This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

*: package rkt for Fedora #1304

Open
1 of 3 tasks
jonboulle opened this issue Aug 19, 2015 · 24 comments

Comments

@jonboulle
Contributor

jonboulle commented Aug 19, 2015

Ticket to track the progress of rkt being packaged for Fedora.

This will not be performed by the rkt team, but this issue should track any work that needs to happen to unblock packaging.

Upstream Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1169966
Upstream package page: https://apps.fedoraproject.org/packages/rkt
Repo for rkt RPM: https://github.com/fedora-cloud/rkt-rpm

Current status: packaged, but outstanding issues:

@jonboulle
Contributor Author

From #686 (comment):

> We've been working the last few days in rkt-rpm. rkt itself has offered a configure option --with-stage1=host which removes the bundled systemd files and depends on systemd from the host at runtime. The stage1.aci drops from ~117 files to 26, and it appears that none of them come from outside the source tree.
>
> Remaining we have 63 go packages in Godeps. These are checked into the rkt source tree, so their stability WRT rkt is not in question, but Godeps are still frowned upon in favor of external golang src packages. We may try to get it accepted as is and see if the Godeps will be accepted.

@iaguis iaguis added this to the v0.9.0 milestone Aug 27, 2015
@jonboulle jonboulle modified the milestones: v1.0.0, v0.9.0 Oct 1, 2015
@alban
Member

alban commented Oct 15, 2015

About the packages in Godeps, the situation changed in Fedora: http://lwn.net/Articles/660429/

@alban
Member

alban commented Nov 9, 2015

@lsm5 @markllama any news on this?

Also, do you think the rkt package would benefit from https://fedoraproject.org/wiki/Jenkins@infra?

@lsm5
Contributor

lsm5 commented Nov 11, 2015

On Mon, Nov 09, 2015 at 02:41:28AM -0800, Alban Crequy wrote:

> @lsm5 @markllama any news on this?

None from my side so far :( . I'll try and resume this ASAP, though if you have/know someone who can resume this right away, feel free to send them my way.

> Also, do you think the rkt package would benefit from https://fedoraproject.org/wiki/Jenkins@infra?

Oooh, I wasn't aware we (Fedora) got our own Jenkins setup, thanks for the pointer :). I guess quite likely rkt would benefit from it, though I'm not sure at this point if it's only for packages already in Fedora or if Fedora COPR can use it too.


Lokesh
Freenode: lsm5
GPG: 0xC7C3A0DD

@alban
Member

alban commented Dec 20, 2015

> Oooh, I wasn't aware we (Fedora) got our own Jenkins setup, thanks for the pointer :). I guess quite likely rkt would benefit from it, though I'm not sure at this point if it's only for packages already in Fedora or if Fedora COPR can use it too.

I guess we can just create the ticket and ask if it is possible for packages not yet in Fedora. Do you want to do it? I could do it if you would like.

@alban
Member

alban commented Dec 28, 2015

I went ahead and created https://fedorahosted.org/fedora-infrastructure/ticket/5046

@lsm5
Contributor

lsm5 commented Jan 14, 2016

Package has been approved :)

@alban
Member

alban commented Jan 18, 2016

Thanks!

When will it be available through "dnf install rkt" in Fedora 23?

Where should packaging issues for rkt in Fedora be filed? Should we use https://github.com/fedora-cloud/rkt-rpm/issues or https://bugzilla.redhat.com/?

@lsm5
Contributor

lsm5 commented Jan 19, 2016

https://bugzilla.redhat.com. I'd quite likely be ignoring @fedora-cloud/rkt-rpm for the most part. Re: Fedora 23 availability, I'd say as soon as we can resolve the SELinux issues. I'll try and work on it this week; I gotta start SELinux from scratch, maybe Dan Walsh will beat me to it.

@iaguis iaguis modified the milestones: v1+, v1.0.0 Jan 26, 2016
@chancez
Contributor

chancez commented Feb 3, 2016

Looks like https://apps.fedoraproject.org/packages/rkt is on rawhide? Is that accurate @lsm5 ?

@jonboulle
Contributor Author

See #1727 and #1978

@jonboulle jonboulle modified the milestones: v1.1.0, v1+ Feb 3, 2016
@alban
Member

alban commented Feb 3, 2016

@chancez Yes, the RPM is in Fedora-Rawhide, but not Fedora-22 or Fedora-23. But as @jonboulle mentioned, it does not work out of the box because of SELinux.

@alban
Member

alban commented Feb 3, 2016

$ grep VERSION /etc/os-release
VERSION="24 (Cloud Edition)"
VERSION_ID=24
REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide
REDHAT_SUPPORT_PRODUCT_VERSION=rawhide

$ dnf info rkt
Last metadata expiration check performed 0:02:05 ago on Wed Feb  3 10:54:08 2016.
Available Packages
Name        : rkt
Arch        : x86_64
Epoch       : 0
Version     : 0.16.0
Release     : 4.git646746d.fc24
Size        : 20 M
Repo        : rawhide
Summary     : CLI for running app containers
URL         : https://github.com/coreos/rkt
License     : ASL 2.0
Description : CLI for running app containers

@alban
Member

alban commented Feb 23, 2016

Caveats on Fedora documented on:
https://github.com/coreos/rkt/blob/master/Documentation/distributions.md#fedora

See also the Fedora firewall caveat: #2206

I updated the description of this issue.

@lsm5
Contributor

lsm5 commented Feb 24, 2016

On one laptop of mine, running the rkt binary gave me a segfault. I disabled SELinux in the config and now it doesn't wanna reboot o_O. Not sure if it's a kernel problem or what. I did run strace on rkt before the reboot and it said no such file or dir on some FIPS file; I'll open an issue once I can reproduce it.

@alban alban modified the milestones: v1.2.0, v1.1.0 Feb 24, 2016
@lsm5
Contributor

lsm5 commented Feb 24, 2016

tail end of strace for rkt-1.0.0-10.git9003f4a.fc24.x86_64

access("/etc/selinux/config", F_OK)     = 0
access("/etc/system-fips", F_OK)        = -1 ENOENT (No such file or directory)
sched_getaffinity(0, 8192, [0 1])       = 8
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault

This only happens on some of my machines, but seems fine on others.

@lsm5
Contributor

lsm5 commented Feb 24, 2016

hmm, the segfault doesn't seem to occur with the latest rkt-1.0.0-12.git07235a7.fc24.x86_64 which I built moments ago.

@iaguis iaguis added this to the v1.3.0 milestone Mar 18, 2016
@iaguis iaguis removed this from the v1.2.0 milestone Mar 18, 2016
@alban alban modified the milestones: v1.4.0, v1.3.0 Mar 31, 2016
@iaguis iaguis modified the milestones: v1.6.0, v1.4.0 Apr 14, 2016
@jonboulle jonboulle modified the milestones: v1+, v1.6.0 May 12, 2016
@jonboulle
Contributor Author

Removing from specific milestone, there are a few external dependencies

@artem-sidorenko
Contributor

I created a project on OBS, primarily for myself and my chef-rkt cookbook.

I plan to maintain these packages as long as rkt isn't available via distributions. There are plans to add some additional tools like actool to this repository.

If you want to use it, feel free to do so.

@iaguis
Member

iaguis commented Jul 12, 2016

Patches were sent for overlay+SELinux to the kernel mailing list https://lkml.org/lkml/2016/7/5/409 🎉

@kushaldas

I was trying out rkt-v1.14.0 on a Fedora 24 cloud VM today. I had to copy init/systemd/* to /usr/lib/systemd/ first, and then execute sudo ./scripts/setup-data-dir.sh.

Without SELinux disabled, I am getting the following output.

$ sudo ./rkt --insecure-options=image run ../hello/hello-0.0.1-linux-amd64.aci
image: using image from local store for image name coreos.com/rkt/stage1-coreos:1.14.0
image: using image from file ../hello/hello-0.0.1-linux-amd64.aci
networking: loading networks from /etc/rkt/net.d
networking: loading network default with type ptp
Failed to take lock: Permission denied
/reaper.sh: line 13: /rkt/status/hello: Permission denied
Error: Unable to determine interpreter for "/bin/hello"

Disabling SELinux helped it to run normally.

@kushaldas

From the audit.log

type=USER_CMD msg=audit(1473419895.803:729): pid=9644 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/fedora/rkt-v1.14.0" cmd=2E2F726B74202D2D696E7365637572652D6F7074696F6E733D696D616765202D2D64656275672072756E202E2E2F68656C6C6F2F68656C6C6F2D302E302E312D6C696E75782D616D6436342E616369 terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1473419895.803:730): pid=9644 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1473419895.805:731): pid=9644 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_limits,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=NETFILTER_CFG msg=audit(1473419896.534:732): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1473419896.537:733): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1473419896.561:734): table=nat family=2 entries=25
type=NETFILTER_CFG msg=audit(1473419896.563:735): table=nat family=2 entries=27
type=NETFILTER_CFG msg=audit(1473419896.566:736): table=nat family=2 entries=28
type=NETFILTER_CFG msg=audit(1473419896.568:737): table=nat family=2 entries=29
type=LOGIN msg=audit(1473419896.590:738): pid=9678 uid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 old-auid=1000 auid=4294967295 old-ses=3 ses=4294967295 res=1
type=AVC msg=audit(1473419896.609:739): avc:  denied  { create } for  pid=9679 comm="systemd" name="blk" scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c489,c557 tclass=blk_file permissive=0
type=AVC msg=audit(1473419896.610:740): avc:  denied  { write } for  pid=9679 comm="systemd" name="machine-id" dev="vda1" ino=395778 scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=unconfined_u:object_r:container_image_t:s0 tclass=file permissive=0
type=AVC msg=audit(1473419896.610:741): avc:  denied  { write } for  pid=9679 comm="systemd" name="max_dgram_qlen" dev="proc" ino=33466 scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=0
type=AVC msg=audit(1473419896.626:742): avc:  denied  { write } for  pid=9680 comm="systemd-sysuser" name="etc" dev="vda1" ino=395776 scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=unconfined_u:object_r:container_image_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1473419896.681:743): avc:  denied  { sendto } for  pid=9679 comm="systemd" path="/systemd/nspawn/notify" scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1473419896.724:744): avc:  denied  { write } for  pid=9689 comm="reaper.sh" name="status" dev="vda1" ino=395735 scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=unconfined_u:object_r:container_image_t:s0 tclass=dir permissive=0
type=USER_END msg=audit(1473419896.818:745): pid=9644 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_limits,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CRED_DISP msg=audit(1473419896.818:746): pid=9644 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'

@kushaldas

Even with --no-overlay=true I am getting the following in the audit.log

type=USER_CMD msg=audit(1473426144.485:885): pid=9940 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/fedora/rkt-v1.14.0" cmd=2E2F726B74202D2D696E7365637572652D6F7074696F6E733D696D616765202D2D6465627567202D2D6E6F2D6F7665726C61793D747275652072756E202E2E2F68656C6C6F2F68656C6C6F2D302E302E312D6C696E75782D616D6436342E616369 terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1473426144.485:886): pid=9940 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1473426144.487:887): pid=9940 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_limits,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=NETFILTER_CFG msg=audit(1473426145.373:888): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1473426145.375:889): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1473426145.397:890): table=nat family=2 entries=35
type=NETFILTER_CFG msg=audit(1473426145.399:891): table=nat family=2 entries=37
type=NETFILTER_CFG msg=audit(1473426145.401:892): table=nat family=2 entries=38
type=NETFILTER_CFG msg=audit(1473426145.403:893): table=nat family=2 entries=39
type=LOGIN msg=audit(1473426145.425:894): pid=9982 uid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 old-auid=1000 auid=4294967295 old-ses=3 ses=4294967295 res=1
type=AVC msg=audit(1473426145.442:895): avc:  denied  { create } for  pid=9983 comm="systemd" name="blk" scontext=system_u:system_r:svirt_lxc_net_t:s0:c95,c714 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c95,c714 tclass=blk_file permissive=0
type=AVC msg=audit(1473426145.444:896): avc:  denied  { write } for  pid=9983 comm="systemd" name="max_dgram_qlen" dev="proc" ino=36320 scontext=system_u:system_r:svirt_lxc_net_t:s0:c95,c714 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=0
type=AVC msg=audit(1473426145.532:897): avc:  denied  { sendto } for  pid=9983 comm="systemd" path="/systemd/nspawn/notify" scontext=system_u:system_r:svirt_lxc_net_t:s0:c95,c714 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=USER_END msg=audit(1473426145.677:898): pid=9940 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_limits,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CRED_DISP msg=audit(1473426145.677:899): pid=9940 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
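
The two audit.log excerpts above are easier to reason about once the AVC records are reduced to (source type, class, permission, target type) tuples and the hex-encoded `cmd=` field of the USER_CMD record is decoded. The script below is an added example written for this page, not code from the rkt project or from any participant in the thread; it uses only the Python standard library, and its sample input consists of the AVC and USER_CMD records copied from the two runs above (with overlay, then with --no-overlay=true), trimmed to the relevant lines. The function and variable names are the example's own.

```python
"""Summarize enforced SELinux AVC denials from a Linux audit log.

Added example for this thread (not rkt project code): parses the audit.log
records posted above, decodes the hex-encoded cmd= field of the USER_CMD
record, and groups enforced denials so you can see exactly what a policy
module would have to allow before handing anything to audit2allow.
"""
import re
from collections import Counter

# Constructed sample: records copied from the two runs posted in this thread,
# trimmed to the USER_CMD line and the AVC denials.
WITH_OVERLAY = r"""
type=USER_CMD msg=audit(1473419895.803:729): pid=9644 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/fedora/rkt-v1.14.0" cmd=2E2F726B74202D2D696E7365637572652D6F7074696F6E733D696D616765202D2D64656275672072756E202E2E2F68656C6C6F2F68656C6C6F2D302E302E312D6C696E75782D616D6436342E616369 terminal=pts/1 res=success'
type=AVC msg=audit(1473419896.609:739): avc:  denied  { create } for  pid=9679 comm="systemd" name="blk" scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c489,c557 tclass=blk_file permissive=0
type=AVC msg=audit(1473419896.610:740): avc:  denied  { write } for  pid=9679 comm="systemd" name="machine-id" dev="vda1" ino=395778 scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=unconfined_u:object_r:container_image_t:s0 tclass=file permissive=0
type=AVC msg=audit(1473419896.610:741): avc:  denied  { write } for  pid=9679 comm="systemd" name="max_dgram_qlen" dev="proc" ino=33466 scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=0
type=AVC msg=audit(1473419896.626:742): avc:  denied  { write } for  pid=9680 comm="systemd-sysuser" name="etc" dev="vda1" ino=395776 scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=unconfined_u:object_r:container_image_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1473419896.681:743): avc:  denied  { sendto } for  pid=9679 comm="systemd" path="/systemd/nspawn/notify" scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1473419896.724:744): avc:  denied  { write } for  pid=9689 comm="reaper.sh" name="status" dev="vda1" ino=395735 scontext=system_u:system_r:svirt_lxc_net_t:s0:c489,c557 tcontext=unconfined_u:object_r:container_image_t:s0 tclass=dir permissive=0
"""

NO_OVERLAY = r"""
type=USER_CMD msg=audit(1473426144.485:885): pid=9940 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/fedora/rkt-v1.14.0" cmd=2E2F726B74202D2D696E7365637572652D6F7074696F6E733D696D616765202D2D6465627567202D2D6E6F2D6F7665726C61793D747275652072756E202E2E2F68656C6C6F2F68656C6C6F2D302E302E312D6C696E75782D616D6436342E616369 terminal=pts/1 res=success'
type=AVC msg=audit(1473426145.442:895): avc:  denied  { create } for  pid=9983 comm="systemd" name="blk" scontext=system_u:system_r:svirt_lxc_net_t:s0:c95,c714 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c95,c714 tclass=blk_file permissive=0
type=AVC msg=audit(1473426145.444:896): avc:  denied  { write } for  pid=9983 comm="systemd" name="max_dgram_qlen" dev="proc" ino=36320 scontext=system_u:system_r:svirt_lxc_net_t:s0:c95,c714 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file permissive=0
type=AVC msg=audit(1473426145.532:897): avc:  denied  { sendto } for  pid=9983 comm="systemd" path="/systemd/nspawn/notify" scontext=system_u:system_r:svirt_lxc_net_t:s0:c95,c714 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CMD_RE = re.compile(r"\bcmd=([0-9A-Fa-f]+)")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name") or fields.get("path"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 would mean the access was logged but still allowed
        "enforced": fields.get("permissive", "0") == "0",
    }


def decode_cmd(log_text):
    """Decode the hex-encoded cmd= value of the first USER_CMD record found.

    auditd hex-encodes field values that contain spaces or quotes."""
    m = CMD_RE.search(log_text)
    if m is None:
        return None
    return bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")


def summarize(log_text):
    """Count enforced denials keyed by (source type, class, permission, target type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["enforced"]:
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["tclass"], perm, rec["ttype"])] += 1
    return counts


def denials_removed(before, after):
    """Denial keys present in `before` that no longer occur in `after`."""
    return sorted(set(summarize(before)) - set(summarize(after)))


if __name__ == "__main__":
    for label, log in (("overlay", WITH_OVERLAY), ("--no-overlay=true", NO_OVERLAY)):
        print(f"== {label}: {decode_cmd(log)}")
        for (stype, tclass, perm, ttype), n in sorted(summarize(log).items()):
            print(f"  {n}x {stype} {perm} {tclass} -> {ttype}")
    print("removed by --no-overlay:", denials_removed(WITH_OVERLAY, NO_OVERLAY))
```

Run against the two excerpts, the diff shows that --no-overlay=true removes only the write denials against container_image_t-labelled paths (machine-id, etc, status); the blk_file create, the sysctl write and the sendto to the nspawn notify socket remain. That is worth reading before reaching for `audit2allow -M`, which would turn every line into an allow rule: a rule letting svirt_lxc_net_t sendto any unconfined_t unix_dgram_socket is far broader than the single notify socket that triggered it.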

@kushaldas

I have also filed a bug with SELinux issues in RH bugzilla.


No branches or pull requests

7 participants