cluster/plan: don't relabel /lib/modules by default #2214
As this logic went, it would relabel /lib/modules, except on enterprise linux and when SELinux is enabled (even just permissive).

Flatcar Container Linux defaults to SELinux on, but permissive, and `/lib/modules/` is a symlink to the read-only `/usr`. So `./rke up` would fail on attempting to relabel /usr.

The prior workaround is to set `SELINUX=disable` in /etc/selinux/config.

Signed-off-by: Vincent Batts <vbatts@kinvolk.io>
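A host pre-check for the condition this description reports, as an added example that is not part of the PR or of rke: it reports whether `/lib/modules` resolves onto a read-only mount while SELinux is on (permissive included). The function names are hypothetical, and the mounts file is assumed to be in `/proc/mounts` format.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not rke code).

# Print the mount options of the longest mount point in MOUNTS_FILE that contains PATH.
# Mount points containing spaces (escaped as \040 in /proc/mounts) are not handled.
mount_opts_for() {   # PATH MOUNTS_FILE
    awk -v p="$1" '
        { mp = $2; pre = (mp == "/") ? "/" : mp "/"
          if ((p == mp || index(p "/", pre) == 1) && length(mp) >= best) {
              best = length(mp); opts = $4 } }
        END { print opts }' "$2"
}

# Succeed if the comma-separated option list contains "ro".
is_readonly() {
    case ",$1," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# Print disabled, permissive or enforcing, read from selinuxfs (default /sys/fs/selinux).
selinux_mode() {     # [SELINUXFS_DIR]
    f="${1:-/sys/fs/selinux}/enforce"
    if [ ! -r "$f" ]; then echo disabled
    elif [ "$(cat "$f")" = 1 ]; then echo enforcing
    else echo permissive
    fi
}

# Print "fail:<target>" when SELinux is on (permissive counts) and PATH resolves onto a
# read-only mount, so relabelling it would have to write labels there;
# otherwise print "ok:<target>".
relabel_risk() {     # PATH MOUNTS_FILE [SELINUXFS_DIR]
    real=$(readlink -f "$1") || return 2
    if [ "$(selinux_mode "$3")" != disabled ] &&
       is_readonly "$(mount_opts_for "$real" "$2")"; then
        echo "fail:$real"
    else
        echo "ok:$real"
    fi
}

# Usage on a live host: relabel_risk /lib/modules /proc/mounts
```
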
@superseb @galal-hussein I can't understand a use case where we would ever need to relabel /lib/modules. It seems to be on the platform where we support SELinux (RHEL) we specifically don't relabel. This logic seems to be correct in that we just never relabel /lib/modules. I'd say as long as this doesn't break a default CentOS 7/8 install it should be fine.
This was added in #1724 and seems like a copy from the other bind. The reason the exception was added was because we want to avoid changes on cluster provisioning if nothing changed. This change will replace
I get the following error with Flatcar Linux:
Your fix was about /usr/lib, I have /usr/lib64. Is there a different fix needed?
@dirien ah, I just saw this message while looking at the other issue. Are you getting this error with this PR?
@vbatts I'm getting the same issue with Rancher 2.3.9 and 2.4.8. I tried to run master-head to see if it fixes the issue but Rancher is not even starting, getting a different error ...
@vbatts same as @mikekuzak. I have v2.4.8 running.
#2194