Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-49735

afterburn.service and user@afterburn-ssh-keys fail in CS9 (SCOS) with SELinux enabled

XMLWordPrintable

    • selinux-policy-38.1.44-1.el9
    • None
    • None
    • rhel-sst-security-selinux
    • ssg_security
    • 25
    • None
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      The afterburn service does not trigger SELinux denials when started in Stream CoreOS environment.

      Show
      The afterburn service does not trigger SELinux denials when started in Stream CoreOS environment.
    • Pass
    • None
    • Unspecified Release Note Type - Unknown
    • None

      What were you trying to do that didn't work?

       

      In the CentOS Stream CoreOS 9 build used by OKD, we faced OKD-223, where nodes aren't able to join a cluster because the afterburn units fail to start due to denied permissions when accessing the files they are meant to access to pursue their job.

       

      I didn't find the right component to bind for afterburn and used ignition for the closeness to the coreos community.

      Please provide the package NVR for which bug is seen:

      How reproducible: Always

      afterburn-5.6.0-1.el9.x86_64
      afterburn-dracut-5.6.0-1.el9.x86_64

      Steps to reproduce

      1. In a AWS machine with selinux enabled and CS9 (actually done with SCOS, I'm unsure it can reproduce so easily in pure CS9)
      2. systemctl start afterburn
      3.  

      Expected results

       

      Success

      Actual results

       

      Jul 18 06:32:30 localhost afterburn[879]: Jul 18 06:32:30.747 INFO Putting http://169.254.169.254/latest/api/token: Attempt #1
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: Jul 18 06:32:31.765 INFO Putting http://169.254.169.254/latest/api/token: Attempt #2
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: Error: failed to run
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: Caused by:
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]:     0: writing metadata attributes
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]:     1: failed to create directory "/run/metadata"
Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]:     2: Permission denied (os error 13)
Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: afterburn.service: Main process exited, code=exited, status=1/FAILURE
Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: afterburn.service: Failed with result 'exit-code'.
Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: Failed to start Afterburn (Metadata).

       

       

      Additional info:

      https://github.com/fedora-selinux/selinux-policy/pull/1362/files, https://github.com/fedora-selinux/selinux-policy/pull/2000  might be the fixes to downstream (Fedora/FCOS is not affected)

              rhn-support-zpytela Zdenek Pytela
              rhn-support-adistefa Alessandro Di Stefano
              CoreOS Bot CoreOS Bot
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: