Resolve selinux installation issues #2394
This PR has been released (on staging) and is available for download with an embedded-cluster-smoke-test-staging-app license ID. Online Installer:
Airgap Installer (may take a few minutes before the airgap bundle is built):
Happy debugging!
TODO:
The preflight would have to be a run collector that checks:
I've rolled back my test changes after a discussion with @chris-sanders. I've performed manual testing on selinux-enabled systems that proves that this works, but was having significant trouble porting the single node alma linux test over to the cmx testing framework so that we can test automatically with selinux enabled.
This builds on the existing airgapped testing. Due to some limitations in our alma images, I had to change all script calls to absolute paths.
This now has a test. It's essentially the same as the airgap test, but it's performed on an alma linux CMX VM with selinux set to Enforcing mode.
@@ -363,7 +371,7 @@ func (c *Cluster) SetupPlaywrightAndRunTest(testName string, args ...string) (st | |||
|
|||
func (c *Cluster) SetupPlaywright(envs ...map[string]string) error { | |||
c.t.Logf("%s: bypassing kurl-proxy", time.Now().Format(time.RFC3339)) | |||
_, stderr, err := c.RunCommandOnNode(0, []string{"bypass-kurl-proxy.sh"}, envs...) | |||
_, stderr, err := c.RunCommandOnNode(0, []string{"/usr/local/bin/bypass-kurl-proxy.sh"}, envs...) |
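Review bot: the hard-coded "/usr/local/bin/bypass-kurl-proxy.sh" in the RunCommandOnNode call in SetupPlaywright carries no comment saying why a PATH lookup is not used, so a later cleanup could revert it to the bare script name and bring the failure back. Add a one-line comment at this call explaining that the bare name failed to resolve in these tests, and consider keeping the /usr/local/bin prefix in a single constant shared by the script calls so the workaround can be removed in one place once the PATH behaviour is understood.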
Is adding /usr/local/bin here necessary if it's being added to PATH above?
While writing these tests, I found that any $PATH settings would get ignored when we came to actually execute the scripts. I spent days banging my head against the problem and determined that using the absolute path was just simpler than working out where the problem was.
I believe the $PATH variable being stripped might actually be because of selinux 😓
OK, this does get passed on, but only in one place... when running the ec binary. All the .sh script calls fail if called with a PATH lookup 🤔
What this PR does / why we need it:
Enables Embedded Cluster to install in selinux environments by:
bin_t file context on our bin directory.
This should resolve selinux installation issues for most common selinux setups.
Administrators with custom policies and rules will still have to take extra steps to allow EC to install.
Which issue(s) this PR fixes:
Does this PR require a test?
Does this PR require a release note?
Does this PR require documentation?
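An added example (not code from this PR or from the Embedded Cluster project) for the bin_t file context named in the description above: a POSIX shell audit that lists files whose SELinux type is not bin_t. The directory /opt/ec-example/bin, the file names and the sample contexts are constructed placeholders, since the page does not give the real bin directory.

```shell
#!/bin/sh
# Added example: report files whose SELinux type is not the expected one.

# Print the type (third field) of a context such as user:role:type:level.
# The level may contain further colons (s0:c0.c1023), so fields are peeled
# off from the left. Fails for unlabeled output such as "?".
selinux_type() {
    case $1 in
        *:*:*) ;;
        *) return 1 ;;
    esac
    _rest=${1#*:}          # drop user
    _rest=${_rest#*:}      # drop role
    printf '%s\n' "${_rest%%:*}"
}

# Read "<context> <path>" lines (the output of: stat -c '%C %n') on stdin.
# Print "<type>TAB<path>" for each mismatch; return 1 if any were found.
report_mislabeled() {
    _want=${1:-bin_t}
    _rc=0
    while read -r _ctx _path; do
        [ -n "$_ctx" ] || continue
        _type=$(selinux_type "$_ctx") || _type=unlabeled
        if [ "$_type" != "$_want" ]; then
            printf '%s\t%s\n' "$_type" "$_path"
            _rc=1
        fi
    done
    return "$_rc"
}

# Live audit of a directory on an SELinux host (GNU stat prints the context).
audit_bin_dir() {
    find "$1" -type f -exec stat -c '%C %n' {} + | report_mislabeled bin_t
}

# Constructed sample listing; the path is a placeholder, not the project's.
sample_listing() {
    cat <<'EOF'
system_u:object_r:bin_t:s0 /opt/ec-example/bin/installer
unconfined_u:object_r:user_home_t:s0 /opt/ec-example/bin/helper
system_u:object_r:var_lib_t:s0:c0.c1023 /opt/ec-example/bin/tool
EOF
}

sample_listing | report_mislabeled bin_t || true
```

On a host in Enforcing mode, `audit_bin_dir <dir>` runs the same check against real labels and returns non-zero if any file is not bin_t.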