Bug 2079461 - [4.9] conditionally relabel volumes given annotation not working - SELinux context match is wrong
Summary: [4.9] conditionally relabel volumes given annotation not working - SELinux context match is wrong
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 4.8
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
Target Release: 4.9.z
Assignee: Peter Hunt
QA Contact: Sunil Choudhary
URL:
Whiteboard:
Depends On: 2071033 2079454
Blocks: 2086098
 
Reported: 2022-04-27 15:00 UTC by Peter Hunt
Modified: 2022-06-30 05:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2079454
Clones: 2086098 (view as bug list)
Environment:
Last Closed: 2022-06-30 05:31:20 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github cri-o cri-o pull 5829 0 None Merged [release-1.22] [release-1.23] server: Canonize selinux label for comparison with filesystem label 2022-05-13 20:15:18 UTC
Red Hat Product Errata RHBA-2022:5180 0 None None None 2022-06-30 05:31:54 UTC

Comment 6 Sunil Choudhary 2022-06-16 10:57:39 UTC
 % oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.39    True        False         4h48m   Cluster version is 4.9.39

% oc get nodes -o wide
NAME                                        STATUS   ROLES    AGE     VERSION           INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                                                       KERNEL-VERSION                 CONTAINER-RUNTIME
sunil49-k5q8r-master-0                      Ready    master   5h6m    v1.22.8+f34b40c   10.0.0.6      <none>        Red Hat Enterprise Linux CoreOS 49.84.202206131503-0 (Ootpa)   4.18.0-305.49.1.el8_4.x86_64   cri-o://1.22.5-3.rhaos4.9.gitb6d3a87.el8
sunil49-k5q8r-master-1                      Ready    master   5h6m    v1.22.8+f34b40c   10.0.0.8      <none>        Red Hat Enterprise Linux CoreOS 49.84.202206131503-0 (Ootpa)   4.18.0-305.49.1.el8_4.x86_64   cri-o://1.22.5-3.rhaos4.9.gitb6d3a87.el8
sunil49-k5q8r-master-2                      Ready    master   5h6m    v1.22.8+f34b40c   10.0.0.7      <none>        Red Hat Enterprise Linux CoreOS 49.84.202206131503-0 (Ootpa)   4.18.0-305.49.1.el8_4.x86_64   cri-o://1.22.5-3.rhaos4.9.gitb6d3a87.el8
sunil49-k5q8r-worker-northcentralus-6zkn7   Ready    worker   4h57m   v1.22.8+f34b40c   10.0.128.5    <none>        Red Hat Enterprise Linux CoreOS 49.84.202206131503-0 (Ootpa)   4.18.0-305.49.1.el8_4.x86_64   cri-o://1.22.5-3.rhaos4.9.gitb6d3a87.el8
sunil49-k5q8r-worker-northcentralus-dkgqr   Ready    worker   4h57m   v1.22.8+f34b40c   10.0.128.4    <none>        Red Hat Enterprise Linux CoreOS 49.84.202206131503-0 (Ootpa)   4.18.0-305.49.1.el8_4.x86_64   cri-o://1.22.5-3.rhaos4.9.gitb6d3a87.el8
sunil49-k5q8r-worker-northcentralus-trxhj   Ready    worker   4h56m   v1.22.8+f34b40c   10.0.128.6    <none>        Red Hat Enterprise Linux CoreOS 49.84.202206131503-0 (Ootpa)   4.18.0-305.49.1.el8_4.x86_64   cri-o://1.22.5-3.rhaos4.9.gitb6d3a87.el8

% cat mcs.yaml 
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    # Targets the worker pool only; the master pool is untouched (a new
    # rendered-worker config appears after creation, rendered-master does not).
    machineconfiguration.openshift.io/role: worker
  name: 99-worker-selinux-configuration
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - contents:
          # Base64 of the CRI-O drop-in that registers a runtime handler named
          # "selinux" (runc) and allow-lists the
          # io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel annotation for it;
          # the decoded text is what `cat /etc/crio/crio.conf.d/01-selinux.conf`
          # shows on the node below. Only pods scheduled through this handler
          # may use the annotation, so access to the matching RuntimeClass is
          # the control point for who can request the relabel skip.
          source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZS5ydW50aW1lcy5zZWxpbnV4XQpydW50aW1lX3BhdGggPSAiL3Vzci9iaW4vcnVuYyIKcnVudGltZV9yb290ID0gIi9ydW4vcnVuYyIKcnVudGltZV90eXBlID0gIm9jaSIKYWxsb3dlZF9hbm5vdGF0aW9ucyA9IFsiaW8ua3ViZXJuZXRlcy5jcmktby5UcnlTa2lwVm9sdW1lU0VMaW51eExhYmVsIl0K
        # Octal 0640 (root rw, group r, no world access). The MCO stores the
        # mode as an integer; a YAML 1.1 parser reads the leading-zero form as
        # octal 416. NOTE(review): a YAML 1.2 parser would read 0640 as decimal
        # 640 -- confirm the tooling used to apply this file if it is edited.
        mode: 0640
        # Replace any existing file at this path rather than failing.
        overwrite: true
        # CRI-O drop-in directory; merged into the main crio.conf on the node.
        path: /etc/crio/crio.conf.d/01-selinux.conf
  osImageURL: ""

% oc create -f mcs.yaml 
machineconfig.machineconfiguration.openshift.io/99-worker-selinux-configuration created

% oc get mc
NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                          bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m
00-worker                                          bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m
01-master-container-runtime                        bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m
01-master-kubelet                                  bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m
01-worker-container-runtime                        bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m
01-worker-kubelet                                  bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m
99-master-generated-registries                     bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m
99-master-ssh                                                                                 3.2.0             5h12m
99-worker-generated-registries                     bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m
99-worker-selinux-configuration                                                               3.2.0             30s
99-worker-ssh                                                                                 3.2.0             5h12m
rendered-master-8082e6f40921f362f80241e7a6e4cf25   bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m
rendered-worker-4e8572aca0ac8b13dada4b779a5f3c47   bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             25s
rendered-worker-52e1f826aa4be163b248a23f3a144a9c   bd2557a122fbc1831e8c91c28c114382f2d5d44f   3.2.0             5h6m

% oc debug node/sunil49-k5q8r-worker-northcentralus-dkgqr
Starting pod/sunil49-k5q8r-worker-northcentralus-dkgqr-debug ...
...

sh-4.4# cat /etc/crio/crio.conf.d/01-selinux.conf 
[crio.runtime.runtimes.selinux]
runtime_path = "/usr/bin/runc"
runtime_root = "/run/runc"
runtime_type = "oci"
allowed_annotations = ["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"]

% cat selinuxrc.yaml 
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: selinux
# Must match the CRI-O runtime table name, [crio.runtime.runtimes.selinux],
# from the drop-in above; that handler is the only one that allow-lists the
# TrySkipVolumeSELinuxLabel annotation. NOTE(review): since this RuntimeClass
# is what lets a pod request skipping the volume relabel, consider restricting
# which namespaces/users may set runtimeClassName: selinux -- confirm policy.
handler: selinux

% oc create -f selinuxrc.yaml 
runtimeclass.node.k8s.io/selinux created

% oc create -f pv.yaml 
persistentvolume/pv0001 created

% oc create -f pvc.yaml
persistentvolumeclaim/myclaim created

% oc create -f deploy.yaml 
deployment.apps/pv-deploy created

% oc get pods
NAME                         READY   STATUS    RESTARTS   AGE
pv-deploy-787f8469c6-8cj25   1/1     Running   0          5m3s


sh-4.4# runc list | grep -i 3bf3b99207ac6
3bf3b99207ac616a21ce7d05a24a4dc37f025ecaf40f02d37557f4927bb1efc5   6320        running     /run/containers/storage/overlay-containers/3bf3b99207ac616a21ce7d05a24a4dc37f025ecaf40f02d37557f4927bb1efc5/userdata   2022-06-16T10:48:40.538982698Z   root

sh-4.4# chcon -t unlabeled_t /run/containers/storage/overlay-containers/3bf3b99207ac616a21ce7d05a24a4dc37f025ecaf40f02d37557f4927bb1efc5/userdata/config.json

sh-4.4# ls -lZ  /run/containers/storage/overlay-containers/3bf3b99207ac616a21ce7d05a24a4dc37f025ecaf40f02d37557f4927bb1efc5/userdata/config.json
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0 9780 Jun 16 10:48 /run/containers/storage/overlay-containers/3bf3b99207ac616a21ce7d05a24a4dc37f025ecaf40f02d37557f4927bb1efc5/userdata/config.json

Comment 10 errata-xmlrpc 2022-06-30 05:31:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.9.40 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5180

