etcd stuck in crashloopbackoff: permission denied to read config #1494
Comments
Additional note, if selinux is false AND profile is null, then rke2 starts no issue. If either selinux is true, OR profile is set (1.5 or 1.6), it gets stuck in this error loop.
@briandowns to reproduce
@dajester2013 I tried to reproduce what you've reported and am having some difficulty in finding similar behavior. Did you have RKE2 installed on the system previously? How did you enable FIPS mode (at install or after)? When was SELinux enabled?
@briandowns So, the VMs were provisioned by our customer's IT organization. They were FIPS-enabled / SELinux-enabled from the point of provisioning. I installed RKE2 on these freshly-provisioned systems. I do know they are also running McAfee on these systems, and there are other OS hardening guides they have applied.
Would it be possible to get those additional hardening steps?
@dajester2013 I'm closing this as I can't reproduce in any form. Please feel free to reopen if you can acquire the additional hardening steps that have been applied to the nodes.
Sorry for the delay, I was assigned other work, but now am back on this. I updated to 1.21.4, but it is still not working. I do not know specifically what hardening steps have been taken. I have followed the installation instructions exactly as documented, but I am still stuck with etcd in a crash loop. I have tried everything I know to do, including checking selinux contexts and file permissions. Everything seems to match with my CentOS deployment (which works). The only way I can get it to work is if I disable the selinux and profile options in the config.yaml. It is really odd to me that it only works if it runs without these security settings. I can explain further if you want to take this offline, even see if it is possible for you to see what we are seeing.
I think we need to know what the additional hardening steps are that the customer is taking so we can possibly determine that gap.
It's a STIGed RHEL 7.9 image is all I know.
So apparently it is an selinux issue. Placing the system into permissive mode allows everything to start, including the selinux and profile options enabled. I will raise the issue over in the selinux project.
Can you link here to the new issue you raise?
FWIW based on the audit logs the denied syscall is
Possibly related to containers/container-selinux#147
I opened issue #4313, as I encountered it again on a freshly installed RockyLinux 9 with the DoD STIG profile applied.
Environmental Info:
RKE2 Version:
rke2 version v1.21.3+rke2r1 (2ed0b0d)
go version go1.16.6b7
Node(s) CPU architecture, OS, and Version:
I do not have access at the moment, but it is a VM running RHEL 7.9, FIPS mode.
Cluster Configuration:
3 servers, but this error is happening on the first server I'm trying to deploy to, have not attempted the other servers.
Describe the bug:
etcd will not start with selinux: true and profile: cis-1.6 - it gets stuck in a crash loop stating permission denied.
Steps To Reproduce:
curl -sfL https://get.rke2.io | sh -
Expected behavior:
etcd and related containers start normally
Actual behavior:
etcd gets stuck in an error loop
Additional context / logs:
etcd container logs
Verify etcd uid/gid:
etcd container security settings
audit log search:
This one is interesting as it repeatedly shows these sync_file_range SYSCALLs as success=no.
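As an added triage aid, not part of this issue or of the RKE2 project: a Python script that parses audit records in `ausearch -i` layout like the ones described above, counts failed syscalls per process and lists each AVC denial with its source/target contexts and whether SELinux actually enforced it (permissive=0) or only logged it (permissive=1), which is the distinction behind the "works in permissive mode" observation. The sample records, the file path and the SELinux type names are constructed placeholders.

```python
import re
from collections import Counter

# key=value tokens as printed by `ausearch -i`; a value may be quoted or carry
# a parenthesised part such as exit=EACCES(Permission denied) or key=(null).
_KV = re.compile(r'(\w+)=("[^"]*"|\w*\([^)]*\)|\S+)')
_AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
_EVENT_ID = re.compile(r':(\d+)\)')   # serial at the end of msg=audit(...:NNN)

def parse_record(line):
    """Split one audit record into its fields, plus 'perms' (AVC) and 'event'."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _AVC.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    m = _EVENT_ID.search(rec.get("msg", ""))
    rec["event"] = m.group(1) if m else None
    return rec

def summarize_denials(audit_text):
    """failed: Counter of (comm, syscall) over SYSCALL records with success=no.
    avc: AVC denials with event serial, contexts and 'enforced' (permissive=0
    blocked the access; permissive=1 means SELinux only logged it)."""
    failed, avc = Counter(), []
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("success") == "no":
            failed[(rec.get("comm"), rec.get("syscall"))] += 1
        elif rec.get("type") == "AVC" and "perms" in rec:
            avc.append({"event": rec["event"], "comm": rec.get("comm"), "perms": rec["perms"],
                        "scontext": rec.get("scontext"), "tcontext": rec.get("tcontext"),
                        "tclass": rec.get("tclass"), "enforced": rec.get("permissive") == "0"})
    return {"failed": failed, "avc": avc}

# Constructed sample in `ausearch -i` layout, not copied from the issue; the
# path and SELinux type names are illustrative placeholders.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(09/24/2021 11:08:01.120:4401) : arch=x86_64 syscall=sync_file_range success=no exit=EACCES(Permission denied) comm=etcd exe=/usr/local/bin/etcd subj=system_u:system_r:container_t:s0:c12,c34 key=(null)
type=AVC msg=audit(09/24/2021 11:08:01.120:4401) : avc: denied { write } for pid=2210 comm=etcd path=/EXAMPLE/etcd/member/wal/0.wal dev=dm-0 ino=9920 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:example_data_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(09/24/2021 11:08:02.330:4402) : arch=x86_64 syscall=sync_file_range success=no exit=EACCES(Permission denied) comm=etcd exe=/usr/local/bin/etcd subj=system_u:system_r:container_t:s0:c12,c34 key=(null)
type=SYSCALL msg=audit(09/24/2021 11:08:02.331:4403) : arch=x86_64 syscall=openat success=yes exit=7 comm=etcd exe=/usr/local/bin/etcd subj=system_u:system_r:container_t:s0:c12,c34 key=(null)
"""

if __name__ == "__main__":
    report = summarize_denials(SAMPLE_AUDIT)
    for (comm, call), n in report["failed"].most_common():
        print(f"{comm}: {call} failed {n} times")
    for d in report["avc"]:
        print(f"event {d['event']}: {d['comm']} denied {d['perms']} on {d['tclass']} "
              f"{d['scontext']} -> {d['tcontext']} enforced={d['enforced']}")
```

On a real node, feed it the output of `ausearch -i -m AVC,SYSCALL` instead of the sample; the shared event serial ties each AVC line to the SYSCALL record that failed.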