Fresh install on STIG'd RockyLinux 9 fails to launch - etcd permission denied #4313
Comments
What are the permissions on the RKE2 DB directory? Has your hardening altered the permissions on /var/lib/rancher/rke2/server/db such that the etcd user does not have access to files within that directory? |
I'm not sure what's causing the issue, I can run alpine in podman and list the contents:
|
How did you install rke2; from tarball or from RPM? If you installed from RPM, did the rke2-selinux installation complete successfully? |
I installed using the quick-start script - using RPM I assume. Everything installed correctly as far as I can tell. I have found it will start if I do not enable the CIS-1.23 profile. |
Also, if I attempt to run the podman container as non root, I get the same permission denied failure.
|
Can you check your audit log for denials? If possible you might also confirm that the rke2-selinux RPM install completed successfully; distros have recently updated their container-selinux package, and that has caused some conflicts that may have been missed in the rest of the install script output. |
The only denials I see are from my attempts to use podman to test access:
|
Some more debugging:
|
Some more debugging: the missing x bit on the parent directories prevents the etcd user from accessing the contents of its folder using bash:
However, the pod is still not starting. |
Has the error changed? What caused you to restrict the permissions on those directories beyond the defaults managed by rke2? |
I didn’t restrict them, I expanded them. The default permissions were 700,
I chmodded to 701.
|
No change in error message in the etcd container.
|
Can you show what your permissions are? On the host you should see:
root@rke2-server-1:/# for DIR in /var/lib/rancher/rke2/server/db/etcd /var/lib/rancher/rke2/server/db /var/lib/rancher/rke2/server /var/lib/rancher/rke2 /var/lib/rancher; do ls -lad $DIR; done
drwx------ 3 etcd etcd 4096 Jun 7 20:59 /var/lib/rancher/rke2/server/db/etcd
drwx------ 3 root root 4096 Jun 7 20:59 /var/lib/rancher/rke2/server/db
drwxr-xr-x 7 root root 4096 Jun 7 20:59 /var/lib/rancher/rke2/server
drwxr-xr-x 5 root root 4096 Jun 7 20:59 /var/lib/rancher/rke2
drwxr-xr-x 3 root root 4096 Jun 7 20:59 /var/lib/rancher
And in the container:
root@rke2-server-1:/# crictl exec $(crictl ps -q --name=etcd) sh -c 'for DIR in /var/lib/rancher/rke2/server/db/etcd /var/lib/rancher/rke2/server/db /var/lib/rancher/rke2/server /var/lib/rancher/rke2 /var/lib/rancher; do ls -lad $DIR; done'
drwx------ 3 999 999 4096 Jun 7 20:59 /var/lib/rancher/rke2/server/db/etcd
drwxr-xr-x 3 root root 4096 Jun 7 20:59 /var/lib/rancher/rke2/server/db
drwxr-xr-x 4 root root 4096 Jun 7 20:59 /var/lib/rancher/rke2/server
drwxr-xr-x 3 root root 4096 Jun 7 20:59 /var/lib/rancher/rke2
drwxr-xr-x 3 root root 4096 Jun 7 20:59 /var/lib/rancher |
I cannot execute the same in the container, as it is stuck in a crash loop. |
Based on your comment, I did try this:
|
Perhaps related? STIG requirements state RHEL 8 must set the umask value to 077 for all local interactive user accounts. https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-06-14/finding/V-230384 |
OK - the STIG umask requirement is what prevented etcd from starting:
This allows etcd to start successfully. I can send you a recursive directory listing if that would help discover what other folders are missing the necessary permissions? Unfortunately, I'm still having issues, as I'm now getting:
EDIT: the above was a problem with the custom configuration I copied from the ansible playbook. Removing the line with that configuration appears to allow it to run. |
Yeah, I was thinking that it looked like a umask problem. That admission plugin has been removed from Kubernetes; I suspect the playbook you're working off of hasn't been updated to support the version you're using. |
OK - so, initial startup using the |
I would probably just recommend adding a |
@dajester2013 I am facing the same issue with RHEL STIG. Can you please let me know which custom configuration have you had to remove from the Ansible playbook to fix this issue? |
If you'd prefer to leave the default system umask alone, a better idea would be to add a systemd override file to the rke2-server service, with content like:
[Service]
UMask=0022
|
So, I’ve not had to make that change personally, it seems like my problem
stemmed from attempting to launch ‘rke2 server’ initially from an
interactive terminal, instead of enabling the systemd unit.
Next time I attempt to install, I will attempt using the systemd unit first
as is, and if that fails, will set the UMask entry in the service file.
To modify the global umask setting would be a STIG finding.
On Tue, Jun 13, 2023 at 7:22 PM Brad Davidson wrote:
if you'd prefer to leave the default system umask alone, a better idea would be to add a systemd override file to the rke2-server service, with content like:
[Service]
UMask=0022
|
Oh, I don't think it was clear that you weren't actually starting the service. |
@brandond @dajester2013 Thanks for your reply. A fresh installation works ok when UMask is set in the rke2-server service.
Do you know if its possible to do cluster reset any other way without the etcd permission issue? |
My suggestion is, from the terminal, temporarily modify the umask to 022
before running any rke2 commands.
umask 022
rke2 …..
umask 077
|
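Added example, not code from the rke2 project or from anyone in this thread. It reproduces, in a temporary directory, the effect the thread converges on: a process started under the STIG umask of 077 creates 700 directories that a non-owner account such as the etcd user (uid 999 inside the container) cannot traverse, while the same mkdir under umask 022 yields 755. It also walks a path ancestor by ancestor, the way Brad's ls -lad loop does, to name the directory that blocks a non-owner, and it prints the UMask=0022 drop-in for rke2-server that Brad suggested as the alternative to changing the global umask. The drop-in file name umask.conf and the paths under the temp directory are assumptions for the demonstration; only the unit name and the UMask line come from the thread.

```shell
#!/bin/sh
# Added example (not rke2 project code): shows why a STIG umask of 077 leaves
# rke2-created directories unreadable by the etcd account, and how to check a
# path for that condition. Everything is built under a temp directory that
# stands in for /var/lib/rancher/rke2/server/db/etcd.

set -u

# Other-execute bit of a directory, read from the first column of ls -ld
# ("drwx------" -> "-", "drwxr-xr-x" -> "x"). Works with GNU, BSD and busybox ls.
other_exec_bit() {
    ls -ld "$1" | cut -c10
}

# Create a directory tree the way a daemon inheriting umask $1 would, and
# print the other-execute bit of the leaf.
mkdir_under_umask() {
    mask="$1"; dir="$2"
    ( umask "$mask" && mkdir -p "$dir" )
    other_exec_bit "$dir"
}

# Walk every ancestor of $1 up to (not including) base $2 and print the
# topmost directory a non-owner account could not pass through. Returns 0 and
# prints nothing if the whole path is traversable, 1 otherwise.
first_untraversable_dir() {
    target="$1"; base="$2"
    cur="$target"
    blocker=""
    while [ "$cur" != "$base" ] && [ "$cur" != "/" ]; do
        if [ "$(other_exec_bit "$cur")" != "x" ]; then
            blocker="$cur"          # keep overwriting: last hit is the topmost
        fi
        cur=$(dirname "$cur")
    done
    if [ -n "$blocker" ]; then
        echo "$blocker"
        return 1
    fi
    return 0
}

# The remedy from the thread as a systemd drop-in for the rke2-server unit.
# Only printed here; installing it needs root and a 'systemctl daemon-reload'.
# The file name umask.conf is an assumption.
systemd_dropin() {
    cat <<'EOF'
# /etc/systemd/system/rke2-server.service.d/umask.conf
[Service]
UMask=0022
EOF
}

# Side-by-side demonstration of both umasks on an identical tree.
demo() {
    base=$(mktemp -d)
    strict=$(mkdir_under_umask 077 "$base/strict/server/db/etcd")
    relaxed=$(mkdir_under_umask 022 "$base/relaxed/server/db/etcd")
    echo "umask 077: leaf other-exec bit = $strict"
    echo "umask 022: leaf other-exec bit = $relaxed"
    echo "topmost directory blocking a non-owner under umask 077:"
    first_untraversable_dir "$base/strict/server/db/etcd" "$base" \
        || echo "  (this is what stops the etcd user inside the container)"
    echo "suggested drop-in:"
    systemd_dropin
    rm -rf "$base"
}

demo
```

On a real node, run first_untraversable_dir against /var/lib/rancher/rke2/server/db/etcd with base / to find which parent lost its x bit; the check looks only at mode bits, so it reports the same result whether you run it as root or as the etcd user.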
Environmental Info:
RKE2 Version:
rke2 version v1.25.10+rke2r1 (e0c376c)
go version go1.19.9 X:boringcrypto
Node(s) CPU architecture, OS, and Version:
Linux ... 5.14.0-284.11.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Tue May 9 17:09:15 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Cluster Configuration:
Single server
Describe the bug:
I am experiencing this on a freshly-installed RockyLinux 9 with DoD STIG profile applied at installation. Created the etcd user prior to launch as recommended in the documentation - uid/gid 982. Disabling fapolicy and selinux does not fix the permission denied error.
config.yaml:
crictl logs for etcd container:
Steps To Reproduce:
Expected behavior:
RKE2 boots
Actual behavior:
etcd fails to run - permission denied to etcd config
Additional context / logs: