local-path-provisioner
SELinux Enforcing svirt_sandbox_file_t
Fedora CoreOS k8s workers are configured for SELinux enforcing and targeted.
```
$ getenforce
Enforcing
$ cat config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
Hence the provisioner fails.
```
$ kubectl -n local-path-storage logs -f -l app=local-path-provisioner
time="2020-06-28T15:30:36Z" level=debug msg="Applied config: {"nodePathMap":[{"node":"DEFAULT_PATH_FOR_NON_LISTED_NODES","paths":["/opt/local-path-provisioner"]}]}"
time="2020-06-28T15:30:36Z" level=debug msg="Provisioner started"
I0628 15:30:36.501575 1 leaderelection.go:242] attempting to acquire leader lease local-path-storage/rancher.io-local-path...
I0628 15:30:36.512557 1 leaderelection.go:252] successfully acquired lease local-path-storage/rancher.io-local-path
I0628 15:30:36.512670 1 controller.go:773] Starting provisioner controller rancher.io/local-path_local-path-provisioner-7d9c4586c4-wn4gf_05ccae49-b604-4382-9ee4-3d05b756eaae!
I0628 15:30:36.512705 1 event.go:281] Event(v1.ObjectReference{Kind:"Endpoints", Namespace:"local-path-storage", Name:"rancher.io-local-path", UID:"1f312ff1-c033-4694-9370-038115619ce3", APIVersion:"v1", ResourceVersion:"13063", FieldPath:""}): type: 'Normal' reason: 'LeaderElection' local-path-provisioner-7d9c4586c4-wn4gf_05ccae49-b604-4382-9ee4-3d05b756eaae became leader
I0628 15:30:36.613038 1 controller.go:822] Started provisioner controller rancher.io/local-path_local-path-provisioner-7d9c4586c4-wn4gf_05ccae49-b604-4382-9ee4-3d05b756eaae!
I0628 15:32:00.514098 1 controller.go:1202] provision "default/local-path-pvc" class "local-path": started
time="2020-06-28T15:32:00Z" level=debug msg="config doesn't contain node node2.sabana.com, use DEFAULT_PATH_FOR_NON_LISTED_NODES instead"
time="2020-06-28T15:32:00Z" level=info msg="Creating volume pvc-aa210b4a-8d39-4789-b212-bf512a42cadf at node2.sabana.com:/opt/local-path-provisioner/pvc-aa210b4a-8d39-4789-b212-bf512a42cadf_default_local-path-pvc"
I0628 15:32:00.523203 1 event.go:281] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"local-path-pvc", UID:"aa210b4a-8d39-4789-b212-bf512a42cadf", APIVersion:"v1", ResourceVersion:"13313", FieldPath:""}): type: 'Normal' reason: 'Provisioning' External provisioner is provisioning volume for claim "default/local-path-pvc"
W0628 15:34:01.062196 1 controller.go:893] Retrying syncing claim "aa210b4a-8d39-4789-b212-bf512a42cadf" because failures 0 < threshold 15
```
Checking journalctl on the node shows the SELinux denial.
```
Jun 28 15:59:49 node2.sabana.com kernel: audit: type=1400 audit(1593359989.624:987): avc:  denied  { write } for  pid=123863 comm="mkdir" name="local-path-provisioner" dev="nvme0n1p4" ino=478150853 scontext=system_u:system_r:container_t:s0:c781,c881 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
```
To resolve this, the /opt/local-path-provisioner context needs to be svirt_sandbox_file_t.
The workaround appears to be to create the path and set its context with chcon before using the provisioner.
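As an added example (not part of this issue or of the local-path-provisioner project), a POSIX shell script that pulls the denied target type out of an AVC line like the one above and prepares the provisioner path with the expected label before the provisioner runs; the function names and the constructed sample line are assumptions of this example. svirt_sandbox_file_t is an alias of container_file_t in current container-selinux policy, so the script treats either type as already correct.

```shell
#!/bin/sh
# Added example, not code from the local-path-provisioner project.
# Parses an AVC denial of the kind quoted in this issue and prepares the
# /opt/local-path-provisioner directory with a container-accessible label.

# Extract one key=value field (tcontext, scontext, tclass, comm, ...) from an
# AVC line, stripping surrounding quotes if present.  $1 = key, $2 = line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Return the type component (third colon-separated field) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Constructed sample: the denial quoted in the issue, trimmed to its AVC part.
SAMPLE_AVC='avc: denied { write } for pid=123863 comm="mkdir" name="local-path-provisioner" dev="nvme0n1p4" ino=478150853 scontext=system_u:system_r:container_t:s0:c781,c881 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0'

# Create the provisioner path and relabel it only when its current type is not
# already container-accessible.  Meant to run as root on the worker node; on a
# host without SELinux, stat prints "?" and chcon is simply attempted.
prepare_provisioner_path() {
    path="${1:-/opt/local-path-provisioner}"
    want="${2:-svirt_sandbox_file_t}"
    mkdir -p "$path"
    have=$(ctx_type "$(stat -c %C "$path" 2>/dev/null || echo '?')")
    if [ "$have" != "$want" ] && [ "$have" != "container_file_t" ]; then
        chcon -Rt "$want" "$path"
    fi
    # Show the resulting label so the change can be verified in the run log.
    ls -Zd "$path"
}

# Diagnostic helper: given an AVC line, print what was denied and on which type,
# e.g. "container_t denied write on dir labelled var_t" for the sample above.
explain_denial() {
    src=$(ctx_type "$(avc_field scontext "$1")")
    dst=$(ctx_type "$(avc_field tcontext "$1")")
    cls=$(avc_field tclass "$1")
    perm=$(printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr -d ' ')
    printf '%s denied %s on %s labelled %s\n' "$src" "$perm" "$cls" "$dst"
}
```

Run `explain_denial "$(journalctl -k | grep 'avc:  denied' | tail -n1)"` on the node to confirm the mismatch before applying `prepare_provisioner_path`.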