Bug 2079454 - [4.10] conditionally relabel volumes given annotation not working - SELinux context match is wrong
Summary: [4.10] conditionally relabel volumes given annotation not working - SELinux c...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 4.8
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
Target Release: 4.10.z
Assignee: Peter Hunt
QA Contact: Sunil Choudhary
URL:
Whiteboard:
Depends On: 2071033
Blocks: 2079461 2086098
Reported: 2022-04-27 14:58 UTC by Peter Hunt
Modified: 2022-06-28 11:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2071033
Clones: 2079461
Environment:
Last Closed: 2022-06-28 11:50:26 UTC
Target Upstream Version:
Embargoed:

Links
GitHub cri-o/cri-o pull 5792 (Merged): [release-1.23] server: Canonize selinux label for comparison with filesystem label. Last updated 2022-04-27 14:58:36 UTC
Red Hat Product Errata RHBA-2022:5172. Last updated 2022-06-28 11:50:54 UTC

Comment 3 Sunil Choudhary 2022-06-15 12:54:56 UTC
% oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-06-08-150219   True        False         19m     Cluster version is 4.10.0-0.nightly-2022-06-08-150219

% oc get nodes
NAME                                          STATUS   ROLES    AGE   VERSION
sunil410z-tz9fr-master-0                      Ready    master   44m   v1.23.5+3afdacb
sunil410z-tz9fr-master-1                      Ready    master   44m   v1.23.5+3afdacb
sunil410z-tz9fr-master-2                      Ready    master   44m   v1.23.5+3afdacb
sunil410z-tz9fr-worker-northcentralus-527v7   Ready    worker   33m   v1.23.5+3afdacb
sunil410z-tz9fr-worker-northcentralus-kfwn9   Ready    worker   34m   v1.23.5+3afdacb
sunil410z-tz9fr-worker-northcentralus-z9kwm   Ready    worker   34m   v1.23.5+3afdacb

% cat mcs.yaml 
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-worker-selinux-configuration
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZS5ydW50aW1lcy5zZWxpbnV4XQpydW50aW1lX3BhdGggPSAiL3Vzci9iaW4vcnVuYyIKcnVudGltZV9yb290ID0gIi9ydW4vcnVuYyIKcnVudGltZV90eXBlID0gIm9jaSIKYWxsb3dlZF9hbm5vdGF0aW9ucyA9IFsiaW8ua3ViZXJuZXRlcy5jcmktby5UcnlTa2lwVm9sdW1lU0VMaW51eExhYmVsIl0K
        mode: 0640
        overwrite: true
        path: /etc/crio/crio.conf.d/01-selinux.conf
  osImageURL: ""

% oc create -f mcs.yaml 
machineconfig.machineconfiguration.openshift.io/99-worker-selinux-configuration created

% oc debug node/sunil410z-tz9fr-worker-northcentralus-z9kwm
Starting pod/sunil410z-tz9fr-worker-northcentralus-z9kwm-debug ...

sh-4.4# ls /etc/crio/
crio.conf  crio.conf.d	seccomp.json

sh-4.4# cat /etc/crio/crio.conf.d/01-selinux.conf 
[crio.runtime.runtimes.selinux]
runtime_path = "/usr/bin/runc"
runtime_root = "/run/runc"
runtime_type = "oci"
allowed_annotations = ["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"]
% cat selinuxrc.yaml 
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: selinux
handler: selinux

% oc create -f selinuxrc.yaml
runtimeclass.node.k8s.io/selinux created
% oc create -f pv.yaml 
persistentvolume/pv0001 created

% oc create -f pvc.yaml 
persistentvolumeclaim/myclaim created

% oc create -f deploy.yaml 
deployment.apps/pv-deploy created

% oc get pods
NAME                         READY   STATUS    RESTARTS   AGE
pv-deploy-6f8f665458-8jb9c   1/1     Running   0          20s
sh-4.4# runc list | grep -i d0cfc7ffced96
d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67   14846       running     /run/containers/storage/overlay-containers/d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67/userdata   2022-06-15T12:42:25.357588858Z   root

sh-4.4# chcon -t unlabeled_t  /run/containers/storage/overlay-containers/d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67/userdata/config.json

sh-4.4# ls -lZ /run/containers/storage/overlay-containers/d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67/userdata/config.json
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0 10008 Jun 15 12:42 /run/containers/storage/overlay-containers/d0cfc7ffced9695435b79670fb6584c46458e9dcfd62abc7eb39fd871138cf67/userdata/config.json
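The linked PR title says the fix canonicalizes the SELinux label before comparing it with the filesystem label, but the bug page does not show that code. The following Go program is an added illustration, not cri-o's code, of why a plain string comparison is the wrong check: it assumes the mismatch comes from the same MCS context being spelled differently (category order, or a "c1.c3" range versus a "c1,c2,c3" list), parses the four fields of a label, expands categories into a set, and only then decides whether a volume still needs relabeling. The type names and functions (`Context`, `ParseContext`, `SameContext`, `NeedsRelabel`) are assumptions for this example; on a real host the authoritative canonical form comes from the kernel via libselinux rather than from in-process parsing.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Context holds the fields of an SELinux label such as
// "system_u:object_r:container_file_t:s0:c12,c34" (example type, not cri-o's).
type Context struct {
	User, Role, Type, Sensitivity string
	Categories                     map[int]bool
}

// ParseContext splits a label into its fields and expands the category list,
// including ranges written as "c1.c3", into an explicit set.
func ParseContext(label string) (Context, error) {
	parts := strings.SplitN(label, ":", 4)
	if len(parts) < 3 {
		return Context{}, fmt.Errorf("malformed label %q", label)
	}
	ctx := Context{User: parts[0], Role: parts[1], Type: parts[2], Categories: map[int]bool{}}
	if len(parts) < 4 || parts[3] == "" {
		return ctx, nil // no MLS/MCS level present
	}
	level := strings.SplitN(parts[3], ":", 2)
	ctx.Sensitivity = level[0]
	if len(level) == 1 {
		return ctx, nil
	}
	for _, item := range strings.Split(level[1], ",") {
		bounds := strings.SplitN(item, ".", 2)
		lo, err := parseCategory(bounds[0])
		if err != nil {
			return Context{}, err
		}
		hi := lo
		if len(bounds) == 2 {
			if hi, err = parseCategory(bounds[1]); err != nil {
				return Context{}, err
			}
		}
		if hi < lo {
			return Context{}, fmt.Errorf("bad category range %q", item)
		}
		for c := lo; c <= hi; c++ {
			ctx.Categories[c] = true
		}
	}
	return ctx, nil
}

func parseCategory(s string) (int, error) {
	if !strings.HasPrefix(s, "c") {
		return 0, fmt.Errorf("bad category %q", s)
	}
	return strconv.Atoi(s[1:])
}

// Canonical renders the context in one fixed spelling: categories sorted,
// runs of three or more consecutive categories collapsed into "cN.cM".
func (c Context) Canonical() string {
	cats := make([]int, 0, len(c.Categories))
	for k := range c.Categories {
		cats = append(cats, k)
	}
	sort.Ints(cats)
	var runs []string
	for i := 0; i < len(cats); {
		j := i
		for j+1 < len(cats) && cats[j+1] == cats[j]+1 {
			j++
		}
		if j-i >= 2 {
			runs = append(runs, fmt.Sprintf("c%d.c%d", cats[i], cats[j]))
		} else {
			for k := i; k <= j; k++ {
				runs = append(runs, fmt.Sprintf("c%d", cats[k]))
			}
		}
		i = j + 1
	}
	label := c.User + ":" + c.Role + ":" + c.Type
	if c.Sensitivity != "" {
		label += ":" + c.Sensitivity
		if len(runs) > 0 {
			label += ":" + strings.Join(runs, ",")
		}
	}
	return label
}

// SameContext reports whether two label strings denote the same context.
func SameContext(a, b string) (bool, error) {
	ca, err := ParseContext(a)
	if err != nil {
		return false, err
	}
	cb, err := ParseContext(b)
	if err != nil {
		return false, err
	}
	return ca.Canonical() == cb.Canonical(), nil
}

// NeedsRelabel models the decision behind the TrySkipVolumeSELinuxLabel
// annotation: skip the relabel only when the volume already carries the
// wanted context. An unparseable label is treated as needing a relabel.
func NeedsRelabel(volumeLabel, wantLabel string) (bool, error) {
	same, err := SameContext(volumeLabel, wantLabel)
	if err != nil {
		return true, err
	}
	return !same, nil
}

func main() {
	// Constructed sample labels: the same MCS context in two spellings.
	want := "system_u:object_r:container_file_t:s0:c3,c1,c2"
	onDisk := "system_u:object_r:container_file_t:s0:c1.c3"
	need, _ := NeedsRelabel(onDisk, want)
	fmt.Println("string equal:", want == onDisk, "needs relabel:", need)
}
```

The failure mode the bug describes follows from the string comparison: with it, the two spellings above compare unequal, the volume is relabeled on every pod start, and the annotation has no effect; with the canonical comparison the relabel is skipped only when the context really matches, and a volume left as `unlabeled_t` or carrying a different category set is still relabeled.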

Comment 8 errata-xmlrpc 2022-06-28 11:50:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.10.20 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5172