[release-1.24.4+rke2r1] RKE2 CIS checks expect etcd user on agents #3313

Closed
rkgupta76 opened this issue Sep 5, 2022 · 2 comments

@rkgupta76

Environmental Info:
RKE2 Version:
rke2 version v1.24.4+rke2r1 (749c87a)
go version go1.18.1b7

Node(s) CPU architecture, OS, and Version:
Linux rke2-singlenode 5.3.18-150300.59.63-default #1 SMP Tue Apr 5 12:47:31 UTC 2022 (d77db66) x86_64 x86_64 x86_64 GNU/Linux
SLES 15 SP3

Cluster Configuration:
Single Node Cluster

Describe the bug:
During upgrade of RKE2 to v1.24.4+rke2r1 with CIS 1.6 profile enabled, I see the following messages:

Sep 05 10:10:29 rke2-singlenode sh[2864]: + /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service
Sep 05 10:10:29 rke2-singlenode sh[2871]: Failed to get unit file state for nm-cloud-setup.service: No such file or directory
Sep 05 10:10:29 rke2-singlenode rke2[2876]: time="2022-09-05T10:10:29+05:30" level=fatal msg="missing required: user: unknown user etcd\nmissing required: group: unknown group etcd\n"
Sep 05 10:10:29 rke2-singlenode systemd[1]: rke2-server.service: Main process exited, code=exited, status=1/FAILURE

As per #1063, this should not have happened

Steps To Reproduce:

  • Installed RKE2 v1.23.6+rke2r2 as a single node cluster using Rancher on a KVM VM
  • From Rancher 2.8 UI, upgraded RKE2 from v1.23.6+rke2r2 to v1.24.4+rke2r1
  • Enabled CIS 1.6 profile when upgrading (not enabled in v1.23.6+rke2r2)

Expected behavior:
RKE2 upgrade should have completed successfully

Actual behavior:
RKE2 upgrade gets stuck because of the above error message

@brandond
Contributor

brandond commented Sep 5, 2022

Your report doesn't make any sense to me. You said you have a single-node cluster with just one server - so how can you be having a problem with it requiring this user on agents, if you don't have any agent nodes?

If you enable the CIS profile on your server (either during the initial install, or after upgrading), you need to meet the hardening requirements listed in the documentation - including having an etcd user/group created on the server node.
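
The requirement described in the comment above, as an added example that is not part of the original thread and is not RKE2's own code: a pre-flight check that reports a missing `etcd` user or group before the service is restarted with a CIS profile set. The function names are hypothetical, and the defaults assume the profile is set in `/etc/rancher/rke2/config.yaml` and that accounts live in the local `/etc/passwd` and `/etc/group` files.

```shell
#!/bin/sh
# Added example: pre-flight check for the accounts the RKE2 CIS profile
# requires on a server node. Function names are hypothetical.
# Assumption: accounts are defined in local passwd/group files; NSS sources
# such as LDAP are not consulted.

# has_entry NAME FILE
# True if FILE (passwd or group format) has an entry whose first field is NAME.
has_entry() {
    awk -F: -v name="$1" '$1 == name { found = 1 } END { exit !found }' "$2"
}

# cis_profile_enabled CONFIG
# True if the YAML config sets a top-level "profile:" key starting with "cis".
cis_profile_enabled() {
    [ -r "$1" ] && grep -Eq '^profile:[[:space:]]*"?cis' "$1"
}

# missing_cis_accounts [CONFIG] [PASSWD] [GROUP]
# Prints one line per missing account, in the wording rke2 logs at startup.
# Returns 1 if anything is missing, 0 otherwise (or if no CIS profile is set).
missing_cis_accounts() {
    config=${1:-/etc/rancher/rke2/config.yaml}
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}

    # Without a CIS profile the etcd account is not required.
    cis_profile_enabled "$config" || return 0

    rc=0
    has_entry etcd "$passwd" || { echo "missing required: user: unknown user etcd"; rc=1; }
    has_entry etcd "$group"  || { echo "missing required: group: unknown group etcd"; rc=1; }

    # Fix, per the RKE2 hardening guide:
    #   useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
    return $rc
}
```

Call `missing_cis_accounts` on the server node before restarting `rke2-server`; pass a different config file as the first argument if the profile is set elsewhere.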

@stale

stale bot commented Mar 11, 2023

This repository uses a bot to automatically label issues which have not had any activity (commit/comment/label) for 180 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the bot can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the bot will automatically close the issue in 14 days. Thank you for your contributions.

@stale stale bot added the status/stale label Mar 11, 2023
@stale stale bot closed this as completed Apr 2, 2023