Uploaded image for project: 'Openshift sandboxed containers'
  1. Openshift sandboxed containers
  2. KATA-2116

kata-monitor pod hits SELinux denials

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • High
    • OSC 1.4.0
    • OSC 1.4.0
    • None
    • False
    • None
    • False
    • Kata Sprint #234
    • 0
    • 0

    Description

      Description

      Monitor pod is logging a failure every minute :

      time="2023-03-29T13:38:44.612082211Z" level=warning msg="cannot monitor /run/vc/sbs, retry in 60 sec." error="permission denied" name=kata-monitor pid=1 source=kata-monitor
time="2023-03-29T13:39:44.612766433Z" level=warning msg="cannot monitor /run/vc/sbs, retry in 60 sec." error="permission denied" name=kata-monitor pid=1 source=kata-monitor
time="2023-03-29T13:40:44.613944245Z" level=warning msg="cannot monitor /run/vc/sbs, retry in 60 sec." error="permission denied" name=kata-monitor pid=1 source=kata-monitor

      Matching selinux denials are logged on the host :

      type=AVC msg=audit(1680097124.610:359): avc:  denied  { watch } for  pid=11960 comm="kata-monitor" path="/run/vc/sbs" dev="tmpfs" ino=4078 scontext=system_u:system_r:osc_monitor.process:s0:c862,c902 tcontext=system_u:object_r:container_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1680097184.611:360): avc:  denied  { watch } for  pid=11960 comm="kata-monitor" path="/run/vc/sbs" dev="tmpfs" ino=4078 scontext=system_u:system_r:osc_monitor.process:s0:c862,c902 tcontext=system_u:object_r:container_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1680097244.612:361): avc:  denied  { watch } for  pid=11960 comm="kata-monitor" path="/run/vc/sbs" dev="tmpfs" ino=4078 scontext=system_u:system_r:osc_monitor.process:s0:c862,c902 tcontext=system_u:object_r:container_var_run_t:s0 tclass=dir permissive=0

      Steps to reproduce

      1. Install OSC 1.4 on OCP 4.13
      2. Create a kataconfig
      3. Wait for a monitor pod to be running
      4. Look at the logs of that monitor and the audit logs on the host

      Expected result

      No errors.

      Actual result

      Errors mentioned in the description.

      Impact

      No metrics.

      Env

      OCP : 4.13.0-0.nightly-2023-03-23-000343
      OSC : quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator-catalog:1.4.0-40

      Additional helpful info

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. KATA-2095 kata metrics not working: cannot monitor /run/vc/sbs, error="permission denied"

          • High - Required for next release. Launch blocker.
          • Closed

          Activity

            People

              rhgkurz Greg Kurz
              rhgkurz Greg Kurz
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: