OpenShift Bugs / OCPBUGS-55918

[OLMv1] operator-controller cannot access the /etc/docker since its SELinux type changed to cert_t

    • Quality / Stability / Reliability
    • Important
    • Rejected
    • Lillipup Sprint 272
    • Done

      Description of problem:

      The default container process cannot access `/etc/docker`, which means it cannot read the certs. This is the same issue as https://issues.redhat.com/browse/OCPBUGS-55403

      jiazha-mac:~ jiazha$ oc exec operator-controller-controller-manager-78f674f5f8-ww74h -- ls -R /etc/docker 
      ls: cannot open directory '/etc/docker': Permission denied
      command terminated with exit code 2
      
      jiazha-mac:~ jiazha$ oc exec operator-controller-controller-manager-5d6c9845fd-jbfwx -- id
      uid=1001(1001) gid=0(root) groups=0(root)
      
      jiazha-mac:~ jiazha$ oc exec operator-controller-controller-manager-5d6c9845fd-jbfwx -- ls -Z /etc/docker
      ls: cannot open directory '/etc/docker': Permission denied
      command terminated with exit code 2
      
      

      Version-Release number of selected component (if applicable):

          4.19.0-0.nightly-2025-05-07-130416

      How reproducible:

          always

      Steps to Reproduce:

          1. Install OCP 4.19
          2. Run 
      $ oc exec operator-controller-controller-manager-78f674f5f8-ww74h -- ls -R /etc/docker 
           

      Actual results:

          jiazha-mac:~ jiazha$ oc exec operator-controller-controller-manager-78f674f5f8-ww74h -- ls -R /etc/docker 
      ls: cannot open directory '/etc/docker': Permission denied
      command terminated with exit code 2

      Expected results:

      The default container process can access the certs in the /etc/docker folder

          

      Additional info:

      It works well on OCP 4.18.

      jiazha-mac:~ jiazha$ oc exec operator-controller-controller-manager-6cf5f94d45-mwm72 -- ls -R /etc/docker
      /etc/docker:
      certs.d

      /etc/docker/certs.d:
      image-registry.openshift-image-registry.svc.cluster.local:5000
      image-registry.openshift-image-registry.svc:5000

      /etc/docker/certs.d/image-registry.openshift-image-registry.svc.cluster.local:5000:
      ca.crt

      /etc/docker/certs.d/image-registry.openshift-image-registry.svc:5000:
      ca.crt

      The difference between 4.19 and 4.18 is the SELinux type of /etc/docker. In 4.19, it was changed to `cert_t` from `etc_t`.

      OCP 4.19:
      jiazha-mac:~ jiazha$ oc debug node/ip-10-0-15-244.us-east-2.compute.internal
      Starting pod/ip-10-0-15-244us-east-2computeinternal-debug-rnwjc ...
      To use host binaries, run `chroot /host`
      Pod IP: 10.0.15.244
      If you don't see a command prompt, try pressing enter.
      sh-5.1# chroot /host
      sh-5.1# ls -Z /etc/docker 
      system_u:object_r:cert_t:s0 certs.d
      
      OCP4.18:
      jiazha-mac:~ jiazha$ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.18.0-0.nightly-2025-05-07-124712   True        False         103m    Cluster version is 4.18.0-0.nightly-2025-05-07-124712
      
      jiazha-mac:~ jiazha$ oc debug node/yinzhou-1808-d6fz5-master-0 
      Starting pod/yinzhou-1808-d6fz5-master-0-debug-prx9j ...
      To use host binaries, run `chroot /host`
      Pod IP: 192.168.0.145
      If you don't see a command prompt, try pressing enter.
      sh-5.1# chroot /host
      
      sh-5.1# ls -Z /etc/docker
      system_u:object_r:etc_t:s0 certs.d

              rhn-support-jiazha Jian Zhang
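The checks the reporter ran by hand (the host-side `ls -Z`, the in-pod `ls -R`) can be folded into one diagnostic. The script below is an added example written for this page; it is not part of the bug report or of the operator-controller project. It assumes `oc` access to the cluster, and the node and pod names handed to `run_live` are placeholders. The parsing and classification functions run offline on the same kind of output shown in the report.

```shell
#!/bin/sh
# Added diagnostic for the /etc/docker SELinux label problem described in
# OCPBUGS-55918. Example code for this page, not operator-controller code.
# Node and pod names passed to run_live are placeholders.

# Pull the SELinux type out of one `ls -Z` / `ls -dZ` line, e.g.
# "system_u:object_r:cert_t:s0 certs.d" -> "cert_t".
selinux_type() {
    printf '%s\n' "$1" | awk '{
        n = split($1, ctx, ":")
        if (n >= 3) print ctx[3]; else print ""
    }'
}

# Classify what `ls` inside the pod reported. ls exits 2 on a serious error
# such as an unreadable directory; the message separates "not mounted"
# from "mounted but not readable".
classify_ls_result() {
    rc="$1"
    msg="$2"
    if [ "$rc" -eq 0 ]; then
        echo "readable"
    elif printf '%s' "$msg" | grep -q 'Permission denied'; then
        echo "denied"    # DAC or SELinux denial, see the note below
    elif printf '%s' "$msg" | grep -q 'No such file or directory'; then
        echo "missing"   # path is not mounted into the container
    else
        echo "error"
    fi
}

# Compare the label seen on the host with the one the container worked
# with on 4.18 (etc_t). Returns 0 on match, 1 on mismatch.
check_docker_label() {
    actual="$(selinux_type "$1")"
    expected="${2:-etc_t}"
    if [ "$actual" = "$expected" ]; then
        echo "ok: /etc/docker is $actual"
        return 0
    fi
    echo "mismatch: /etc/docker is $actual, expected $expected"
    return 1
}

# Live procedure against a cluster (not exercised offline): read the label on
# the node, then attempt the read from inside the operator-controller pod.
run_live() {
    node="$1"   # e.g. ip-10-0-15-244.us-east-2.compute.internal
    pod="$2"    # e.g. operator-controller-controller-manager-<hash>
    host_line="$(oc debug "node/$node" -- chroot /host ls -dZ /etc/docker 2>/dev/null)"
    check_docker_label "$host_line" etc_t
    out="$(oc exec "$pod" -- ls -R /etc/docker 2>&1)"; rc=$?
    echo "container view: $(classify_ls_result "$rc" "$out")"
}
```

A "denied" verdict alone does not say whether DAC or SELinux refused the access; the `id` output in the report (uid 1001, gid 0) rules out little on its own. An AVC record for the pod's process in the node's audit log is what confirms the SELinux path, and the label comparison above is what points at `cert_t` versus `etc_t` as the change between 4.18 and 4.19.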