OSSM-2382 (OpenShift Service Mesh)

istio-cni does not work on RHEL9 (OCP 4.13)


    Description

      We got a report today from the CNV team that istio-cni fails on RHEL9 nodes because of SELinux. From the audit log:

      type=AVC msg=audit(1671679231.719:78743): avc:  denied  { open } for  pid=703303 comm="iptables-restor" path="/tmp/iptables-rules-1671679231719103294.txt128242135" dev="vda1" ino=535228 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0

      Apparently, for some reason, iptables-restore is not allowed to open files in /tmp. This might well be a RHEL9 bug, as this previously worked.

      iptables has been deprecated in RHEL9, so we'll have to look into migrating to nftables anyway. This might be a good time. OCP 4.13 will be based on RHCOS9 and will likely have the same problem.
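      As an added example (not code from this issue, from istio-cni or from Istio), the Python below parses AVC records of the shape quoted above, keeps only the denials that actually failed in enforcing mode (permissive=0, as in the quoted record), and derives the audit2allow-style allow rule each one would need. The sample log is constructed for the example: its first record is the AVC line from the issue, the other two are made up for contrast.

```python
"""Parse SELinux AVC records and turn each enforced denial into the TE allow
rule that would permit it.

Added example for OSSM-2382; it is not part of the issue, istio-cni or Istio.
SAMPLE_AUDIT_LOG is constructed: record 1 is the AVC line quoted in the issue,
the PROCTITLE record and the permissive-mode AVC record are made up.
"""
import re
from dataclasses import dataclass

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1671679231.719:78743): avc:  denied  { open } for  pid=703303 comm="iptables-restor" path="/tmp/iptables-rules-1671679231719103294.txt128242135" dev="vda1" ino=535228 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1671679231.719:78743): proctitle=69707461626C65732D726573746F7265
type=AVC msg=audit(1671679300.500:78760): avc:  denied  { read write } for  pid=703400 comm="iptables-restor" path="/tmp/iptables-rules-2.txt" dev="vda1" ino=535300 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

# Header of an AVC record up to "for"; what follows is key=value pairs.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$"
)
# Values are either double-quoted (comm, path, dev) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str          # "denied" or "granted"
    permissions: tuple   # e.g. ("open",) or ("read", "write")
    fields: dict         # pid, comm, path, scontext, tcontext, tclass, permissive, ...

    @property
    def source_type(self) -> str:
        # Third field of user:role:type:level, e.g. iptables_t
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def enforced(self) -> bool:
        # permissive=0: the access was really blocked. permissive=1: it was
        # only logged and the syscall succeeded, so it cannot explain a failure.
        return self.fields.get("permissive") == "0"


def parse_audit_log(text: str) -> list:
    """Return the AVC records in an audit log; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(AvcRecord(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            result=m.group("result"),
            permissions=tuple(m.group("perms").split()),
            fields=fields,
        ))
    return records


def blocking_denials(records) -> list:
    """Denials that happened in enforcing mode, i.e. the ones that failed the caller."""
    return [r for r in records if r.result == "denied" and r.enforced]


def allow_rule(record: AvcRecord) -> str:
    """The TE allow rule (source type, target type, class, permission set) that
    audit2allow would derive from this record. Braces are kept even for a
    single permission; checkpolicy accepts that form."""
    perms = " ".join(record.permissions)
    return f"allow {record.source_type} {record.target_type}:{record.fields['tclass']} {{ {perms} }};"


def describe(record: AvcRecord) -> str:
    f = record.fields
    mode = "enforcing" if record.enforced else "permissive"
    return (f"{f['comm']} (pid {f['pid']}, {record.source_type}) was {record.result} "
            f"{' '.join(record.permissions)} on {f.get('path', '?')} labelled "
            f"{record.target_type} [{mode}]")


if __name__ == "__main__":
    for rec in blocking_denials(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(describe(rec))
        print("  would need:", allow_rule(rec))
```

      Two things the output makes explicit: comm= is truncated by the kernel to 15 characters, so "iptables-restor" is iptables-restore; and the derived rule (iptables_t opening a tmp_t file) names the policy change a local module would need, which is useful for diagnosis but does not decide whether the policy should be relaxed or istio-cni should stop handing rules to iptables-restore through a file in /tmp.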

People

  mluksa@redhat.com Marko Luksa
  dgrimm@redhat.com Daniel Grimm