etcd pause container fails to start due to SELinux error on CoreOS #269
Assignees
Labels
Comments
|
Is this a dupe of #215? |
|
Currently we say that you should do |
|
@luxas Nope. This happens even when you use |
|
|
EDIT: This is a coincidental error message as it happens even if you omit the spc_t option (and the container starts fine). |
|
You'd likely need to update selinux policy... |
|
@mikesimons Thanks for the report! I'm not familiar with SELinux, can someone else chime in? |
|
Most likely the container platform does not understand what an spc_t type is, or something along those lines. If this system has audit running see if you can get this output. grep spc_t /var/log/audit/audit.log* Otherwise look for it in /var/log/messages or dmesg dmesg | grep spc_t |
|
@rhatdan I can't get coreos to give me an audit log but there are some audit related things in journalctl. I can find no logs containing spc_t at all (No /var/log/audit gets created, journalctl has logs as below and dmesg looks much like journalctl without some of the service logs) |
|
This looks like the command is trying to execute containers as "\n", and this is not a valid label. I have no idea how good CoreOS is at supporting SELinux. So I am not really able to help. |
|
@mikesimons Audit logs are off by default. Our selinux page has instructions for turning them on. It's true that we don't have an However, it seems like there should be a much easier fix: just deleting that label. Assuming it works, that would be both more secure and should work on more selinux configurations. |
|
Threw up a PR kubernetes/kubernetes#49328 |
k8s-github-robot
pushed a commit
to kubernetes/kubernetes
that referenced
this issue
Jul 21, 2017
Automatic merge from submit-queue (batch tested with PRs 49328, 49285, 49307, 49127, 49163) kubeadm: don't customize etcd selinux label The original change that added the unconfined label included a comment indicating it won't be needed in the future. See: #33555 (comment) That time is now. #33663 has landed and means we no longer have to go out of our way to make that work. Removing the label also increases security since there wasn't really a good reason for etcd to be run with such broad selinux privileges. This also will allow kubeadm to avoid errors on distros without an spc_t type, such as Gentoo and Container Linux (at the time of writing at least). Fixes kubernetes/kubeadm#269 **Release note**: ```release-note NONE ```
luxas
pushed a commit
to luxas/kubernetes
that referenced
this issue
Jul 25, 2017
The original change that added the unconfined label included a comment indicating it won't be needed in the future. See: kubernetes#33555 (comment) That time is now. kubernetes#33663 has landed and means we no longer have to go out of our way to make that work. Removing the label also increases security since there wasn't really a good reason for etcd to be run with such broad selinux privileges. This also will allow kubeadm to avoid errors on distros without an spc_t type, such as Gentoo and Container Linux (at the time of writing at least). Fixes kubernetes/kubeadm#269
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Versions
kubeadm version:
Environment:
uname -a):What happened?
Attempting
kubeadm initthe process stalls atwaiting for the control plane to become ready. The etcd pause container is crashlooping with the following error:SELinux is set to Permissive and the docker daemon has
--selinux-enabled.The following error appears in journalctl for each time the container crashes:EDIT: This is coincidental as it happens without spc_t too (where the container launches successfully)
What you expected to happen?
For it not to be crashlooping
How to reproduce it (as minimally and precisely as possible)?
docker infoshowsselinuxin the Security Options field.docker run --name=k8s_etcd_test --detach=true --security-opt "label=type:spc_t" --security-opt "seccomp=unconfined" gcr.io/google_containers/pause-amd64:3.0.Labels are set on the pod here: https://github.com/kubernetes/kubernetes/blob/2c05234674d0d59d24ac322e07c5f6c9267c1e5f/cmd/kubeadm/app/master/manifests.go#L128
I don't know enough about SELinux to suggest what might fix this but perhaps only adding the labels if SELinux is enforcing might work?
Anything else we need to know?
CoreOS uses a wrapper script (
/usr/lib/coreos/dockerd) to set --selinux-enabled by default. Running the docker daemon without --selinux-enabled or starting the container without thetype:spc_tlabel resolves the issue. Setting selinux enforcing to permissive does not.Workaround for using kubeadm on CoreOS
Run docker without --selinux-enabled by bypassing the coreos wrapper script:
cp /usr/lib/systemd/system/docker.service /etc/systemd/system/docker.servicesed -i -e 's/lib\/coreos/bin/g' /etc/systemd/system/docker.servicesystemctl daemon-reload && systemctl restart dockerThe text was updated successfully, but these errors were encountered: