
[rhcos-4.17] workaround selinux issues with osbuild #3886

Conversation

openshift-cherrypick-robot

This is an automated cherry-pick of #3885

/assign dustymabe

These are extremely useful when dealing with a limited serial
console to try to restore some order to the output.
We have a few issues right now where files in our images
don't have any selinux context (i.e. end up unlabeled_t).
Here we work around the hidden mountpoints issue [1] with
a patch to OSBuild to hardcode some chcon calls. We
work around the "bunch of files under /sysroot are unlabeled"
issue [2] by backporting a proposed upstream change to
the org.osbuild.selinux stage [3] and then using it to
explicitly set the context on the root of the tree to
`root_t`. We also add a fix [4] for another issue where
'/boot/coreos/platforms.json' would end up with the
wrong label.

[1] coreos/fedora-coreos-tracker#1771
[2] coreos/fedora-coreos-tracker#1772
[3] osbuild/osbuild#1889
[4] osbuild/osbuild#1888

openshift-ci bot commented Sep 19, 2024

Hi @openshift-cherrypick-robot. Thanks for your PR.

I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dustymabe
Member

/ok-to-test

@dustymabe dustymabe added the hold waiting on something label Sep 20, 2024
@dustymabe
Member

dustymabe commented Sep 26, 2024

/unhold

There was one reason I was holding this PR: I thought the disk images still had one file in them that was unlabeled and I needed to thoroughly investigate it. It turns out it is a file that gets created on boot on systemd less than v254 and we're not sure why, but newer versions of systemd don't have the problem and on upgrading systems the problem goes away, so we're just adding it as an exception in the test for now.

I'm writing a test that verifies files on the filesystem
in CoreOS machines match the SELinux policy. Placing
kolet in `/var/home/core/kolet` with a `bin_t` context
is a violation of this. Let's use /usr/local/bin/. This
has the side effect of the file having the right `bin_t`
context as soon as it is created.

(cherry picked from commit b076a72)
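The label check described in the commit message above (every file on the filesystem must carry the context the policy expects, with a short exception list for files known to be created at boot), as an added example that is not part of this PR, coreos-assembler, or osbuild. It parses `restorecon -nv` output offline from a constructed sample modelled on the /sysroot and kolet cases in this thread, drops a hypothetical exception list, and produces the chcon calls that would repair what remains, which is the shape of the workaround this PR hard-codes in osbuild. The `Would relabel ... from ... to ...` line format, every sample path other than /sysroot, and the expected contexts are assumptions.

```python
"""
Verify on-disk SELinux labels against policy and emit repair commands.

Added example; not code from this PR, coreos-assembler or osbuild.
Offline mode parses captured `restorecon -nv` output; live mode runs
`restorecon -nvr <root>` and needs policycoreutils plus the target policy.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumed line format of `restorecon -nv` (policycoreutils). Confirm on your
# version with `restorecon -nv <file>` after a deliberate chcon.
_LINE = re.compile(
    r"^Would relabel (?P<path>.+?) from (?P<actual>\S+) to (?P<expected>\S+)$"
)

# Constructed sample. /sysroot -> root_t is the case from the PR description;
# the other paths and contexts are hypothetical illustrations.
SAMPLE_OUTPUT = """\
Would relabel /sysroot from system_u:object_r:unlabeled_t:s0 to system_u:object_r:root_t:s0
Would relabel /sysroot/.example-marker from system_u:object_r:unlabeled_t:s0 to system_u:object_r:root_t:s0
Would relabel /var/home/core/kolet from system_u:object_r:bin_t:s0 to unconfined_u:object_r:user_home_t:s0
Would relabel /var/lib/example-created-at-boot from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_lib_t:s0
"""

# Hypothetical exception: a file a boot-time service creates without a label,
# excluded from the check the same way the thread describes.
KNOWN_EXCEPTIONS: Set[str] = {"/var/lib/example-created-at-boot"}


@dataclass(frozen=True)
class Mismatch:
    path: str
    actual: str
    expected: str

    @property
    def unlabeled(self) -> bool:
        """True when the file never got a label at all (the osbuild symptom)."""
        parts = self.actual.split(":")
        return len(parts) > 2 and parts[2] == "unlabeled_t"


def parse_restorecon(output: str) -> List[Mismatch]:
    """Turn `restorecon -nv` output into Mismatch records; ignores other lines."""
    found: List[Mismatch] = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            found.append(Mismatch(m["path"], m["actual"], m["expected"]))
    return found


def filter_exceptions(mismatches: Iterable[Mismatch], exceptions: Set[str]) -> List[Mismatch]:
    """Drop paths the test deliberately tolerates (exact path match only)."""
    return [m for m in mismatches if m.path not in exceptions]


def summarize(mismatches: Iterable[Mismatch]) -> Dict[str, int]:
    """Separate 'never labeled' from 'labeled, but wrongly'; they have different root causes."""
    counts = {"unlabeled": 0, "mislabeled": 0}
    for m in mismatches:
        counts["unlabeled" if m.unlabeled else "mislabeled"] += 1
    return counts


def chcon_commands(mismatches: Iterable[Mismatch]) -> List[List[str]]:
    """argv for the chcon call that repairs each mismatch; -h so a symlink itself
    is relabeled rather than its target."""
    return [["chcon", "-h", m.expected, m.path] for m in mismatches]


def live_check(root: str, exceptions: Set[str]) -> List[Mismatch]:
    """Dry-run restorecon over a real tree (policy must match the image's)."""
    proc = subprocess.run(
        ["restorecon", "-nvr", root], capture_output=True, text=True, check=False
    )
    return filter_exceptions(parse_restorecon(proc.stdout), exceptions)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    found = live_check(root, KNOWN_EXCEPTIONS) if root else filter_exceptions(
        parse_restorecon(SAMPLE_OUTPUT), KNOWN_EXCEPTIONS
    )
    print(summarize(found))
    for argv in chcon_commands(found):
        print(" ".join(argv))
    sys.exit(1 if found else 0)
```

Run it without arguments to see the constructed sample processed, or as `python3 selinux_label_check.py /` inside the booted machine (or a chroot with the same policy loaded) for the live list; only run restorecon without `-n`, or the printed chcon calls, after reviewing that list, since an exception list that is too broad hides exactly the unlabeled_t files this PR is about.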
@dustymabe
Member

added a cherry-pick of b076a72 here too.

@dustymabe dustymabe removed the hold waiting on something label Sep 26, 2024
Member

@marmijo marmijo left a comment


LGTM

@aaradhak
Member

/retest

@dustymabe
Member

CI is failing here with:

error: Packages not found: kata-containers

is RHCOS CI on these older branches expected to pass?

@mike-nguyen
Member

/retest-required

@mike-nguyen
Member

I checked the mirror on prow and it looks fine and contains the kata-containers package. Let's re-run and see if it fails again.

@dustymabe
Member

/retest-required

@dustymabe dustymabe merged commit dcf2b97 into coreos:rhcos-4.17 Sep 30, 2024
5 checks passed
5 participants