Description:
When enabling SELinux support in a pre-provisioned custom K3s cluster, containers fail to start due to incorrect SELinux contexts on pre-existing snapshot files. The issue stems from the upstream k3s-selinux policy skipping context assignment on snapshot contents.
SURE-10172
Rancher Server Setup:
- Rancher version: 2.10.1
- OS: Rocky 8.10
Information about the Downstream Cluster:
- Kubernetes version: v1.31.7+k3s1
Repro Steps:
1. Create a custom k3s cluster on Rancher 2.10.1 on v1.31.7 (other versions likely affected). Keep the default settings, including `selinux: false`.
2. Create a Rocky 8.10 node (or any node with SELinux enabled).
3. Join the node to the cluster as an all-roles node with the registration command.
4. Install the prerequisites (note that the SELinux policy base, `selinux-policy-base`, is already present on the OS):
   ```
   yum install -y container-selinux
   ```
   (Grabbed the latest k3s-selinux from GitHub, since the k3s docs only mention a CentOS 7 version.)
   ```
   yum install -y https://github.com/k3s-io/k3s-selinux/releases/download/v1.6.latest.1/k3s-selinux-1.6-1.el8.noarch.rpm
   ```
5. Enable SELinux support on the cluster by editing its YAML: set `spec.rkeConfig.machineSelectorConfig.config.selinux` from `false` to `true`.
6. Redeploy the cattle-cluster-agent on the downstream cluster.

It will error out with:
```
/bin/bash: error while loading shared libraries: /lib64/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
```
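As an added check (not part of this issue or of k3s-selinux): a small shell function that reads `ls -Z`-style output and reports every file whose SELinux type differs from the type the policy expects for the snapshot directory, which is how the mislabelled snapshot contents described above can be spotted before containers fail. The `container_file_t` expected type, the sample paths and the sample contexts are constructed assumptions for the demonstration; on a real node take the expected type from the installed policy (e.g. `matchpathcon <dir>`) rather than guessing it.

```shell
#!/usr/bin/env sh
# Added example, not code from the issue or from k3s-selinux.
# Flags files whose SELinux type does not match the type the policy expects.
# Input is `ls -Z`-style lines: "user:role:type:level path".
# On a real node you would pipe in the output of e.g.
#   ls -Z /var/lib/rancher/k3s/agent/containerd/<snapshotter>/snapshots/*/fs/lib64
# The expected type is a parameter taken from the installed policy (matchpathcon).

# Constructed sample listing (assumed contexts and paths, not real data):
# two files carry the assumed expected type, one does not.
SAMPLE_LISTING='system_u:object_r:container_file_t:s0 /snapshots/1/fs/bin/bash
system_u:object_r:container_file_t:s0 /snapshots/1/fs/lib64/libc.so.6
unconfined_u:object_r:var_lib_t:s0 /snapshots/2/fs/lib64/libc.so.6'

# find_mismatched_contexts EXPECTED_TYPE   (listing on stdin)
# Prints "<actual_type> <path>" for every line whose type field differs
# from EXPECTED_TYPE; lines that do not look like a context + path are skipped.
find_mismatched_contexts() {
    expected="$1"
    awk -v want="$expected" '
        NF >= 2 {
            n = split($1, ctx, ":")
            # ctx[3] is the type field of user:role:type:level
            if (n >= 3 && ctx[3] != want) print ctx[3], $2
        }'
}

# count_mismatches EXPECTED_TYPE: number of mismatching files in the sample.
count_mismatches() {
    printf '%s\n' "$SAMPLE_LISTING" | find_mismatched_contexts "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample (assumed expected type).
printf '%s\n' "$SAMPLE_LISTING" | find_mismatched_contexts container_file_t
```

A mismatch is only a finding when the expected type really is the one the policy assigns to that directory; a dry-run `restorecon -nv` over the same path shows what the policy itself would relabel.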