OpenShift Bugs / OCPBUGS-10045

The spod pods crash with rhel9 os due to "error parsing semanage configuration file"


Details

    • Bug
    • Resolution: Done
    • Critical
    • None
    • 4.14.0
    • None
    • Important
    • No
    • Rejected
    • False

    Description

      Description of problem:

      The spod pods crash with rhel9 os due to "error parsing semanage configuration file"

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-03-08-194110 + security-profiles-operator-bundle-container-0.5.2-2

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install security profiles operator with build security-profiles-operator-bundle-container-0.5.2-2 with a 4.14 nightly build
      

      Actual results:

       

      Installation failed. All spod pods crashed:
      $ oc get pod
      NAME                                                  READY   STATUS                  RESTARTS        AGE
      security-profiles-operator-6f798df7f9-5zf68           1/1     Running                 0               14m
      security-profiles-operator-6f798df7f9-d7cx6           1/1     Running                 0               14m
      security-profiles-operator-6f798df7f9-j5cqw           1/1     Running                 0               14m
      security-profiles-operator-webhook-55648cf999-6x8bx   1/1     Running                 0               14m
      security-profiles-operator-webhook-55648cf999-psxfl   1/1     Running                 0               14m
      security-profiles-operator-webhook-55648cf999-qpdlr   1/1     Running                 0               14m
      spod-4ds55                                            0/3     Init:CrashLoopBackOff   7 (3m34s ago)   14m
      spod-pfcfw                                            0/3     Init:CrashLoopBackOff   7 (3m21s ago)   14m
      spod-pxb29                                            0/3     Init:CrashLoopBackOff   7 (3m36s ago)   14m
      spod-rdg2v                                            0/3     Init:CrashLoopBackOff   7 (3m36s ago)   14m
      spod-tzw2g                                            0/3     Init:CrashLoopBackOff   7 (3m43s ago)   14m
      spod-x2ng4                                            0/3     Init:CrashLoopBackOff   7 (3m38s ago)   14m
      $ oc logs pod/spod-4ds55 --all-containers 
      ...
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy dir /opt/spo-profiles to /var/lib/kubelet/seccomp"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy dir /opt/spo-profiles/..2023_03_13_08_42_18.2218084285 to /var/lib/kubelet/seccomp/..2023_03_13_08_42_18.2218084285"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy file /opt/spo-profiles/..2023_03_13_08_42_18.2218084285/security-profiles-operator.json to /var/lib/kubelet/seccomp/..2023_03_13_08_42_18.2218084285/security-profiles-operator.json (required: false)"
      time="2023-03-13T08:42:20Z" level=info msg="Copied security-profiles-operator.json"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy file /opt/spo-profiles/..2023_03_13_08_42_18.2218084285/selinuxd.cil to /var/lib/kubelet/seccomp/..2023_03_13_08_42_18.2218084285/selinuxd.cil (required: false)"
      time="2023-03-13T08:42:20Z" level=info msg="Copied selinuxd.cil"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy file /opt/spo-profiles/..2023_03_13_08_42_18.2218084285/selinuxrecording.cil to /var/lib/kubelet/seccomp/..2023_03_13_08_42_18.2218084285/selinuxrecording.cil (required: false)"
      time="2023-03-13T08:42:20Z" level=info msg="Copied selinuxrecording.cil"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy dir /opt/spo-profiles/..data to /var/lib/kubelet/seccomp/..data"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy file /opt/spo-profiles/..data/security-profiles-operator.json to /var/lib/kubelet/seccomp/..data/security-profiles-operator.json (required: false)"
      time="2023-03-13T08:42:20Z" level=info msg="Copied security-profiles-operator.json"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy file /opt/spo-profiles/..data/selinuxd.cil to /var/lib/kubelet/seccomp/..data/selinuxd.cil (required: false)"
      time="2023-03-13T08:42:20Z" level=info msg="Copied selinuxd.cil"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy file /opt/spo-profiles/..data/selinuxrecording.cil to /var/lib/kubelet/seccomp/..data/selinuxrecording.cil (required: false)"
      time="2023-03-13T08:42:20Z" level=info msg="Copied selinuxrecording.cil"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy file /opt/spo-profiles/security-profiles-operator.json to /var/lib/kubelet/seccomp/security-profiles-operator.json (required: false)"
      time="2023-03-13T08:42:20Z" level=info msg="Copied security-profiles-operator.json"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy file /opt/spo-profiles/selinuxd.cil to /var/lib/kubelet/seccomp/selinuxd.cil (required: false)"
      time="2023-03-13T08:42:20Z" level=info msg="Copied selinuxd.cil"
      time="2023-03-13T08:42:20Z" level=info msg="Trying to copy file /opt/spo-profiles/selinuxrecording.cil to /var/lib/kubelet/seccomp/selinuxrecording.cil (required: false)"
      time="2023-03-13T08:42:20Z" level=info msg="Copied selinuxrecording.cil"
      + chown 65535:0 /etc/selinux.d
      + chmod 750 /etc/selinux.d
      + semodule -i /usr/share/selinuxd/templates/base_container.cil /usr/share/selinuxd/templates/config_container.cil /usr/share/selinuxd/templates/home_container.cil /usr/share/selinuxd/templates/log_container.cil /usr/share/selinuxd/templates/net_container.cil /usr/share/selinuxd/templates/tmp_container.cil /usr/share/selinuxd/templates/tty_container.cil /usr/share/selinuxd/templates/virt_container.cil /usr/share/selinuxd/templates/x_container.cil
      error parsing semanage configuration file: syntax error
      semodule:  Could not create semanage handle
      + semodule -i /opt/spo-profiles/selinuxd.cil
      error parsing semanage configuration file: syntax error
      semodule:  Could not create semanage handle
      + semodule -i /opt/spo-profiles/selinuxrecording.cil
      error parsing semanage configuration file: syntax error
      semodule:  Could not create semanage handle
      Error from server (BadRequest): container "security-profiles-operator" in pod "spod-4ds55" is waiting to start: PodInitializing
      

      Expected results:

      Installation succeeded. All pods are in running status.
      

      Additional info:

       

      $ oc debug node/ip-ip-xxxxxx.us-east-2.compute.internal -- chroot /host cat /etc/os-release 
      Starting pod/ip-xxxxxx.us-east-2computeinternal-debug ...
      To use host binaries, run `chroot /host`
      NAME="CentOS Stream CoreOS"
      ID="rhcos"
      ID_LIKE="rhel fedora"
      VERSION="413.92.202303061740-0"
      VERSION_ID="4.13"
      VARIANT="CoreOS"
      VARIANT_ID=coreos
      PLATFORM_ID="platform:el9"
      PRETTY_NAME="CentOS Stream CoreOS 413.92.202303061740-0 (Plow)"
      ANSI_COLOR="0;31"
      CPE_NAME="cpe:/o:centos:centos:9coreos"
      HOME_URL="https://centos.org/"
      DOCUMENTATION_URL="https://docs.openshift.com/container-platform/4.13/"
      BUG_REPORT_URL="https://bugzilla.redhat.com/"
      REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
      REDHAT_BUGZILLA_PRODUCT_VERSION="4.13"
      REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
      REDHAT_SUPPORT_PRODUCT_VERSION="4.13"
      OPENSHIFT_VERSION="4.13"
      RHEL_VERSION="9"
      OSTREE_VERSION="413.92.202303061740-0"
       
      Removing debug pod ...
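
      Triage sketch for the init-container trace above, added here as an example (not part of the original report and not code from the operator): it pairs each `set -x` command with the output that follows it and checks whether every `semodule` call failed with the same semanage handle error, which points at the semanage configuration rather than at any one `.cil` module. The names `parse_trace`, `classify` and `SAMPLE_LOG` are hypothetical, and the sample is a shortened, constructed copy of the quoted log.

```python
import re

# Constructed sample: a shortened copy of the init-container trace quoted in this report.
SAMPLE_LOG = """\
+ chown 65535:0 /etc/selinux.d
+ chmod 750 /etc/selinux.d
+ semodule -i /usr/share/selinuxd/templates/base_container.cil /usr/share/selinuxd/templates/net_container.cil
error parsing semanage configuration file: syntax error
semodule:  Could not create semanage handle
+ semodule -i /opt/spo-profiles/selinuxd.cil
error parsing semanage configuration file: syntax error
semodule:  Could not create semanage handle
+ semodule -i /opt/spo-profiles/selinuxrecording.cil
error parsing semanage configuration file: syntax error
semodule:  Could not create semanage handle
"""

XTRACE = re.compile(r"^\+ (?P<cmd>\S+)(?: (?P<args>.*))?$")  # a `set -x` trace line
HANDLE_ERR = "Could not create semanage handle"
CONF_ERR = "error parsing semanage configuration file"

def parse_trace(log_text):
    """Group each traced command with the output lines printed after it."""
    steps = []
    for line in log_text.splitlines():
        line = line.strip()
        m = XTRACE.match(line)
        if m:
            steps.append({"cmd": m["cmd"], "args": (m["args"] or "").split(), "output": []})
        elif steps and line:
            steps[-1]["output"].append(line)  # lines before the first trace line are ignored
    return steps

def classify(log_text):
    """Summarise semodule calls that failed while creating the semanage handle."""
    calls = [s for s in parse_trace(log_text) if s["cmd"] == "semodule"]
    failed = [s for s in calls
              if any(HANDLE_ERR in o for o in s["output"])
              and any(CONF_ERR in o for o in s["output"])]
    modules = [a for s in failed for a in s["args"] if a.endswith(".cil")]
    if calls and len(failed) == len(calls):
        verdict = "semanage-config"  # same failure whatever module was passed
    elif failed:
        verdict = "partial"
    else:
        verdict = "ok"
    return {"verdict": verdict, "calls": len(calls), "failed": len(failed), "modules": modules}
```
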
      

       

          People

            jhrozek@redhat.com Jakub Hrozek
            xiyuan@redhat.com Xiaojie Yuan
            Xiaojie Yuan Xiaojie Yuan