Comments (7)
We create a selinux policy to make it work. I don't remember how we figured this out, but we have our ansible do it automatically now.
- Create `/root/localpathpolicy.te`:

```
module localpathpolicy 1.0;

require {
    type usr_t;
    type init_t;
    type container_t;
    type container_var_lib_t;
    class dir { search write add_name create remove_name rmdir setattr getattr };
    class file { create open write append read unlink setattr getattr };
}

#============= container_t ==============
allow container_t container_var_lib_t:file { create open write append read setattr getattr unlink };
allow container_t container_var_lib_t:dir { add_name create remove_name rmdir setattr write search };
allow container_t init_t:dir search;
allow container_t usr_t:dir { add_name create remove_name rmdir setattr getattr write };
allow container_t usr_t:file { create unlink write setattr getattr };
allow container_t init_t:file { read open };
```

```
checkmodule -M -m -o /root/localpathpolicy.mod /root/localpathpolicy.te
semodule_package -o /root/localpathpolicy.pp -m /root/localpathpolicy.mod
semodule -i /root/localpathpolicy.pp
semanage fcontext -a -t container_file_t "/var/lib/localpath(/.*)?"
```

(replace /var/lib/localpath with your path on disk)

```
restorecon -R -v /var/lib/localpath
```
from local-path-provisioner.
This did not, unfortunately, solve the problem:
sudo chcon -R -t svirt_sandbox_file_t -l s0 /opt/anaconda/storage
I was able to get the full application running this command repeatedly as the containers started up.
sudo chcon -R -t svirt_sandbox_file_t -l s0 /opt/anaconda/storage
Because three different pods are interacting with this directory, and Postgres is particularly feisty about ownership, the various operations they do to confirm ownership and set permissions cause the pods to lose access. Here's the audit log:

```
----
type=PROCTITLE msg=audit(11/06/2023 15:26:59.770:300) : proctitle=chmod 00700 /mnt/pgdata
type=SYSCALL msg=audit(11/06/2023 15:26:59.770:300) : arch=x86_64 syscall=fchmodat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x558dc11ee4d0 a2=0700 a3=0x7f075ab07f98 items=0 ppid=14261 pid=14317 auid=unset uid=ec2-user gid=root euid=ec2-user suid=ec2-user fsuid=ec2-user egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chmod exe=/usr/bin/chmod subj=system_u:system_r:container_t:s0:c813,c975 key=(null)
type=AVC msg=audit(11/06/2023 15:26:59.770:300) : avc: denied { setattr } for pid=14317 comm=chmod name=pgdata dev="nvme0n1p2" ino=511705289 scontext=system_u:system_r:container_t:s0:c813,c975 tcontext=system_u:object_r:container_file_t:s0:c79,c834 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(11/06/2023 15:40:56.187:543) : proctitle=postgres: walwriter
type=SYSCALL msg=audit(11/06/2023 15:40:56.187:543) : arch=x86_64 syscall=pwrite success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7f86a2678000 a2=0x2000 a3=0x866000 items=0 ppid=36573 pid=36596 auid=unset uid=ec2-user gid=root euid=ec2-user suid=ec2-user fsuid=ec2-user egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postgres exe=/usr/lib/postgresql/12/bin/postgres subj=system_u:system_r:container_t:s0:c250,c1019 key=(null)
type=AVC msg=audit(11/06/2023 15:40:56.187:543) : avc: denied { write } for pid=36596 comm=postgres path=/mnt/pgdata/pg_wal/000000010000000000000001 dev="nvme0n1p2" ino=58720526 scontext=system_u:system_r:container_t:s0:c250,c1019 tcontext=system_u:object_r:container_file_t:s0:c428,c438 tclass=file permissive=0
```
OK, here's what worked for me.

- Run `sudo chcon -R -t svirt_sandbox_file_t -l s0 /opt/anaconda/storage`
- Launch one of the deployments in isolation; let it stabilize and interact with the volume.
- Examine `ls -Zd /opt/anaconda/storage` to obtain the auto-assigned MCS label for the container: `s0:c248,c366`, for instance.
- Add this label to the `securityContext` for the deployments, including the one just launched:

```yaml
securityContext:
  runAsUser: 1000
  seLinuxOptions:
    level: s0:c248,c366
```

- Bring up the rest of the deployments.
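As an added example (not code from the thread or from the local-path-provisioner project): a small script that parses AVC denial records like the ones quoted in the audit log above, checks whether each denial is explained by an MCS category mismatch between the container's label and the volume's label (the root cause that pinning every pod to one `seLinuxOptions.level` works around), and renders that pinned `securityContext`. The sample audit lines are constructed in the shape of the quoted ones; the second AVC record is made up with matching categories to show the distinction.

```python
import re

# Constructed sample audit records, in the shape of the AVC/SYSCALL lines quoted in the thread.
# Record 1: the container's categories (c813,c975) do not cover the volume's (c79,c834).
# Record 3: categories match, so that denial is plain type enforcement, not MCS.
SAMPLE_AUDIT = """\
type=AVC msg=audit(11/06/2023 15:26:59.770:300) : avc: denied { setattr } for pid=14317 comm=chmod name=pgdata dev="nvme0n1p2" ino=511705289 scontext=system_u:system_r:container_t:s0:c813,c975 tcontext=system_u:object_r:container_file_t:s0:c79,c834 tclass=dir permissive=0
type=SYSCALL msg=audit(11/06/2023 15:26:59.770:300) : arch=x86_64 syscall=fchmodat success=no exit=EACCES(Permission denied)
type=AVC msg=audit(11/06/2023 15:41:00.000:544) : avc: denied { write } for pid=36596 comm=postgres path=/mnt/pgdata/pg_wal/000000010000000000000001 scontext=system_u:system_r:container_t:s0:c250,c1019 tcontext=system_u:object_r:container_file_t:s0:c250,c1019 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bcomm=(?P<comm>\S+)"
    r".*?scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def level_of(ctx):
    """Level field of user:role:type:level; the level itself contains ':' so split at most 3 times."""
    parts = ctx.split(":", 3)
    return parts[3] if len(parts) == 4 else "s0"

def categories(level):
    """'s0:c813,c975' -> {'c813', 'c975'}; a bare 's0' carries no categories."""
    return frozenset(c for c in level.partition(":")[2].split(",") if c)

def mcs_mismatch(sctx, tctx):
    """MCS lets a domain touch an object only when the object's categories are a subset of its own.
    Each container gets a random pair, so a volume labelled by one container is denied to the others."""
    return not categories(level_of(tctx)).issubset(categories(level_of(sctx)))

def analyze(audit_text):
    """Extract each AVC denial and flag whether an MCS category mismatch explains it."""
    findings = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        findings.append({"comm": m["comm"], "perms": m["perms"].split(), "tclass": m["tclass"],
                         "subject_level": level_of(m["sctx"]), "target_level": level_of(m["tctx"]),
                         "mcs_mismatch": mcs_mismatch(m["sctx"], m["tctx"])})
    return findings

def selinux_options_yaml(level, run_as_user=1000):
    """Render the securityContext from the fix above: pin every pod sharing the volume to one level."""
    return (f"securityContext:\n  runAsUser: {run_as_user}\n"
            f"  seLinuxOptions:\n    level: {level}\n")

if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        print(f["comm"], f["perms"], f["tclass"], f["subject_level"], "->", f["target_level"],
              "MCS mismatch" if f["mcs_mismatch"] else "type-enforcement denial")
```

Feed it `ausearch -m avc` output from the node; any denial flagged as an MCS mismatch is the symptom the label-pinning fix addresses, while unflagged denials need a policy change instead.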
Sorry, it's me again. I've been comparing k3s and rke2 here, which ostensibly use the same local path provisioner, and k3s is not having the same issue. And it seems to be because k3s is not applying the same ownership semantics on the volume. In particular, here's what `ls -lZd` gives me for the Postgres volume:

```
drwx------. 19 ec2-user root system_u:object_r:usr_t:s0 4096 Nov 8 14:23 pgdata
```
Note the lack of container labels.
I'm just going to check myself that perhaps k3s doesn't enable full SELinux enforcement by default; I will see. If that's the case, no need to reply, I'll figure that out soon enough :-)
EDIT: installing k3s with `--selinux` produces the same behavior, so it's definitely generic.