check-config fails permission denied #6278
Comments
Disabling apparmor and re-starting the OS fixes the permissions issue and then most of the features are found but check-config still fails now because of apparmor.
What happens if you install the
I had wondered that as well (but forgot to specify it). It is already installed.
It appears that apparmor-parser is not officially released for 15.4 yet: https://software.opensuse.org/package/apparmor
Appears to pass just fine on Latest 15.4 release (all commands run as root)
@dereknola are you saying everything works for you? I just refreshed and updated, re-installed k3s, still not working for me.
I am unable to reproduce it either. Something is unusual on your host. Have you or someone else taken some additional steps to harden it beyond what opensuse comes with on a normal ISO install or VM image? fapolicyd, mounting things noexec, applying some sort of STIG hardening script to it?
No, I haven't done any extra steps or hardening BUT it is a VM running in Proxmox. If I disable apparmor and restart, then everything is fine.
Was able to reproduce this in another installation. Uploaded OS ISO - openSUSE-Leap-15.4-DVD-x86_64-Build243.2-Media to VMware Cloud Director (can't determine version).
I shut down the VM and enabled
And again, if I disable apparmor and restart, then check-config works. Same virtualization system w/ openSUSE Leap 15.3 works. I really don't have bare metal to reproduce on. Is there some other virtualization scenario to try?
I am not able to reproduce this on Azure using openSUSE Leap 15.4. Going to check a few more things out and then will probably come back here and close this.
Working on Azure
I just re-downloaded the media
Proxmox VM
Ran script from k3s.io
So what could be different from Azure's openSUSE 15.4 and my installation/environment? Any hints on what to look into w/ regards to AppArmor and the environment?
Turns out that Azure doesn't have any AppArmor profiles. It is installed, but nothing is active. These processes are now profiled as of 15.4
This is the process that is erroring out in k3s check-config. On the machines you guys couldn't reproduce on, were there any active profiles
Going to look into what the profile is restricting.
Can you confirm which apparmor related packages you have installed on your host? We do most of our testing on cloud instances or VM images since they're easy to spin up and tear down for dev/QA work. I'm not sure how often we test on bare-metal installs from ISO media.
Understandable Leap15.4
Leap15.3
That is interesting. These profile restrictions don't seem to affect k3s otherwise, I wonder why they are specifically preventing zgrep from being used. We can take a look at what it would take to make profiles available for k3s.
I am seeing the same thing, my customized install of k3s seems fine but I can't call check-config. I can work around it by disabling the zgrep profile
Since it is a permissions issue zgrep calling gzip, I also was able to get around it by deleting the symlink from k3s/data/current/bin/gzip -> busybox and replacing it w/ a symlink to /usr/bin/gzip
Will changing the symlink for gzip to not use busybox but instead use /usr/bin/gzip cause any issues? I noticed your check-config caught me ;>)
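An added example, not part of the thread or of k3s: a shell helper that tallies AppArmor denials for one profile from kernel audit lines, which is one way to see what the zgrep profile blocks while check-config runs. The log lines are constructed samples; the k3s path, pids and timestamps in them are assumptions.

```shell
#!/bin/sh
# Summarise AppArmor denials for one profile from kernel audit lines.
# On a live host (assumption: denials reach the kernel log):
#   dmesg | apparmor_denials zgrep

# Constructed sample lines in the kernel apparmor="DENIED" audit format.
# Paths, pids and timestamps are made up for illustration.
sample_log() {
cat <<'EOF'
audit: type=1400 audit(1664000000.101:51): apparmor="DENIED" operation="exec" profile="zgrep" name="/var/lib/rancher/k3s/data/current/bin/busybox" pid=2101 comm="zgrep" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1664000000.205:52): apparmor="DENIED" operation="exec" profile="zgrep" name="/var/lib/rancher/k3s/data/current/bin/busybox" pid=2107 comm="zgrep" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1664000001.310:53): apparmor="DENIED" operation="open" profile="ping" name="/etc/hosts.custom" pid=2200 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1664000002.020:54): apparmor="ALLOWED" operation="exec" profile="zgrep" name="/usr/bin/gzip" pid=2301 comm="zgrep" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
EOF
}

# Read audit lines on stdin; print "<count> <operation> <denied_mask> <name>"
# for every distinct denial logged against the profile given as $1.
apparmor_denials() {
    profile="$1"
    awk -v want="$profile" '
        # Return the value of key="value" in an audit line, or "" if absent.
        function field(line, key,    s) {
            line = " " line
            if (!match(line, " " key "=\"[^\"]*\"")) return ""
            s = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
            return s
        }
        # Complain-mode lines (apparmor="ALLOWED") are skipped on purpose.
        /apparmor="DENIED"/ {
            if (field($0, "profile") != want) next
            k = field($0, "operation") " " field($0, "denied_mask") " " field($0, "name")
            count[k]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Demo run on the constructed sample.
sample_log | apparmor_denials zgrep
```

An exec denial whose name points under the k3s data directory rather than /usr/bin matches the symptom described in this thread, where zgrep is blocked from running the bundled gzip.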
Validated on k3s version v1.27.3+k3s-be442433 using latest commit be44243 from master branch
Environment Details
Infrastructure:
Node(s) CPU architecture, OS, and Version:
Cluster Configuration:
Steps:
Results from issue reproduction
Results from issue validation
Environmental Info:
K3s Version:
v1.24.6+k3s1
Node(s) CPU architecture, OS, and Version:
Linux kw-leap15-4-a 5.14.21-150400.24.21-default #1 SMP PREEMPT_DYNAMIC Wed Sep 7 06:51:18 UTC 2022 (974d0aa) x86_64 x86_64 x86_64 GNU/Linux
VM running in ProxMox
Cluster Configuration:
Single node
Describe the bug:
k3s check-config reports permissions denied when using zgrep to detect features.
Steps To Reproduce:
Installed K3s:
As root I ran the default script on k3s.io
curl -sfL https://get.k3s.io | sh -
k3s installed and get nodes or get pods -A looks good
As root run
k3s check-config
Expected behavior:
Should display installed OS features and 'pass'
Actual behavior:
permission denied for each feature check
Additional context / logs:
I am able to reproduce this on multiple Leap 15.4 'default' installations, but on Leap 15.3 it seems to work fine.
check-config.txt