From 51a6b50a8446c36d13652a8b044cad1e70366f1c Mon Sep 17 00:00:00 2001
From: Sebastiaan van Steenis
Date: Thu, 29 Jul 2021 08:59:54 +0200
Subject: [PATCH] Revert "Do not rewrite SELinux labels on volume mounts"
---
cluster/cluster.go | 1 -
cluster/file-deployer.go | 8 +-----
cluster/plan.go | 36 ++++++++++++------------
hosts/hosts.go | 6 +---
pki/deploy.go | 6 ++--
pki/pki.go | 8 +++---
services/controlplane.go | 2 +-
services/etcd.go | 61 +++++++++------------------------------
services/services.go | 5 ----
9 files changed, 42 insertions(+), 91 deletions(-)
diff --git a/cluster/cluster.go b/cluster/cluster.go
index d92053a3..fb41d860 100644
--- a/cluster/cluster.go
+++ b/cluster/cluster.go
@@ -99,7 +99,6 @@ const ( NameLabel = "name" WorkerThreads = util.WorkerThreads - SELinuxLabel = services.SELinuxLabel serviceAccountTokenFileParam = "service-account-key-file"
diff --git a/cluster/file-deployer.go b/cluster/file-deployer.go
index e6317cb4..2d5aa9b6 100644
--- a/cluster/file-deployer.go
+++ b/cluster/file-deployer.go
@@ -60,15 +60,9 @@ func doDeployFile(ctx context.Context, host *hosts.Host, fileName, fileContents, } hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), }, } - if hosts.IsDockerSELinuxEnabled(host) { - // We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z) - logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, ContainerName, host.Address) - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } - if err := docker.DoRunOnetimeContainer(ctx, host.DClient, imageCfg, hostCfg, ContainerName, host.Address, ServiceName, prsMap); err != nil { return err }
diff --git a/cluster/plan.go b/cluster/plan.go
index 80536314..fd178914 100644
--- a/cluster/plan.go
+++ b/cluster/plan.go
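Review bot: The `:z` re-added on the `/etc/kubernetes` bind in doDeployFile makes Docker recursively relabel that host directory as shared container content on SELinux-enforcing hosts each time the deployer container is created, and the hunk leaves no trace of why the per-container type label it removes was abandoned. That relabel outlives the container and, because the shared label carries no MCS categories, any container running in the default confined container domain on the node can then read the kubeconfigs and certificates under that path; `:Z` would tie the label to this container's categories, but the same directory is mounted by several other containers in this patch, so a switch needs a coordinated decision rather than a one-line edit. The same pattern is repeated in cluster/plan.go, hosts/hosts.go, pki/deploy.go, pki/pki.go, services/controlplane.go and services/etcd.go. At minimum add a comment at this first bind, e.g. `// :z relabels the host dir as shared container content on SELinux hosts (reason: <why the type-label approach was reverted>)`. doDeployFile starts and ends outside the hunk.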
@@ -266,10 +266,10 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, serviceOptions v3.Kubern services.SidekickContainerName, } Binds := []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), } if c.Services.KubeAPI.AuditLog != nil && c.Services.KubeAPI.AuditLog.Enabled { - Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit", path.Join(host.PrefixPath, "/var/log/kube-audit"))) + Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit:z", path.Join(host.PrefixPath, "/var/log/kube-audit"))) bytes, err := yaml.Marshal(c.Services.KubeAPI.AuditLog.Configuration.Policy) if err != nil { logrus.Warnf("Error while marshalling auditlog policy: %v", err)
@@ -358,7 +358,7 @@ func (c *Cluster) BuildKubeControllerProcess(host *hosts.Host, serviceOptions v3 services.SidekickContainerName, } Binds := []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), } for arg, value := range c.Services.KubeController.ExtraArgs {
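Review bot: The `/var/log/kube-audit` bind in BuildKubeAPIProcess gains `:z`, so when the apiserver container runs confined (its HostConfig is outside the hunk) the audit-log directory is relabeled as shared container content without MCS categories and becomes writable by every confined container on the node, not only kube-apiserver; audit logs are tamper evidence, so this is a wider write surface than the `/etc/kubernetes` bind just above it. `:Z` would bind the directory to the apiserver container's categories, but the sidekick named in the `services.SidekickContainerName` context line shares these volumes and would need the same level, so whether that switch is viable cannot be judged from this hunk. If `:z` stays, document it on the append, e.g. `// :z (shared SELinux relabel): the audit dir is then accessible to every container domain on the host`. BuildKubeAPIProcess starts and ends outside the hunk; the kube-controller hunk at @@ -358 is the plain `/etc/kubernetes` case raised on cluster/file-deployer.go.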
@@ -485,29 +485,29 @@ func (c *Cluster) BuildKubeletProcess(host *hosts.Host, serviceOptions v3.Kubern } } else { Binds = []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), - "/etc/cni:/etc/cni:rw", - "/opt/cni:/opt/cni:rw", - fmt.Sprintf("%s:/var/lib/cni", path.Join(host.PrefixPath, "/var/lib/cni")), - "/var/lib/calico:/var/lib/calico", + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), + "/etc/cni:/etc/cni:rw,z", + "/opt/cni:/opt/cni:rw,z", + fmt.Sprintf("%s:/var/lib/cni:z", path.Join(host.PrefixPath, "/var/lib/cni")), + "/var/lib/calico:/var/lib/calico:z", "/etc/resolv.conf:/etc/resolv.conf", "/sys:/sys:rprivate", - host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave", - fmt.Sprintf("%s:%s:shared", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")), - "/var/lib/rancher:/var/lib/rancher:shared", + host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave,z", + fmt.Sprintf("%s:%s:shared,z", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")), + "/var/lib/rancher:/var/lib/rancher:shared,z", "/var/run:/var/run:rw,rprivate", "/run:/run:rprivate", fmt.Sprintf("%s:/etc/ceph", path.Join(host.PrefixPath, "/etc/ceph")), "/dev:/host/dev:rprivate", - "/var/log/containers:/var/log/containers", - "/var/log/pods:/var/log/pods", + "/var/log/containers:/var/log/containers:z", + "/var/log/pods:/var/log/pods:z", "/usr:/host/usr:ro", "/etc:/host/etc:ro", } // Special case to simplify using flex volumes if path.Join(host.PrefixPath, "/var/lib/kubelet") != "/var/lib/kubelet" { - Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared") + Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared,z") } } Binds = append(Binds, host.GetExtraBinds(kubelet.BaseService)...) 
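Review bot: `host.DockerInfo.DockerRootDir` is bind-mounted onto itself with `rw,rslave,z`, which on SELinux hosts asks Docker to recursively relabel its own data root as shared container content; that tree is where Docker keeps per-container layers and volumes under their own MCS labels, so the relabel may flatten those labels and is in any case a full-tree relabel on every kubelet container creation. `/var/log/containers` and `/var/log/pods` receive the same shared relabel. If the kubelet container runs privileged (its HostConfig is outside the hunk), it is unconfined and does not need the relabel, so the `,z` could be dropped from that one line: `host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave",`. Either way the mix of relabeled and untouched binds in this list (`/etc/resolv.conf`, `/sys`, `/etc/ceph`, `/usr`, `/etc` are left alone) deserves a comment stating the rule that decides which paths get `z`. BuildKubeletProcess starts and ends outside the hunk.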
@@ -622,7 +622,7 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, serviceOptions v3.Kube } } else { Binds = []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), "/run:/run", }
@@ -740,7 +740,7 @@ func (c *Cluster) BuildSchedulerProcess(host *hosts.Host, serviceOptions v3.Kube services.SidekickContainerName, } Binds := []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), } for arg, value := range c.Services.Scheduler.ExtraArgs {
@@ -910,8 +910,8 @@ func (c *Cluster) BuildEtcdProcess(host *hosts.Host, etcdHosts []*hosts.Host, se } Binds := []string{ - fmt.Sprintf("%s:%s", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir), - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:%s:z", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), } if serviceOptions.Etcd != nil {
diff --git a/hosts/hosts.go b/hosts/hosts.go
index e163a171..c0ef98d3 100644
--- a/hosts/hosts.go
+++ b/hosts/hosts.go
@@ -51,7 +51,6 @@ const ( CleanerContainerName = "kube-cleaner" LogCleanerContainerName = "rke-log-cleaner" RKELogsPath = "/var/lib/rancher/rke/log" - SELinuxLabel = "label=type:rke_container_t" B2DOS = "Boot2Docker" B2DPrefixPath = "/mnt/sda1/rke"
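Review bot: In BuildEtcdProcess the etcd data directory (`/var/lib/etcd` under the prefix path, mounted at `services.EtcdDataDir`) is bound with `:z`, so on SELinux hosts it is relabeled as shared container content without MCS categories; the `label=level:s0:c1000,c1001` level that services.go assigns through `MCSLabel` (apparently to the etcd container, going by the debug message this patch removes) then confines the process but not its data, and any confined container on the node can read the raw key-value store. `:Z` would carry that level onto the directory, but the snapshot, restore, checksum and permission-fix containers in services/etcd.go (@@ -346 through @@ -852) and the backup-bundle helpers in pki/pki.go mount the same paths with `:z` and would need a matching level, so this is a design decision rather than a one-line fix. Record it next to the bind, e.g. `// :z (shared) rather than :Z: the snapshot/restore helpers in services/etcd.go must also reach this directory`. BuildEtcdProcess starts and ends outside the hunk; the kube-proxy and scheduler hunks on this line are the plain `/etc/kubernetes` case raised on cluster/file-deployer.go, and the hosts.go const removal needs no review.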
@@ -307,14 +306,11 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) ( } bindMounts := []string{} for _, vol := range toCleanDirs { - bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol)) + bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol)) } hostCfg := &container.HostConfig{ Binds: bindMounts, } - if IsDockerSELinuxEnabled(host) { - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } return imageCfg, hostCfg }
diff --git a/pki/deploy.go b/pki/deploy.go
index 0c984469..5660561f 100644
--- a/pki/deploy.go
+++ b/pki/deploy.go
@@ -86,7 +86,7 @@ func DeployStateOnPlaneHost(ctx context.Context, host *hosts.Host, stateDownload } hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), }, Privileged: true, }
@@ -142,7 +142,7 @@ func doRunDeployer(ctx context.Context, host *hosts.Host, containerEnv []string, } hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), }, Privileged: true, }
@@ -300,7 +300,7 @@ func FetchFileFromHost(ctx context.Context, filePath, image string, host *hosts. } hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), }, Privileged: true, }
diff --git a/pki/pki.go b/pki/pki.go
index c042dbd3..291c7c1c 100644
--- a/pki/pki.go
+++ b/pki/pki.go
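Review bot: buildCleanerConfig now appends `:z` to every entry of `toCleanDirs`, so each directory the caller hands in is recursively relabeled as shared container content on SELinux hosts, and that label outlives the cleanup; the list is built outside this function, so nothing here prevents a broad host path from being relabeled as a side effect of a clean-up run. A comment on the append would make the contract explicit: `// :z relabels each dir recursively on SELinux hosts; keep toCleanDirs to RKE-owned paths`. The three pki/deploy.go hunks on this line (DeployStateOnPlaneHost, doRunDeployer, FetchFileFromHost) add `:z` to containers whose HostConfig has `Privileged: true`; Docker presumably runs those unconfined and skips the relabel, which would make the option inert there, so a comment stating which it is would stop the next reader from assuming the host directory is relabeled by these helpers. buildCleanerConfig starts outside the hunk.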
@@ -112,8 +112,8 @@ func SaveBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSystemI hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), - fmt.Sprintf("%s:/backup", etcdSnapshotPath), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/backup:z", etcdSnapshotPath), }, Privileged: true, }
@@ -149,8 +149,8 @@ func ExtractBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSyst hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")), - fmt.Sprintf("%s:/backup", etcdSnapshotPath), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/backup:z", etcdSnapshotPath), }, Privileged: true, }
diff --git a/services/controlplane.go b/services/controlplane.go
index 36b97c8f..6629ad93 100644
--- a/services/controlplane.go
+++ b/services/controlplane.go
@@ -374,7 +374,7 @@ func RunGetStateFileFromConfigMap(ctx context.Context, controlPlaneHost *hosts.H } hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/etc/kubernetes", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")), }, NetworkMode: container.NetworkMode("host"), RestartPolicy: container.RestartPolicy{Name: "no"},
diff --git a/services/etcd.go b/services/etcd.go
index 5ca627bf..c0af7941 100644
--- a/services/etcd.go
+++ b/services/etcd.go
@@ -346,16 +346,12 @@ func RunEtcdSnapshotSave(ctx context.Context, etcdHost *hosts.Host, prsMap map[s } hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/backup", EtcdSnapshotPath), - fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, + fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, NetworkMode: container.NetworkMode("host"), RestartPolicy: container.RestartPolicy{Name: restartPolicy}, } - if hosts.IsDockerSELinuxEnabled(etcdHost) { - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } - if once { log.Infof(ctx, "[etcd] Running snapshot save once on host [%s]", etcdHost.Address) logrus.Debugf("[etcd] Using command [%s] for snapshot save once container [%s] on host [%s]", getSanitizedSnapshotCmd(imageCfg, es.BackupConfig), EtcdSnapshotOnceContainerName, etcdHost.Address)
@@ -417,16 +413,12 @@ func RunGetStateFileFromSnapshot(ctx context.Context, etcdHost *hosts.Host, prsM } hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/backup", EtcdSnapshotPath), + fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath), }, NetworkMode: container.NetworkMode("host"), RestartPolicy: container.RestartPolicy{Name: "no"}, } - if hosts.IsDockerSELinuxEnabled(etcdHost) { - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } - if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdStateFileContainerName, etcdHost.Address); err != nil { return "", err }
@@ -488,14 +480,11 @@ func DownloadEtcdSnapshotFromS3(ctx context.Context, etcdHost *hosts.Host, prsMa log.Infof(ctx, s3Logline) hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/backup", EtcdSnapshotPath), - fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, + fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, NetworkMode: container.NetworkMode("host"), RestartPolicy: container.RestartPolicy{Name: "no"}, } - if hosts.IsDockerSELinuxEnabled(etcdHost) { - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil { return err }
@@ -547,14 +536,11 @@ func RestoreEtcdSnapshot(ctx context.Context, etcdHost *hosts.Host, prsMap map[s } hostCfg := &container.HostConfig{ Binds: []string{ - "/opt/rke/:/opt/rke/", - fmt.Sprintf("%s:/var/lib/rancher/etcd", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")), - fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, + "/opt/rke/:/opt/rke/:z", + fmt.Sprintf("%s:/var/lib/rancher/etcd:z", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, NetworkMode: container.NetworkMode("host"), } - if hosts.IsDockerSELinuxEnabled(etcdHost) { - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdRestoreContainerName, etcdHost.Address); err != nil { return err }
@@ -624,13 +610,10 @@ func RunEtcdSnapshotRemove(ctx context.Context, etcdHost *hosts.Host, prsMap map hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/backup", EtcdSnapshotPath), + fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath), }, RestartPolicy: container.RestartPolicy{Name: "no"}, } - if hosts.IsDockerSELinuxEnabled(etcdHost) { - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdSnapshotRemoveContainerName, etcdHost.Address); err != nil { return err }
@@ -667,12 +650,9 @@ func GetEtcdSnapshotChecksum(ctx context.Context, etcdHost *hosts.Host, prsMap m } hostCfg := &container.HostConfig{ Binds: []string{ - "/opt/rke/:/opt/rke/", + "/opt/rke/:/opt/rke/:z", }} - if hosts.IsDockerSELinuxEnabled(etcdHost) { - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } if err := docker.DoRunContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdChecksumContainerName, etcdHost.Address, ETCDRole, prsMap); err != nil { return checksum, err }
@@ -751,14 +731,11 @@ func StartBackupServer(ctx context.Context, etcdHost *hosts.Host, prsMap map[str hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/backup", EtcdSnapshotPath), - fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, + fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, NetworkMode: container.NetworkMode("host"), RestartPolicy: container.RestartPolicy{Name: "no"}, } - if hosts.IsDockerSELinuxEnabled(etcdHost) { - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdServeBackupContainerName, etcdHost.Address); err != nil { return err }
@@ -802,14 +779,11 @@ func DownloadEtcdSnapshotFromBackupServer(ctx context.Context, etcdHost *hosts.H hostCfg := &container.HostConfig{ Binds: []string{ - fmt.Sprintf("%s:/backup", EtcdSnapshotPath), - fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, + fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath), + fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))}, NetworkMode: container.NetworkMode("host"), RestartPolicy: container.RestartPolicy{Name: "on-failure"}, } - if hosts.IsDockerSELinuxEnabled(etcdHost) { - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil { return err }
@@ -852,13 +826,6 @@ func setEtcdPermissions(ctx context.Context, etcdHost *hosts.Host, prsMap map[st hostCfg := &container.HostConfig{ Binds: []string{dataBind}, } - - if hosts.IsDockerSELinuxEnabled(etcdHost) { - // We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z) - logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, EtcdPermFixContainerName, etcdHost.Address) - hostCfg.SecurityOpt = []string{SELinuxLabel} - } - if err := docker.DoRunOnetimeContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdPermFixContainerName, etcdHost.Address, ETCDRole, prsMap); err != nil { return err
diff --git a/services/services.go b/services/services.go
index 95d32801..7ccf0c70 100644
--- a/services/services.go
+++ b/services/services.go
@@ -52,7 +52,6 @@ const ( ContainerNameLabel = "io.rancher.rke.container.name" MCSLabel = "label=level:s0:c1000,c1001" - SELinuxLabel = "label=type:rke_container_t" ) type RestartFunc func(context.Context, *hosts.Host) error
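Review bot: In setEtcdPermissions the revert removes the `SecurityOpt` fallback, but the only bind, `dataBind`, is built outside the hunk and nothing visible adds `:z` to it, unlike the etcd data-dir bind in cluster/plan.go that gains `:z` in this same patch; if dataBind lacks the option, the permission-fix container will be denied on SELinux-enforcing hosts when it adjusts the data directory (its purpose is inferred from the name). Please confirm that dataBind carries `:z` or that the container runs privileged, and consider a comment at its construction site such as `// must match the :z on the etcd data bind in cluster/plan.go`. The @@ -802 hunk above (DownloadEtcdSnapshotFromBackupServer) is the shared `/backup` relabel already raised on cluster/plan.go, and the services.go const removal needs no review. setEtcdPermissions starts and ends outside the hunk.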
@@ -143,10 +142,6 @@ func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config, hostCfg.SecurityOpt = []string{MCSLabel} } } - // We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z) - logrus.Debugf("Applying security opt label [%s] for etcd container on host [%s]", SELinuxLabel, host.Address) - hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel) - } return imageCfg, hostCfg, process.HealthCheck.URL }
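Review bot: After the revert the only SELinux decision left in GetProcessConfig is the `hostCfg.SecurityOpt = []string{MCSLabel}` assignment in the context line, and with the removed `logrus.Debugf` gone no log line records which containers received a security option — the first thing an operator needs when tracing AVC denials after an upgrade. Keeping a debug line at that assignment, `logrus.Debugf("Applying security opt label [%s] for container on host [%s]", MCSLabel, host.Address)`, restores that visibility; logrus stays imported, since the diffstat shows only the five deleted lines for this file. The `if` chain enclosing the assignment opens outside the hunk, so its condition cannot be reviewed here; GetProcessConfig starts outside the hunk.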