Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-49735

afterburn.service and user@afterburn-ssh-keys fail in CS9 (SCOS) with SELinux enabled

    • selinux-policy-38.1.44-1.el9
    • None
    • None
    • sst_security_selinux
    • ssg_security
    • 25
    • None
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      The afterburn service does not trigger SELinux denials when started in Stream CoreOS environment.

      Show
      The afterburn service does not trigger SELinux denials when started in Stream CoreOS environment.
    • Pass
    • None
    • Unspecified Release Note Type - Unknown
    • None

      What were you trying to do that didn't work?

       

      In the CentOS Stream CoreOS 9 build used by OKD, we faced OKD-223, where nodes aren't able to join a cluster because the afterburn units fail to start due to denied permissions when accessing the files they are meant to access to pursue their job.

       

      I didn't find the right component to bind for afterburn and used ignition for the closeness to the coreos community.

      Please provide the package NVR for which bug is seen:

      How reproducible: Always

      afterburn-5.6.0-1.el9.x86_64
      afterburn-dracut-5.6.0-1.el9.x86_64

      Steps to reproduce

      1. In a AWS machine with selinux enabled and CS9 (actually done with SCOS, I'm unsure it can reproduce so easily in pure CS9)
      2. systemctl start afterburn
      3.  

      Expected results

       

      Success

      Actual results

       

      Jul 18 06:32:30 localhost afterburn[879]: Jul 18 06:32:30.747 INFO Putting http://169.254.169.254/latest/api/token: Attempt #1
      Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: Jul 18 06:32:31.765 INFO Putting http://169.254.169.254/latest/api/token: Attempt #2
      Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: Error: failed to run
      Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]: Caused by:
      Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]:     0: writing metadata attributes
      Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]:     1: failed to create directory "/run/metadata"
      Jul 18 06:32:31 ip-10-0-29-129 afterburn[879]:     2: Permission denied (os error 13)
      Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: afterburn.service: Main process exited, code=exited, status=1/FAILURE
      Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: afterburn.service: Failed with result 'exit-code'.
      Jul 18 06:32:31 ip-10-0-29-129 systemd[1]: Failed to start Afterburn (Metadata). 

       

       

      Additional info:

      https://github.com/fedora-selinux/selinux-policy/pull/1362/files, https://github.com/fedora-selinux/selinux-policy/pull/2000  might be the fixes to downstream (Fedora/FCOS is not affected)

            rhn-support-zpytela Zdenek Pytela
            rhn-support-adistefa Alessandro Di Stefano
            CoreOS Bot CoreOS Bot
            Milos Malik Milos Malik
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated: