SELinux blocking disk operations on a hostPath volume #362
Comments
This did not, unfortunately, solve the problem:
I was able to get the full application running this command repeatedly as the containers started up.
Because three different pods are interacting with this directory, and Postgres is particularly feisty about ownership, the various operations they do to confirm ownership and set permissions cause the pods to lose access. Here's the audit log:
OK, here's what worked for me.
Sorry, it's me again. I've been comparing k3s and rke2 here, which ostensibly use the same local path provisioner, and k3s is not having the same issue. And it seems to be because k3s is not applying the same ownership semantics on the volume. In particular, here's what
Note the lack of container labels. I'm just going to check myself that perhaps k3s doesn't enable full SELinux enforcement by default; I will see. If that's the case, no need to reply, I'll figure that out soon enough :-) EDIT: installing k3s with
We create a selinux policy to make it work. I don't remember how we figured this out, but we have our ansible do it automatically now.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

This issue was closed because it has been stalled for 5 days with no activity.
I have a `hostPath` persistent volume pointed to a path `/opt/anaconda/storage` that is owned by 1000:0, the same UID and GID that the pod will run in. This PV is shared by three pods, one of them running `postgres`. This pod tries to `chmod 700` its subdirectory (because, you know, postgres). I believe SELinux is denying that operation, at least sometimes. The symptom is that when I first start the pod, it works fine, and it can see `/mnt/pgdata` (where `/opt/anaconda/storage/pgdata` is mounted), but after some time, it can no longer access that directory, despite having the right owner and primary group.

Disabling SELinux solved the problem, but of course I'd prefer not to have to do that. This seems like it may be a duplicate of #100 but I'm not sufficiently familiar with SELinux yet to know how to test the `chcon` fix. I will update if I find it.

I turned on permissive SELinux mode and fired up the application, and got a much longer set of denials. I'm offering that in the attachment below. Here's what seems to be the relevant snippet of the log before I turned permissive mode on.

selinux.log
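As an added example (not code from this thread or from the local-path-provisioner project), here is a POSIX shell helper for triaging the kind of AVC denials the reporter attached: it lists every denial under the hostPath directory with the target SELinux type, and checks whether that type is one a `container_t` process may use as a volume. The audit lines are constructed samples, not the reporter's `selinux.log`; only the path `/opt/anaconda/storage` is taken from the issue.

```shell
#!/bin/sh
# CONSTRUCTED sample audit records (not the reporter's log). They mimic what an
# AVC denial looks like when a container process touches a directory that was
# never labelled for container use (type unlabeled_t); the last line is noise
# from an unrelated path so the filter has something to exclude.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { setattr } for  pid=4242 comm="chmod" path="/opt/anaconda/storage/pgdata" dev="dm-0" ino=131 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=4243 comm="postgres" path="/opt/anaconda/storage/pgdata/PG_VERSION" dev="dm-0" ino=132 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=4244 comm="nginx" path="/var/log/nginx/access.log" dev="dm-0" ino=133 scontext=system_u:system_r:container_t:s0:c56,c78 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# avc_denials_under PREFIX: read audit text on stdin and print one line
# "perm comm target_type path" for each AVC denial whose path starts with PREFIX.
avc_denials_under() {
  prefix=$1
  grep 'avc:  denied' | grep "path=\"$prefix" | while IFS= read -r line; do
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p' | tr -d ' ')
    comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    path=$(printf '%s\n' "$line" | sed -n 's/.*path="\([^"]*\)".*/\1/p')
    # tcontext is user:role:type:level; keep only the type field.
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    printf '%s %s %s %s\n' "$perm" "$comm" "$ttype" "$path"
  done
}

# container_volume_type TYPE: succeed if TYPE is a file type container_t may
# read and write as a mounted volume (the type chcon -t container_file_t sets).
container_volume_type() {
  case $1 in
    container_file_t|svirt_sandbox_file_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage on the constructed sample: list denials under the hostPath and, when the
# target type is not a container volume type, name the relabel that fixes it.
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_under /opt/anaconda/storage |
while read -r perm comm ttype path; do
  echo "denied $perm by $comm on $path (type $ttype)"
  container_volume_type "$ttype" ||
    echo "  -> relabel: chcon -Rt container_file_t /opt/anaconda/storage"
done
```

On a live host the same function can be fed with `ausearch -m AVC --raw`; a relabel only needs to be repeated if something writes the directory with a different type again, which is what `restorecon` with a matching `semanage fcontext` rule prevents.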