
KubeVirt does not work with Talos Linux 1.9 #10083

Closed
kvaps opened this issue Jan 3, 2025 · 10 comments · Fixed by #10084

Comments


kvaps commented Jan 3, 2025

Bug Report

Description

Logs

virt-handler reports an error during VM creation:

failed to configure vmi network: setup failed, err: Critical network error: could not retrieve pid 199735 selinux label: getxattr /proc/199735/attr/current: operation not supported

This is happening because SELinux is enabled:

cat /sys/fs/selinux/enforce
0

code:

Environment

  • Talos version: v1.9.1
  • Kubernetes version: v1.30.3
  • Platform: Cozystack

I tried to disable selinux using machineconfig:

machine:
    install:
        extraKernelArgs:
        - -selinux

and

machine:
    install:
        extraKernelArgs:
        - selinux=0

and running the talosctl upgrade command, but it had no effect.

Talos Linux 1.8 has no /sys/fs/selinux/enforce, so this check returns false:


frezbo commented Jan 3, 2025

talos 1.9 has only selinux compiled in and not even enabled at all, this is rather an upstream issue on how they check if selinux is enabled


kvaps commented Jan 3, 2025

Hey @frezbo,
I have built Talos 1.9 using this config
https://github.com/aenix-io/cozystack/blob/c6edf6cb9ea828065885015e3a0b164ee3cddf1a/packages/core/installer/images/talos/profiles/installer.yaml

Selinux is enabled, but in permissive mode:

  • There is no opportunity to disable SELinux (to make /sys/fs/selinux/enforce disappear completely).
  • And when SELinux is loaded, KubeVirt can't work even with permissive mode, because the getxattr system call is blocked by Talos.


kvaps commented Jan 3, 2025

I just found a similar issue in the KubeVirt project:
kubevirt/kubevirt#13607


frezbo commented Jan 3, 2025

  • There is no opportunity to disable SELinux (to make /sys/fs/selinux/enforce disappear completely).

but just having selinux fs mounted doesn't mean it's enabled at all, you still need selinux=1 to enable it

  • And when SELinux is loaded, KubeVirt can't work even with permissive mode, because the getxattr system call is blocked by Talos.

Talos doesn't do anything in this regard, it's probably kubevirt trying to access getxattr when selinux is not enabled


frezbo commented Jan 3, 2025

@dsseng tagging you here just to make sure we don't do anything wrong


dsseng commented Jan 3, 2025

  • There is no opportunity to disable SELinux (to make /sys/fs/selinux/enforce disappear completely).

but just having selinux fs mounted doesn't mean it's enabled at all, you still need selinux=1 to enable it

  • And when SELinux is loaded, KubeVirt can't work even with permissive mode, because the getxattr system call is blocked by Talos.

Talos doesn't do anything in this regard, it's probably kubevirt trying to access getxattr when selinux is not enabled

True. The mere existence of the SELinux filesystem should not deny any permissions.

I will take a look at what KubeVirt does and whether or not SELinux could affect that in disabled mode but with selinuxfs, maybe if that's the case we should mount selinuxfs conditionally.


kvaps commented Jan 3, 2025

Okay, I found a workaround:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: disable-selinux
  namespace: cozy-kubevirt
  labels:
    app: disable-selinux
spec:
  selector:
    matchLabels:
      app: disable-selinux
  template:
    metadata:
      labels:
        app: disable-selinux
    spec:
      containers:
      # If the host still exposes /sys/fs/selinux/enforce, mount an empty tmpfs over
      # selinuxfs so the file disappears from the host view; otherwise just idle.
      - command:
        - sh
        - -exc
        - test -f /host/sys/fs/selinux/enforce && mount -t tmpfs tmpfs /host/sys/fs/selinux || sleep infinity
        image: docker.io/library/alpine
        name: mount
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /host
          mountPropagation: Bidirectional
          name: host-root
      hostIPC: true
      hostNetwork: true
      hostPID: true
      tolerations:
      - operator: Exists
      volumes:
      - hostPath:
          path: /
        name: host-root

@kvaps kvaps closed this as completed Jan 3, 2025
@kvaps kvaps reopened this Jan 3, 2025

dsseng commented Jan 3, 2025

So okay, this means kubevirt breaks with selinuxfs mounted but policy not loaded. As I see from its code, it uses conventional Linux methods for querying SELinux (like getenforce from the container), which seem to interpret "has selinuxfs but no policy" as permissive mode.

From our side the fix should be not mounting selinuxfs when not enabling SELinux. This is what I am going to do right now. This change will likely be backported to 1.9 and released with the next point release.


frezbo commented Jan 3, 2025

So okay, this means kubevirt breaks with selinuxfs mounted but policy not loaded. As I see from its code, it uses conventional Linux methods for querying SELinux (like getenforce from the container), which seem to interpret "has selinuxfs but no policy" as permissive mode.

From our side the fix should be not mounting selinuxfs when not enabling SELinux. This is what I am going to do right now. This change will likely be backported to 1.9 and released with the next point release.

I also think upstream should do a better check


dsseng commented Jan 3, 2025

It also should. But actually mounting selinuxfs is not necessary and takes some time, even if minor, so perhaps we had better mount it conditionally.
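The "better check" frezbo asks for above, written out as an added example that is neither KubeVirt's nor Talos's code: it distinguishes "selinuxfs mounted but no policy loaded" (the Talos 1.9 case) from a real permissive system instead of treating the presence of /sys/fs/selinux/enforce as proof that SELinux is active. It takes a root directory so it can be exercised against a constructed tree, and it follows libselinux's is_selinux_enabled() convention that a process context of "kernel" means no policy is loaded; that rule and the use of /proc/self/attr/current are assumptions about the host, not details from this issue.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

type SELinuxState int

const (
	SELinuxDisabled   SELinuxState = iota // no selinuxfs, or selinuxfs with no policy loaded
	SELinuxPermissive                     // policy loaded, enforce == 0
	SELinuxEnforcing                      // policy loaded, enforce == 1
)

func (s SELinuxState) String() string { return [...]string{"disabled", "permissive", "enforcing"}[s] }

// ProbeSELinux decides the SELinux state below root (normally "/"). Like
// libselinux's is_selinux_enabled(), a mounted selinuxfs alone is not enough:
// the process context must be readable and must not be the initial SID
// "kernel", which is what the kernel reports when no policy is loaded (assumed).
func ProbeSELinux(root string) (SELinuxState, error) {
	enforcePath := filepath.Join(root, "sys/fs/selinux/enforce")
	if _, err := os.Stat(enforcePath); errors.Is(err, os.ErrNotExist) {
		return SELinuxDisabled, nil // selinuxfs not mounted: the Talos 1.8 case
	}
	// The Talos 1.9 case: selinuxfs mounted, no policy. Reading the process
	// attribute then fails (ENOTSUP in the report) or yields "kernel"; both
	// mean "disabled", not "permissive", and must not abort the caller.
	con, err := os.ReadFile(filepath.Join(root, "proc/self/attr/current"))
	if err != nil || strings.TrimRight(string(con), "\x00\n") == "kernel" {
		return SELinuxDisabled, nil
	}
	raw, err := os.ReadFile(enforcePath)
	if err != nil {
		return SELinuxDisabled, fmt.Errorf("read enforce: %w", err)
	}
	switch strings.TrimSpace(string(raw)) {
	case "0":
		return SELinuxPermissive, nil
	case "1":
		return SELinuxEnforcing, nil
	}
	return SELinuxDisabled, fmt.Errorf("unexpected enforce value %q", raw)
}
```

Run against "/" on a Talos 1.9 node the probe reports "disabled" rather than failing on the unreadable process attribute, which is the behaviour the virt-handler error above lacked.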

dsseng added a commit to dsseng/talos that referenced this issue Jan 3, 2025
Having selinuxfs mounted might confuse some software, as conventional Linux systems do not have selinuxfs mounted when SELinux is disabled and no policy is loaded.

Fixes siderolabs#10083

Signed-off-by: Dmitry Sharshakov <[email protected]>
dsseng added a commit to dsseng/talos that referenced this issue Jan 3, 2025
Having selinuxfs mounted might confuse some software, as conventional Linux systems do not have selinuxfs mounted when SELinux is disabled and no policy is loaded.

Fixes siderolabs#10083

Signed-off-by: Dmitry Sharshakov <[email protected]>
smira pushed a commit to smira/talos that referenced this issue Jan 16, 2025
Having selinuxfs mounted might confuse some software, as conventional Linux systems do not have selinuxfs mounted when SELinux is disabled and no policy is loaded.

Fixes siderolabs#10083

Signed-off-by: Dmitry Sharshakov <[email protected]>
(cherry picked from commit ae6d065)