
Add SELinux labels for kubelet on Fedora CoreOS #95035

Merged
merged 1 commit into from Oct 21, 2020

Conversation

harche
Contributor

@harche harche commented Sep 24, 2020

Signed-off-by: Harshal Patil harpatil@redhat.com

What type of PR is this?

/kind failing-test

What this PR does / why we need it:
After extracting the kubelet binaries on the remote host, but just before starting the tests, this PR will try to set the right SELinux labels on the Fedora CoreOS node.

Which issue(s) this PR fixes:

Fixes #95034

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none Denotes a PR that doesn't merit a release note. kind/failing-test Categorizes issue or PR as related to a consistently or frequently failing test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Sep 24, 2020
@k8s-ci-robot
Contributor

Hi @harche. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Sep 24, 2020
@k8s-ci-robot k8s-ci-robot added area/test sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 24, 2020
@harche harche changed the title [WIP] Add SELinux labels for kubelet on Fedora CoreOS Add SELinux labels for kubelet on Fedora CoreOS Sep 25, 2020
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 25, 2020
@harche
Contributor Author

harche commented Sep 25, 2020

/assign @harche

return prependMemcgNotificationFlag(args), nil
case strings.Contains(output, "fedora"):
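Review bot: `strings.Contains(output, "fedora")` searches the whole os-release text, so it also fires on a derived distribution whose ID_LIKE line mentions fedora, and it covers only Fedora although CentOS, RHEL and RHCOS need the same SELinux step. Suggest comparing the parsed ID= value against an explicit list of the Red Hat family IDs rather than a substring search over the file.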
Contributor

@mrunalp mrunalp Sep 25, 2020

Might as well get rhel and centos, too.

Contributor Author

Thanks, I will add those too.

Contributor Author

I added the check for:

  1. Fedora CoreOS and Fedora - fedora
  2. CentOS - centos
  3. RHEL - rhel
  4. Red Hat Core OS - rhcos

@rphillips
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 25, 2020
@harche
Contributor Author

harche commented Sep 25, 2020

Go playground for testing the regex in this PR, https://play.golang.org/p/WmAZTuFWsBD

@harche
Contributor Author

harche commented Sep 26, 2020

/test pull-kubernetes-e2e-kind

@harche
Contributor Author

harche commented Sep 26, 2020

/test pull-kubernetes-node-crio-e2e

@harche
Contributor Author

harche commented Sep 26, 2020

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 26, 2020
@harche
Contributor Author

harche commented Sep 29, 2020

/test pull-kubernetes-node-crio-e2e

@harche
Contributor Author

harche commented Sep 29, 2020

/test pull-kubernetes-node-crio-e2e

@harche
Contributor Author

harche commented Sep 29, 2020

/test pull-kubernetes-node-crio-e2e

@harche
Contributor Author

harche commented Sep 29, 2020

/test pull-kubernetes-node-crio-cgrpv2-e2e

@dims
Member

dims commented Sep 29, 2020

/lgtm

reapplying LGTM

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 29, 2020
return prependMemcgNotificationFlag(args), nil
case strings.Contains(output, "fedora"), strings.Contains(output, "rhcos"),
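Review bot: this case is order-dependent. `strings.Contains(output, "rhcos")` can only win if no earlier case matched first, and "rhcos" contains "cos", so an earlier `strings.Contains(output, "cos")` case claims RHCOS nodes before control ever reaches this line. Suggest matching the parsed ID= value exactly (`id == "rhcos"`, `id == "fedora"`) instead of substring-searching the whole output, which removes the dependence on case order.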
Member

I guess if the output contains "rhcos", line 112 catches it on strings.Contains(output, "cos") instead of here.
It is better to change the order or check the string strictly.

/cc @oomichi
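
The collision described in this comment, as an added example that is not code from the PR or from the kubernetes repository: `substringDetect` reconstructs the pre-fix, order-dependent `strings.Contains` dispatch (the assumption being that "cos" was tested before "fedora"/"rhcos"), `detectOSID` applies the `(?m)^ID="?(\w+)"?` regex the PR adds to parse the ID field strictly, and `needsSELinuxRelabel` encodes the four IDs the author listed. The os-release samples are constructed for the example, not captured from real hosts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample /etc/os-release contents for the cases discussed in the PR.
// Field values are illustrative only and were not captured from real hosts.
const (
	rhcosRelease = `NAME="Red Hat Enterprise Linux CoreOS"
ID="rhcos"
ID_LIKE="rhel fedora"
VERSION_ID="4.6"
`
	fedoraCoreOSRelease = `NAME=Fedora
VERSION="32 (CoreOS)"
ID=fedora
VERSION_ID=32
VARIANT_ID=coreos
`
	cosRelease = `NAME="Container-Optimized OS"
ID=cos
`
	ubuntuRelease = `NAME="Ubuntu"
ID=ubuntu
ID_LIKE=debian
`
)

// idRe is the regex the PR adds: the ID= field anchored at the start of a line,
// with or without surrounding quotes.
var idRe = regexp.MustCompile(`(?m)^ID="?(\w+)"?`)

// substringOrder reconstructs the pre-fix, order-dependent matching that the
// review comment describes: plain strings.Contains over the whole file, with
// "cos" tested before "fedora" and "rhcos". The exact order is an assumption.
var substringOrder = []string{"cos", "fedora", "rhcos", "ubuntu"}

// substringDetect returns the first needle found anywhere in the file, which is
// why an RHCOS node is reported as "cos": "rhcos" contains "cos".
func substringDetect(osRelease string) string {
	for _, needle := range substringOrder {
		if strings.Contains(osRelease, needle) {
			return needle
		}
	}
	return ""
}

// detectOSID parses the ID= field strictly, so "rhcos" can never be mistaken
// for "cos" and an ID_LIKE=fedora line on a derived distro is not taken as
// ID=fedora. A file without an ID= line is reported as an error rather than
// silently treated as an unknown OS.
func detectOSID(osRelease string) (string, error) {
	m := idRe.FindStringSubmatch(osRelease)
	if m == nil {
		return "", fmt.Errorf("no ID= field found in os-release:\n%s", osRelease)
	}
	return m[1], nil
}

// selinuxRelabelIDs are the IDs the PR author listed as needing the chcon step:
// Fedora (including Fedora CoreOS), CentOS, RHEL and Red Hat CoreOS.
var selinuxRelabelIDs = map[string]bool{
	"fedora": true, "centos": true, "rhel": true, "rhcos": true,
}

// needsSELinuxRelabel reports whether the node tests must relabel the
// extracted kubelet artifacts before running on a node with this OS ID.
func needsSELinuxRelabel(id string) bool {
	return selinuxRelabelIDs[id]
}

func main() {
	samples := map[string]string{
		"rhcos": rhcosRelease, "fedora-coreos": fedoraCoreOSRelease,
		"cos": cosRelease, "ubuntu": ubuntuRelease,
	}
	for name, rel := range samples {
		strict, err := detectOSID(rel)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-14s substring=%-9q strict=%-9q relabel=%v\n",
			name, substringDetect(rel), strict, needsSELinuxRelabel(strict))
	}
}
```

One caveat on the regex itself: `\w` does not match `-`, so an os-release with a hyphenated ID (for example `ID=opensuse-leap`) is captured as `opensuse`. If such distributions can appear in the node pool, widen the capture group to something like `([\w.-]+)`.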

Contributor Author

Thanks @oomichi

Contributor

That's a really good point, if this is order dependent that's a defect waiting to happen in the future.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 6, 2020
Signed-off-by: Harshal Patil <harpatil@redhat.com>
@k8s-ci-robot
Contributor

k8s-ci-robot commented Oct 6, 2020

@harche: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
pull-kubernetes-node-crio-e2e f6ab6ed5d1d0fbcbc83a567a005eb0a8f6a19995 link /test pull-kubernetes-node-crio-e2e
pull-kubernetes-node-crio-cgrpv2-e2e f6ab6ed5d1d0fbcbc83a567a005eb0a8f6a19995 link /test pull-kubernetes-node-crio-cgrpv2-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@harche
Contributor Author

harche commented Oct 7, 2020

/test pull-kubernetes-node-e2e

@harche
Contributor Author

harche commented Oct 7, 2020

/test pull-kubernetes-bazel-build

@harche
Contributor Author

harche commented Oct 7, 2020

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 7, 2020
@rphillips
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 7, 2020
@rphillips
Member

/assign @dims @sjenning

Contributor

@MHBauer MHBauer left a comment

Nit, but overall looks like an improvement.

args = prependMemcgNotificationFlag(args)
return prependCOSMounterFlag(args, host, workspace)
case strings.Contains(output, "ID=ubuntu"):
case strings.Contains(output, "ubuntu"):
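Review bot: dropping the `ID=` prefix widens this case from the ID field to any occurrence of "ubuntu" in the os-release text (NAME= and PRETTY_NAME= included), whereas `ID=ubuntu` at least anchored it to the right field. If the ID is extracted separately in this change, comparing that extracted value for equality (`id == "ubuntu"`) keeps the case strict without the prefix.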
Contributor

why remove the ID=?

Contributor

Ah, down below a stricter regex to find that and pull it out ahead of time.

return "", fmt.Errorf("issue detecting node's OS via node's /etc/os-release. Err: %v, Output:\n%s", err, output)
}

var re = regexp.MustCompile(`(?m)^ID="?(\w+)"?`)
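Review bot: `\w+` does not match `-`, so for an os-release whose ID contains a hyphen (for example `ID=opensuse-leap`) the capture group stops at `opensuse`; if such nodes can appear, widen the group to `([\w.-]+)`. Where this regex is applied, also check the `FindStringSubmatch` result for nil before indexing, since a file without an ID= line would otherwise panic instead of returning the "issue detecting node's OS" error above.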
Contributor

ID= used here instead.

fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "ginkgo")),
fmt.Sprintf("/usr/bin/chcon -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "mounter")),
fmt.Sprintf("/usr/bin/chcon -R -u system_u -r object_r -t bin_t %s", filepath.Join(workspace, "cni", "bin/")),
)
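Review bot: `chcon` only rewrites the file's current security context; a later `restorecon` or full filesystem relabel resets it to the policy default, so this is fine for a throwaway test workspace but should not be read as a persistent fix, and a comment saying so next to these lines would help. It is also worth confirming that ginkgo, mounter and cni/bin are the complete set of artifacts executed from the workspace, since anything left off this list is blocked by SELinux in exactly the way the kubelet was.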
Contributor

I am unfamiliar with SELinux, and so checking my understanding.
These binaries need to be added because they're not part of the distribution itself, and they weren't created on the OS, but were extracted/pushed/pulled from somewhere else.
Is that correct?

Contributor Author

We had to add those SELinux labels explicitly because otherwise SELinux will prevent the execution of those binaries. By default, when you copy those binaries to a certain location on the filesystem, they will not have the required labels.

return prependMemcgNotificationFlag(args), nil
}
return args, nil
}

// setKubeletSELinuxLabels set the appropriate SELinux labels for the
// kubelet on Fedora CoreOS distribution
func setKubeletSELinuxLabels(host, workspace string) error {
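Review bot: the doc comment says "Fedora CoreOS distribution", but per the dispatch discussed in this PR the function is also reached for Fedora, CentOS, RHEL and RHCOS nodes, so the comment should name the whole family. Go doc comments also conventionally use the singular verb form: `// setKubeletSELinuxLabels sets the appropriate SELinux labels ...`.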
Contributor

Function name is more than only the Kubelet. Maybe drop Kubelet to setSELinuxLabels?

@@ -134,7 +169,7 @@ func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePr
// Kill any running node processes
cleanupNodeProcesses(host)

testArgs, err := updateOSSpecificKubeletFlags(testArgs, host, workspace)
testArgs, err := osSpecificActions(testArgs, host, workspace)
Contributor

Probably a better name now.

@sjenning
Contributor

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, harche, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 21, 2020
@k8s-ci-robot k8s-ci-robot merged commit 5d49a62 into kubernetes:master Oct 21, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.20 milestone Oct 21, 2020
Successfully merging this pull request may close these issues.

Incorrect SELinux labels for kubelet artifacts for node tests on Fedora CoreOS