OpenShift Bugs / OCPBUGS-9008

bind: access denied from pod when trying to execute ping -I sourceip dstip


Details

    • Important
    • Rejected
    • Unspecified
    • If docs needed, set a value

    Description

      Thanks for reporting your issue!

      In order for the CoreOS team to be able to quickly and successfully triage your issue, please fill out the following template as completely as possible.

      Be ready for follow-up questions and please respond in a timely manner.

      If we can't reproduce a bug, we might close your issue.

      OCP Version at Install Time: 4.7.11
      RHCOS Version at Install Time: rhcos 4.7.11
      OCP Version after Upgrade (if applicable):
      RHCOS Version after Upgrade (if applicable):
      Platform: AWS, Azure, bare metal, GCP, vSphere, etc: vSphere
      Architecture: x86_64/ppc64le/s390x

      What are you trying to do? What is your use case?
      A customer created a custom container image based on Wind River (Wind River Linux LTS 10.18.44.20), and they use the ping command in their applications to perform network monitoring. The customer needs to run ping with the source IP address specified, like this:

      $ ping dstip -I srcip

      What happened? What went wrong or what did you expect?
      When the container image executes the command, they get a permission denied error:

      bind: Permission denied

      The correct capabilities have been assigned to the container:

      capabilities:
        add:
          - NET_RAW
          - NET_ADMIN
          - SYS_PTRACE
          - SYS_CHROOT
          - NET_BIND_SERVICE
          - NET_BROADCAST

      The issue is not present when tried with Red Hat UBI images, only with the customer-specific image.

      In the node logs there is an SELinux denial event:


      type=AVC msg=audit(1634753245.900:73549): avc: denied

      { node_bind }

      for pid=676729 comm="ping" saddr=10.131.1.180 scontext=system_u:system_r:container_t:s0:c0,c26 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0

      What are the steps to reproduce your issue? Please try to reduce these steps to something that can be reproduced with a single RHCOS node.

      • Deploy an image based on Wind River Linux LTS 10.18.44.20 and execute from the pod:

      $ ping dstip -I srcip

      The expected result is that the ping command runs, but instead we get bind: access denied because SELinux prevents the command from executing.

      If you're having problems booting/installing RHCOS, please provide:

      • the full contents of the serial console showing disk initialization, network configuration, and Ignition stage (see https://access.redhat.com/articles/7212 for information about configuring your serial console)
      • Ignition JSON
      • output of `journalctl -b`

      If you're having problems post-upgrade, please provide:

      • A complete must-gather (`oc adm must-gather`)

      If you're having SELinux related issues, please provide:

      • The full `/var/log/audit/audit.log` file
      • Were any SELinux modules or booleans changed from the default configuration?
      • The output of `ostree admin config-diff | grep selinux/targeted` on impacted nodes

      Please add anything else that might be useful, for example:

      • kernel command line (`cat /proc/cmdline`)
      • contents of `/etc/NetworkManager/system-connections/`
      • contents of `/etc/sysconfig/network-scripts/`
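      For triaging a record like the AVC line quoted in this report, here is an added Python example (not part of the bug report or of OpenShift) that parses the audit fields, tells whether the record is an enforced denial against a container domain, and shows the shape of the allow rule that audit2allow would propose, so the breadth of any policy exception can be judged before it is installed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in this bug report, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1634753245.900:73549): avc: denied { node_bind } '
    'for pid=676729 comm="ping" saddr=10.131.1.180 '
    'scontext=system_u:system_r:container_t:s0:c0,c26 '
    'tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0'
)

# "avc: denied { perm1 perm2 } for key=value ..." (spacing varies between kernels)
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; quoted values (comm="ping") may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str      # "denied" or "granted"
    perms: list      # permissions inside the braces, e.g. ["node_bind"]
    fields: dict     # pid, comm, saddr, scontext, tcontext, tclass, permissive, ...

    def type_of(self, ctx):
        # SELinux context is user:role:type:level; the type is what policy rules use
        return self.fields[ctx].split(':')[2]


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Avc(m.group('result'), m.group('perms').split(), fields)


def is_enforced_container_denial(avc):
    # permissive=0 means the access was actually blocked, not just logged
    return (avc.result == 'denied' and avc.fields.get('permissive') == '0'
            and avc.type_of('scontext').startswith('container_'))


def allow_rule(avc):
    # Rule shape audit2allow proposes for a denial: one allow per source/target/class.
    perms = avc.perms[0] if len(avc.perms) == 1 else '{ ' + ' '.join(avc.perms) + ' }'
    return f"allow {avc.type_of('scontext')} {avc.type_of('tcontext')}:{avc.fields['tclass']} {perms};"


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(rec.fields['comm'], rec.perms, is_enforced_container_denial(rec))
    print(allow_rule(rec))
```

      Note that the generated rule grants node_bind on every icmp_socket for every process in container_t, not just this one pod's ping, which is why such an exception belongs in a reviewed custom module rather than a blanket allow.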

          People

            rhatdan Daniel Walsh (Inactive)
            rhn-gps-alfredo Alfredo Pizarro