Bug 1984226
| Summary: | No selinux policy for kubelet | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Kenny <kpeeples> |
| Component: | RHCOS | Assignee: | Timothée Ravier <travier> |
| Status: | CLOSED ERRATA | QA Contact: | Michael Nguyen <mnguyen> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.7 | CC: | aos-bugs, dahernan, dornelas, dpateriy, dwalsh, harpatil, hhei, jligon, lucab, mrussell, npaez, nstielau, smilner |
| Target Milestone: | --- | | |
| Target Release: | 4.7.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-09-15 09:16:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Kenny
2021-07-21 02:24:59 UTC
RHCOS 4.7 has moved to RHEL 8.4 content in the latest nightly and the kubelet is now running under container_runtime_t.

Hi, as Michael is on PTO, I will review and verify this bug. The result is passed, as 'kubelet is now running under container_runtime_t'.

Steps:

1) Launch 4.7.0 OCP nightly on aws
2) Log in to worker nodes and check the result

```
$ oc debug nodes/worker-xxx
sh-4.4# chroot /host
sh-4.4# oc version
Client Version: 4.7.0-202109031319.p0.git.e6f2e9b.assembly.stream-e6f2e9b
sh-4.4# ps -eZ | grep -i kubelet
system_u:system_r:container_runtime_t:s0 1375 ?        00:01:19 kubelet
sh-4.4# semanage fcontext -l | grep kub | grep container_file
/var/lib/kubernetes/pods(/.*)?                     all files          system_u:object_r:container_file_t:s0
```

Thanks Tim and Luca for the review!

Update test result with 4.7.30-x86_64 on aws: result is passed, and changing status to VERIFIED.

```
$ oc debug nodes/node-xxx
sh-4.4# cat /etc/os-release
NAME="Red Hat Enterprise Linux CoreOS"
VERSION="47.84.202109082139-0"
VERSION_ID="4.7"
OPENSHIFT_VERSION="4.7"
RHEL_VERSION="8.4"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 47.84.202109082139-0 (Ootpa)"
ID="rhcos"
ID_LIKE="rhel fedora"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.7"
REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
REDHAT_SUPPORT_PRODUCT_VERSION="4.7"
OSTREE_VERSION='47.84.202109082139-0'
sh-4.4# ps -eZ | grep -i kubelet
system_u:system_r:container_runtime_t:s0 1371 ?        00:01:11 kubelet
sh-4.4# semanage fcontext -l | grep kub | grep container_file
/var/lib/kubernetes/pods(/.*)?                     all files          system_u:object_r:container_file_t:s0
sh-4.4# rpm -qa container-selinux
container-selinux-2.164.1-1.module+el8.4.0+11870+8b6f7018.noarch
sh-4.4# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
# nothing output
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.30 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3422

*** Bug 2006050 has been marked as a duplicate of this bug. ***
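The verification above boils down to two checks on `ps -eZ` output: kubelet's process domain must be `container_runtime_t`, and no service may have fallen through to the generic `initrc_t` domain for lack of a policy module. The script below, an added example and not part of the bug report, packages those checks as shell functions over a constructed `ps -eZ` sample (the sample lines and the `legacy-agent` name are made up for illustration; on a node, pass `"$(ps -eZ)"` instead).

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output; not captured from a real node.
SAMPLE_PS='LABEL                                    PID TTY      TIME     CMD
system_u:system_r:init_t:s0                1 ?        00:00:05 systemd
system_u:system_r:container_runtime_t:s0 1375 ?        00:01:19 kubelet
system_u:system_r:container_runtime_t:s0 1402 ?        00:00:40 crio
system_u:system_r:initrc_t:s0            2210 ?        00:00:01 legacy-agent'

# Print the SELinux type (third field of the label) of the named command.
# $1 = ps -eZ output, $2 = command name as shown in the CMD column.
process_domain() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        $NF == cmd { split($1, f, ":"); print f[3]; exit }'
}

# List commands whose label type is initrc_t: services running in the
# generic init-script domain because no policy module confines them.
initrc_services() {
    printf '%s\n' "$1" | awk '$1 ~ /:initrc_t:/ { print $NF }'
}

# Succeed only if kubelet is confined as container_runtime_t.
check_kubelet() {
    [ "$(process_domain "$1" kubelet)" = "container_runtime_t" ]
}

# Stand-alone run against the constructed sample.
if check_kubelet "$SAMPLE_PS"; then
    echo "kubelet confined as container_runtime_t"
else
    echo "kubelet NOT confined: domain=$(process_domain "$SAMPLE_PS" kubelet)"
fi
unconfined=$(initrc_services "$SAMPLE_PS")
[ -z "$unconfined" ] || echo "services left in initrc_t: $unconfined"
```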