rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-09-24 04:48:35 +00:00
Code Issues Releases Wiki Activity

cluster/plan: don't relabel /lib/modules by default

Browse Source 
As this logic went, it would relabel /lib/modules, except on enterprise
linux and when SELinux is enabled (even just permisive).

Flatcar Container Linux defaults to SELinux on, but permisive, and
`/lib/modules/` is a symlink to the read-only `/usr`.
So `./rke up` would fail on attempting to relabel /usr.

The prior work around is to set `SELINUX=disable` in
/etc/selinux/config.

Signed-off-by: Vincent Batts <vbatts@kinvolk.io>
This commit is contained in:
Vincent Batts
2020-08-21 16:11:36 -04:00
parent 6dd6fc76e3
commit d77ee0d53f
1 changed files with 1 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cluster/plan.go
View File

@@ -602,11 +602,7 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, serviceOptions v3.Kube
"/run:/run", "/run:/run",
} }
BindModules := "/lib/modules:/lib/modules:z,ro" BindModules := "/lib/modules:/lib/modules:ro"
if hosts.IsEnterpriseLinuxHost(host) && hosts.IsDockerSELinuxEnabled(host) && !hosts.IsEnterpriseLinuxDocker(host) {
// Avoid relabing on Enterprise Linux with Docker SELinux and upstream Docker
BindModules = "/lib/modules:/lib/modules:ro"
}
Binds = append(Binds, BindModules) Binds = append(Binds, BindModules)
} }
Binds = append(Binds, host.GetExtraBinds(kubeproxy.BaseService)...) Binds = append(Binds, host.GetExtraBinds(kubeproxy.BaseService)...)