OpenShift Service Mesh / OSSM-2382

istio-cni does not work on RHEL9 (OCP 4.13)


We got a report today from the CNV team that istio-cni fails on RHEL9 nodes because of SELinux. From the audit log:

type=AVC msg=audit(1671679231.719:78743): avc:  denied  { open } for  pid=703303 comm="iptables-restor" path="/tmp/iptables-rules-1671679231719103294.txt128242135" dev="vda1" ino=535228 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0

Apparently, for some reason iptables-restore is not allowed to open files in /tmp. This might as well be a RHEL9 bug as this previously worked.

iptables has been deprecated in RHEL9, so we'll have to look into migrating to nftables anyway. This might be a good time. OCP 4.13 will be based on RHCOS9 and will likely have the same problem.
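The AVC record above is the whole evidence for this failure, and the fields that matter are the source type (iptables_t), the target type (tmp_t), the object class (file), the denied permission set and whether the machine was enforcing (permissive=0). The following is an added example, not code from the issue or from the istio-cni project: a small parser for audit AVC lines that extracts those fields and flags exactly this class of denial, so the same condition can be picked out of a node's audit log on other nodes or after a retest. The sample audit text is constructed here; only the first line is the record quoted in the issue, the other records are made up to show a permissive-mode hit and an unrelated denial being classified differently.

```python
import re
from dataclasses import dataclass

# Constructed sample audit log. Line 1 is the denial quoted in this issue;
# lines 2-4 are made up for the example (a permissive=1 repeat, an unrelated
# httpd denial, and a non-AVC record the parser must ignore).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1671679231.719:78743): avc:  denied  { open } for  pid=703303 comm="iptables-restor" path="/tmp/iptables-rules-1671679231719103294.txt128242135" dev="vda1" ino=535228 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1671679300.001:78800): avc:  denied  { read } for  pid=703310 comm="iptables-restor" path="/tmp/iptables-rules-example.txt" dev="vda1" ino=535230 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1671679400.500:78900): avc:  denied  { write } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="vda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1671679231.719:78743): arch=c000003e syscall=257 success=no exit=-13
"""

# Header of an AVC record: timestamp, serial, verdict and the braced permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm, path, dev) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    verdict: str
    perms: tuple
    fields: dict

    @property
    def stype(self) -> str:
        # user:role:type:level -> the type component of the source context
        return self.fields["scontext"].split(":")[2]

    @property
    def ttype(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def enforced(self) -> bool:
        # permissive=0 means the denial was actually applied, not just logged
        return self.fields.get("permissive") == "0"


def parse_avc(line: str):
    """Return an Avc for a type=AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        fields=fields,
    )


def matches_tmp_denial(rec: Avc) -> bool:
    """The condition from this issue: iptables_t denied access to a tmp_t file."""
    return (
        rec.verdict == "denied"
        and rec.stype == "iptables_t"
        and rec.ttype == "tmp_t"
        and rec.fields.get("tclass") == "file"
    )


def scan(audit_text: str) -> list:
    """Return every AVC record in the text that matches the issue's denial."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and matches_tmp_denial(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan(SAMPLE_AUDIT):
        mode = "enforcing" if rec.enforced else "permissive"
        print(f"{rec.serial}: {rec.fields['comm']} denied {rec.perms} on "
              f"{rec.fields['path']} ({rec.stype} -> {rec.ttype}, {mode})")
```

Run it against `ausearch -m AVC` output or `/var/log/audit/audit.log` from the affected node; a hit with permissive=0 is the failing case, while a hit with permissive=1 only tells you the policy would block it once enforcing is turned back on.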

mluksa@redhat.com Marko Luksa
dgrimm@redhat.com Daniel Grimm