGggPSAiL3Vzci9iaW4vcnVuYyIKcnVudGltZV9yb290ID0gIi9ydW4vcnVuYyIKcnVudGltZV90eXBlID0gIm9jaSIKYWxsb3dlZF9hbm5vdGF0aW9ucyA9IFsiaW8ua3ViZXJuZXRlcy5jcmktby5UcnlTa2lwVm9sdW1lU0VMaW51eExhYmVsIl0K mode: 0640 overwrite: true path: /etc/crio/crio.conf.d/01-selinux.conf osImageURL: "" % oc create -f mcs.yaml machineconfig.machineconfiguration.openshift.io/99-worker-selinux-configuration created % oc debug node/sunil410z-tz9fr-worker-northcentralus-z9kwm Starting pod/sunil410z-tz9fr-worker-northcentralus-z9kwm-debug ... sh-4.4# ls /etc/crio/ crio.conf crio.conf.d seccomp.json sh-4.4# cat /etc/crio/crio.conf.d/01-selinux.conf [crio.runtime.runtimes.selinux] runtime_path = "/usr/bin/runc" runtime_root = "/run/runc" runtime_type = "oci" allowed_annotations = ["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"] % cat selinuxrc.yaml apiVersion: node.k8s.io/v1 kind: RuntimeClass metadata: name: selinux handler: selinux % oc create -f selinuxrc.yaml runtimeclass.node.k8s.io/selinux created % oc create -f pv.yaml persistentvolume/pv0001 created % oc create -f pvc.yaml persistentvolumeclaim/myclaim created % oc create -f deploy.yaml deployment.apps/pv-deploy created % oc get pods NAME READY STATUS RESTARTS AGE pv-deploy-6f8f665458-8jb9c 1/1 Running 0 20s sh-4.4# runc list | grep -i d0cfc7ffced96 d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67 14846 running /run/containers/storage/overlay-containers/d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67/userdata 2022-06-15T12:42:25.357588858Z root sh-4.4# chcon -t unlabeled_t /run/containers/storage/overlay-containers/d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67/userdata/config.json sh-4.4# ls -lZ /run/containers/storage/overlay-containers/d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67/userdata/config.json -rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0 10008 Jun 15 12:42 /run/containers/storage/overlay-containers/d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67/userdata/config.json