ironic containers running under the metal3-baremetal-operator pod are crash-looping #703
Comments
I managed to get the ironic containers running on the master node after:
avc denials:
[root@rhhi-node-master-0 core]# modprobe ip_tables
[root@rhhi-node-master-0 core]# lsmod | grep iptable
[root@rhhi-node-master-0 core]# setenforce 0
[root@rhhi-node-master-0 core]# lsmod | grep iptable
iptable_filter 16384 1
ip_tables 28672 1 iptable_filter
[root@rhhi-node-master-0 core]# dmesg | grep denied
[ 3505.474392] audit: type=1400 audit(1564448204.432:5): avc: denied { module_request } for pid=98308 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3505.481231] audit: type=1400 audit(1564448204.433:6): avc: denied { module_request } for pid=98308 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3505.486755] audit: type=1400 audit(1564448204.435:7): avc: denied { module_request } for pid=98309 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3505.491788] audit: type=1400 audit(1564448204.435:8): avc: denied { module_request } for pid=98309 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3587.168118] audit: type=1400 audit(1564448286.124:9): avc: denied { module_request } for pid=104037 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3587.176576] audit: type=1400 audit(1564448286.124:10): avc: denied { module_request } for pid=104037 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3587.184230] audit: type=1400 audit(1564448286.127:11): avc: denied { module_request } for pid=104038 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3587.191919] audit: type=1400 audit(1564448286.127:12): avc: denied { module_request } for pid=104038 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3589.014374] audit: type=1400 audit(1564448287.971:13): avc: denied { module_request } for pid=104166 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3589.024676] audit: type=1400 audit(1564448287.973:14): avc: denied { module_request } for pid=104166 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3589.033340] audit: type=1400 audit(1564448287.979:15): avc: denied { module_request } for pid=104167 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3589.042370] audit: type=1400 audit(1564448287.979:16): avc: denied { module_request } for pid=104167 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[ 3600.827937] audit: type=1400 audit(1564448299.783:20): avc: denied { module_request } for pid=105038 comm="iptables" kmod="iptable_filter" scontext=system_u:system_r:container_t:s0:c105,c202 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
I would prefer that we remove all
I'm having the same issue in a baremetal deployment (and fixed with the modprobe and disable SELinux thing).
Do we need those for the podman-run containers on the provisioning host? Should we add a switch to enable/disable them instead of just removing them?
Soon none of them will be running on the provisioning host once ironic is moved into the bootstrap VM.
Same as metal3-io/ironic-image#82?
Is this still an issue?
Nope, closed.
Describe the bug
ironic containers running under the metal3-baremetal-operator pod are crash-looping. After running make:
To Reproduce
Deploy a 3-node cluster with the following config:
Expected/observed behavior
Deployment completes successfully but the ironic containers running under the baremetal-operator pod are crash-looping
Additional context