
aws-node container failing to restart with SELinux enabled #2079

Closed · sahilbadla opened this issue Sep 8, 2022 · 5 comments
Labels: bug, stale (Issue or PR is stale)

@sahilbadla

What happened:

aws-node container is having problems restarting after SELinux enforcing mode is applied. This happens because the file '/host/etc/cni/net.d/10-aws.conflist' was created by an older container (the first aws-node container on the node) with a different context than the new container initializing. That puts the new container in CrashLoopBackOff.

Here's an example from one of the nodes:

[screenshot]

Now when I delete this pod and a new pod (aws-node-rxcq6) comes up, here's the error message from the aws-node container:

[screenshot]

Detailed exception:

[screenshot]

As you can see, the new container (with context c220,c982) is not able to "mv" the file "10-aws.conflist" that was created with a different context (c615,c828). This is the line of code where it fails: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/scripts/entrypoint.sh#L199

Looks like if we change the mv command to cp instead, it should work with SELinux. Reference: https://danwalsh.livejournal.com/56534.html

How to reproduce it (as minimally and precisely as possible):

  • Deploy cni v1.11.2
  • Set Selinux to enforcing mode

Environment:

  • Kubernetes version (use kubectl version): v1.21.14-eks-18ef993
  • CNI Version: v1.11.2
  • OS (e.g: cat /etc/os-release):
    NAME="Amazon Linux"
    VERSION="2"
    ID="amzn"
    ID_LIKE="centos rhel fedora"
  • Kernel (e.g. uname -a): ip-10-134-188-70.vpc.internal 5.4.204-113.362.amzn2.x86_64
@github-actions bot

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days

@github-actions github-actions bot added the stale Issue or PR is stale label Nov 20, 2022
@jayanthvn (Contributor)

/not stale

@github-actions github-actions bot removed the stale Issue or PR is stale label Nov 22, 2022
@github-actions bot

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days

@github-actions github-actions bot added the stale Issue or PR is stale label Jan 22, 2023
@jdn5126 (Contributor) commented Jan 27, 2023

Since the move to a Golang entrypoint, we no longer use the shell mv command. Instead, we copy the file to the destination path named <file>.tmp, then call os.Rename: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/utils/cp/cp.go#L48

This should resolve the SELinux issue in enforcing mode, so closing this as fixed by #2146

@jdn5126 jdn5126 closed this as completed Jan 27, 2023
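The copy-then-rename step jdn5126 describes, as an added example that is not the project's cp.go: the .tmp file is newly created inside the destination directory, so SELinux labels it from the creating process and the parent directory instead of keeping the old container's label the way mv does, and os.Rename then swaps it over the target name atomically. The function name CopyThenRename, the scratch directory and the sample conflist contents are assumptions made for this example.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// SampleConflist is a constructed stand-in for 10-aws.conflist, not the real file.
const SampleConflist = `{"cniVersion":"0.4.0","name":"aws-cni","plugins":[{"type":"aws-cni"}]}`
// CopyThenRename copies src into <dst>.tmp inside the destination directory and
// renames it over dst. The .tmp file is newly created, so it gets a fresh SELinux
// label instead of carrying src's label along the way mv does, and os.Rename on
// one filesystem swaps the config in atomically (no half-written file is visible).
func CopyThenRename(src, dst string) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	tmp := dst + ".tmp"
	out, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	if _, err = io.Copy(out, in); err == nil {
		err = out.Sync()
	}
	if cerr := out.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		os.Remove(tmp) // never leave a half-written .tmp behind
		return err
	}
	return os.Rename(tmp, dst)
}

func main() {
	dir, _ := os.MkdirTemp("", "cni-demo") // constructed scratch dir for the demo
	defer os.RemoveAll(dir)
	src, dst := filepath.Join(dir, "staged.conflist"), filepath.Join(dir, "10-aws.conflist")
	err := os.WriteFile(src, []byte(SampleConflist), 0o644)
	if err == nil {
		err = CopyThenRename(src, dst)
	}
	fmt.Println("copy-then-rename error:", err)
}
```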
