centos8: set SELinux boolean that is now required for chardev access by containers #968

Merged
merged 1 commit into from
Feb 21, 2023

Conversation

jean-edouard
Contributor

No description provided.

@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Feb 20, 2023
@xpivarc
Member

xpivarc commented Feb 20, 2023

@brianmcarey FYI, relates to kubevirt/kubevirt#9208

@oshoval
Contributor

oshoval commented Feb 21, 2023

https://prow.ci.kubevirt.io/view/gs/kubevirt-prow/pr-logs/pull/kubevirt_kubevirtci/968/check-provision-k8s-1.24/1627702552218832896

Not related to this PR
failed to delete CustomResourceDefinition(e2e-test-crd-publish-openapi-5167-crd): Internal error occurred: etcdserver: request timed out - we might want to consider using ramfs as we are doing with kind

@oshoval
Contributor

oshoval commented Feb 21, 2023

We don't have a presubmit job for 1.26 anymore it seems, but publish does run it,
so in case there are problems, publish might fail
(unless we are fine to take the risk, which is ok)

@oshoval
Contributor

oshoval commented Feb 21, 2023

> @brianmcarey FYI, relates to kubevirt/kubevirt#9208

Worth adding a failure example to the PR description, please.

Member

@brianmcarey brianmcarey left a comment

/lgtm

/approve

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Feb 21, 2023
@kubevirt-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brianmcarey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 21, 2023
@kubevirt-bot kubevirt-bot merged commit 656d01a into kubevirt:main Feb 21, 2023
kubevirt-bot added a commit to kubevirt-bot/kubevirt that referenced this pull request Feb 21, 2023
[656d01a centos8: set SELinux boolean that is now required for chardev access by containers](kubevirt/kubevirtci#968)
[31e5860 vm based providers: Introduce robust stack provider](kubevirt/kubevirtci#954)
[15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947)
[0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960)
[e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959)
[9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956)

```release-note
NONE
```

Signed-off-by: kubevirt-bot <[email protected]>
@EdDev
Member

EdDev commented Feb 21, 2023

@jean-edouard, it seems we tweak the nodes with this configuration for the kubevirtci.

Who is supposed to tweak it for production nodes?

@jean-edouard
Contributor Author

> @jean-edouard, it seems we tweak the nodes with this configuration for the kubevirtci.
>
> Who is supposed to tweak it for production nodes?

I was planning on documenting that the boolean has to be enabled on SELinux-enabled nodes... For now, the bump-kubevirtci PR is still failing in kubevirt/kubevirt, so the final resolution may or may not include this change.
The fact that each distro has its own SELinux policy, and that policies are randomly subject to change, makes it really hard on us! (Centos 8 allowed chardev access to container processes until recently...)

@EdDev
Member

EdDev commented Feb 21, 2023

> The fact that each distro has its own SELinux policy, and that policies are randomly subject to change, makes it really hard on us! (Centos 8 allowed chardev access to container processes until recently...)

I think that formally we only support CentOS Stream for nodes, it is the only distribution we test.

The problem is that we bump it from time to time, catching bugs like this one.
Here is another example: https://bugzilla.redhat.com/2172090

However, patching our CI may just mask the problem.

@oshoval
Contributor

oshoval commented Feb 22, 2023

> The problem is that we bump it from time to time, catching bugs like this one.

I am planning to do two things:

  1. vm based providers: Introduce Provision manager #957
    More controlled provider rebuilding.
  2. Create a bit easier way to test a non released provider with all kubevirt jobs on CI, so hopefully it will allow us
    to test things better before they appear on the bump.

@oshoval
Contributor

oshoval commented Mar 1, 2023

I wonder if by any chance, once it is fixed on kubevirt, it can shed some light about WA for
kubernetes-sigs/kind#2999
(anyhow, we are moving to k3d for now it seems soon)

oshoval added a commit to oshoval/kubevirt that referenced this pull request Mar 6, 2023
[1b9174d centos8: update SELinux policy version](kubevirt/kubevirtci#975)
[e1cf770 robust stack: Fix sanity check](kubevirt/kubevirtci#970)
[bc50e16 Add WFFC variation of rook-ceph-block](kubevirt/kubevirtci#967)
[656d01a centos8: set SELinux boolean that is now required for chardev access by containers](kubevirt/kubevirtci#968)
[31e5860 vm based providers: Introduce robust stack provider](kubevirt/kubevirtci#954)
[15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947)
[0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960)
[e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959)
[9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956)

```release-note
NONE
```

Signed-off-by: Or Shoval <[email protected]>
kubevirt-bot added a commit to kubevirt-bot/kubevirt that referenced this pull request Mar 6, 2023
[1b9174d centos8: update SELinux policy version](kubevirt/kubevirtci#975)
[e1cf770 robust stack: Fix sanity check](kubevirt/kubevirtci#970)
[bc50e16 Add WFFC variation of rook-ceph-block](kubevirt/kubevirtci#967)
[656d01a centos8: set SELinux boolean that is now required for chardev access by containers](kubevirt/kubevirtci#968)
[31e5860 vm based providers: Introduce robust stack provider](kubevirt/kubevirtci#954)
[15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947)
[0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960)
[e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959)
[9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956)

```release-note
NONE
```

Signed-off-by: kubevirt-bot <[email protected]>
oshoval added a commit to oshoval/kubevirt that referenced this pull request Mar 7, 2023
[1b9174d centos8: update SELinux policy version](kubevirt/kubevirtci#975)
[e1cf770 robust stack: Fix sanity check](kubevirt/kubevirtci#970)
[bc50e16 Add WFFC variation of rook-ceph-block](kubevirt/kubevirtci#967)
[656d01a centos8: set SELinux boolean that is now required for chardev access by containers](kubevirt/kubevirtci#968)
[31e5860 vm based providers: Introduce robust stack provider](kubevirt/kubevirtci#954)
[15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947)
[0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960)
[e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959)
[9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956)

```release-note
NONE
```

Signed-off-by: Or Shoval <[email protected]>
tiraboschi added a commit to tiraboschi/hyperconverged-cluster-operator that referenced this pull request Mar 20, 2023
Workaround for kubevirt/kubevirt#9434
we started setting SELinux boolean for chardev access
with kubevirt/kubevirtci#968
but it got reverted with kubevirt/kubevirtci#975
although it's still needed with Kubevirt v0.58.1
TODO: let's remove this once kubevirt/kubevirt#9434
is fixed

Signed-off-by: stirabos <[email protected]>
kubevirt-bot pushed a commit to kubevirt/hyperconverged-cluster-operator that referenced this pull request Mar 20, 2023
* [release-1.8] Align github actions from newer branches

Backport a few configuration changes
in github actions.

Signed-off-by: stirabos <[email protected]>

* Fix bug and change cri selection procedure of cluster-sync. (#2155)

The command for getting the registry port gets more than one output,
which breaks following commands in the deploying scripts. The output is
now parsed to pickup just the first port.

Also the container runtime selection was hardcoded, now it uses the cri
selection script of kubevirtci.

Co-authored-by: Felix Matouschek <[email protected]>
Signed-off-by: Javier Cano Cano <[email protected]>

Signed-off-by: Javier Cano Cano <[email protected]>
Co-authored-by: Felix Matouschek <[email protected]>

* cluster-up: Fix tag updating (#2189)

In case the _kubevirtci folder exists,
changing the tag won't reclone the folder.
The cluster-up folder won't be updated and it can lead
to bugs in case the folder is changed.

Fix it by deleting the folder in case of tag mismatch.
It will enforce a reclone.

Signed-off-by: Or Shoval <[email protected]>

Signed-off-by: Or Shoval <[email protected]>

* Bump the default kubevirtci provider

Signed-off-by: stirabos <[email protected]>

* Workaround for SELinux boolean for chardev

Workaround for kubevirt/kubevirt#9434
we started setting SELinux boolean for chardev access
with kubevirt/kubevirtci#968
but it got reverted with kubevirt/kubevirtci#975
although it's still needed with Kubevirt v0.58.1
TODO: let's remove this once kubevirt/kubevirt#9434
is fixed

Signed-off-by: stirabos <[email protected]>

---------

Signed-off-by: stirabos <[email protected]>
Signed-off-by: Javier Cano Cano <[email protected]>
Signed-off-by: Or Shoval <[email protected]>
Co-authored-by: Javier Cano Cano <[email protected]>
Co-authored-by: Felix Matouschek <[email protected]>
Co-authored-by: oscollabus <[email protected]>