Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFE] oc debug node: Use unconfined_t as SELinux context for debug container #641

Open
travier opened this issue Nov 13, 2020 · 9 comments
Open

[RFE] oc debug node: Use unconfined_t as SELinux context for debug container #641

travier opened this issue Nov 13, 2020 · 9 comments
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@travier
Copy link
Member

travier commented Nov 13, 2020
edited
Loading

The SELinux policy has been changed to allow container runtimes to create unconfined container for host debugging (BZ#1839065) instead of using the spc_t semi-restricted context that leads to weird error cases (BZ#1896369).

This is released with RHSA-2020:3053.

For OCP, this can be enabled starting with 4.6 as it includes the fixed SELinux policy in the release image.
For OKD, this can be enabled starting with 4.6 as Fedora CoreOS has included the fix for a while.
@openshift-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 11, 2021
@travier
Copy link
Member Author

travier commented Feb 11, 2021

/remove-lifecycle stale

@openshift-ci-robot openshift-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 11, 2021
@travier
Copy link
Member Author

travier commented Mar 8, 2021

We encountered this issue again in https://bugzilla.redhat.com/show_bug.cgi?id=1924926. Can I get an initial review? Should I start working on it?

@openshift-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 6, 2021
@travier
Copy link
Member Author

travier commented Jun 7, 2021

/remove-lifecycle stale

@openshift-ci openshift-ci bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 7, 2021
travier added a commit to travier/oc that referenced this issue Jun 8, 2021
@travier
debug node: Run under an unconfined SELinux context
3eaa351 
Run the node debug pod under an unconfined SELinux context
(unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023) to avoid issues
with the `spc_t` context.

Fixes: openshift#641
See also:
 - https://bugzilla.redhat.com/show_bug.cgi?id=1839065
 - https://bugzilla.redhat.com/show_bug.cgi?id=1896369
@travier travier mentioned this issue Jun 8, 2021
Closed
@openshift-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 5, 2021
@travier
Copy link
Member Author

travier commented Sep 17, 2021

/remove-lifecycle stale
/lifecycle frozen
We really should be doing that at some point or figuring out a way out (via an SSH proxy for example) so marking as frozen.

@openshift-ci openshift-ci bot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 17, 2021
travier added a commit to travier/oc that referenced this issue Mar 29, 2023
@travier
debug node: Run under an unconfined SELinux context
b057767 
Run the node debug pod under an unconfined SELinux context
(unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023) to avoid issues
with the `spc_t` context.

Fixes: openshift#641
See also:
 - https://bugzilla.redhat.com/show_bug.cgi?id=1839065
 - https://bugzilla.redhat.com/show_bug.cgi?id=1896369
@atiratree atiratree mentioned this issue Mar 30, 2023
Merged
@codespearhead
Copy link

codespearhead commented Apr 10, 2024
edited
Loading

According to Daniel Walsh 2020-05-29 17:41:48 UTC, the source problem was fixed in container-selinux v2.135.0.

Should this issue be closed then?

@travier
Copy link
Member Author

travier commented Apr 10, 2024

The last time I check, it wasn't fixed. I had made: #842

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

OCPBUGS-10615: debug node: Run under an unconfined SELinux context travier/oc
4 participants
@openshift-bot @openshift-ci-robot @travier @codespearhead