From a4cd6f13c87bc7858bfbe8498039beae04e56719 Mon Sep 17 00:00:00 2001
From: Harshal Patil
Date: Thu, 24 Sep 2020 20:26:20 +0530
Subject: [PATCH] Add SELinux labels for kubelet on Fedora CoreOS
Signed-off-by: Harshal Patil
---
 test/e2e_node/remote/node_e2e.go | 49 +++++++++++++++++++++++++++-----
 1 file changed, 42 insertions(+), 7 deletions(-)
diff --git a/test/e2e_node/remote/node_e2e.go b/test/e2e_node/remote/node_e2e.go
index ef192d881f73..02e87ed0a925 100644
--- a/test/e2e_node/remote/node_e2e.go
+++ b/test/e2e_node/remote/node_e2e.go
@@ -21,6 +21,7 @@ import (
 "os"
 "os/exec"
 "path/filepath"
+ "regexp"
 "strings"
 "time"
 
@@ -101,23 +102,57 @@ func prependMemcgNotificationFlag(args string) string {
 return "--kubelet-flags=--kernel-memcg-notification=true " + args
 }
 
-// updateOSSpecificKubeletFlags updates the Kubelet args with OS specific
-// settings.
-func updateOSSpecificKubeletFlags(args, host, workspace string) (string, error) {
- output, err := SSH(host, "cat", "/etc/os-release")
+// osSpecificActions takes OS specific actions required for the node tests
+func osSpecificActions(args, host, workspace string) (string, error) {
+ output, err := getOSDistribution(host)
 if err != nil {
 return "", fmt.Errorf("issue detecting node's OS via node's /etc/os-release. Err: %v, Output:\n%s", err, output)
 }
 switch {
- case strings.Contains(output, "ID=gci"), strings.Contains(output, "ID=cos"):
+ case strings.Contains(output, "fedora"), strings.Contains(output, "rhcos"),
+ strings.Contains(output, "centos"), strings.Contains(output, "rhel"):
+ return args, setKubeletSELinuxLabels(host, workspace)
+ case strings.Contains(output, "gci"), strings.Contains(output, "cos"):
 args = prependMemcgNotificationFlag(args)
 return prependCOSMounterFlag(args, host, workspace)
- case strings.Contains(output, "ID=ubuntu"):
+ case strings.Contains(output, "ubuntu"):
 return prependMemcgNotificationFlag(args), nil
 }
 return args, nil
 }
 
+// setKubeletSELinuxLabels set the appropriate SELinux labels for the
+// kubelet on Fedora CoreOS distribution
+func setKubeletSELinuxLabels(host, workspace string) error {
+ cmd := getSSHCommand(" && ",
+ fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "kubelet")),
+ fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "e2e_node.test")),
+ fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "ginkgo")),
+ fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "mounter")),
+ fmt.Sprintf("/usr/bin/chcon -R -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "cni", "bin/")),
+ )
+ output, err := SSH(host, "sh", "-c", cmd)
+ if err != nil {
+ return fmt.Errorf("Unable to apply SELinux labels. Err: %v, Output:\n%s", err, output)
+ }
+ return nil
+}
+
+func getOSDistribution(host string) (string, error) {
+ output, err := SSH(host, "cat", "/etc/os-release")
+ if err != nil {
+ return "", fmt.Errorf("issue detecting node's OS via node's /etc/os-release. Err: %v, Output:\n%s", err, output)
+ }
+
+ var re = regexp.MustCompile(`(?m)^ID="?(\w+)"?`)
+ subMatch := re.FindStringSubmatch(output)
+ if len(subMatch) > 0 {
+ return subMatch[1], nil
+ }
+
+ return "", fmt.Errorf("Unable to parse os-release for the host, %s", host)
+}
+
 // RunTest runs test on the node.
 func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePrefix, testArgs, ginkgoArgs, systemSpecName, extraEnvs string, timeout time.Duration) (string, error) {
 // Install the cni plugins and add a basic CNI configuration.
@@ -134,7 +169,7 @@ func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePr
 // Kill any running node processes
 cleanupNodeProcesses(host)
 
- testArgs, err := updateOSSpecificKubeletFlags(testArgs, host, workspace)
+ testArgs, err := osSpecificActions(testArgs, host, workspace)
 if err != nil {
 return "", err
 }
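Review bot: The switch in osSpecificActions still uses `strings.Contains` although getOSDistribution now returns only the ID value, so the match is a loose substring test: `rhcos` contains `cos`, and the Red Hat family gets the SELinux labels rather than the COS mounter flags only because its case is listed first. Comparing the parsed ID exactly removes that ordering dependency, e.g. `switch output {` with `case "fedora", "rhcos", "centos", "rhel":`, and the gci/cos and ubuntu cases written the same way. The pattern `(?m)^ID="?(\w+)"?` stops at the first character outside `\w`, so an ID containing a hyphen or a dot would come back truncated; with exact matching that deserves a comment or a wider character class. Separately, setKubeletSELinuxLabels interpolates `workspace` unquoted into a string run through `sh -c`; where that path comes from is not visible in this hunk, so quoting it would be a cheap safeguard.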