# k3s
a
been getting
/usr/bin/coredns: error while loading shared libraries: /usr/lib/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
in coredns pod logs after enabling selinux. is this known?
c
nope never seen that before.
Do you have the k3s-selinux package enabled? is selinux enabled in k3s flags/config?
Normally you want to get selinux set up first, before installing/starting k3s. If you try to turn it on later there are a lot more hoops to jump through.
a
yes. selinux packages along with k3s-selinux are installed before i run my install script. install script has selinux:true as well in config.yaml
also if you look at the install script, it returns out with
"skipping installation of selinux rpm"
if install_k3s_skip_download is true
```shell
# excerpt from install.sh, pasted starting mid-function: the first two
# lines and the closing quote are the tail of the policy_hint message
${package_installer} install -y container-selinux
    ${package_installer} install -y https://${rpm_site}/k3s/${rpm_channel}/common/${rpm_site_infix}/noarch/${available_version}
"

    # early return: no SELinux RPM and no chcon on the k3s binary below
    if [ "$INSTALL_K3S_SKIP_SELINUX_RPM" = true ] || can_skip_download_selinux || [ ! -d /usr/share/selinux ]; then
        info "Skipping installation of SELinux RPM"
        return
    fi

    get_k3s_selinux_version
    install_selinux_rpm ${rpm_site} ${rpm_channel} ${rpm_target} ${rpm_site_infix}

    policy_error=fatal
    if [ "$INSTALL_K3S_SELINUX_WARN" = true ] || [ "${ID_LIKE:-}" = coreos ] ||
       [ "${VARIANT_ID:-}" = coreos ] || [ "${VARIANT_ID:-}" = iot ]; then
        policy_error=warn
    fi

    # label the k3s binary so the container runtime may execute it under SELinux
    if ! $SUDO chcon -u system_u -r object_r -t container_runtime_exec_t ${BIN_DIR}/k3s >/dev/null 2>&1; then
        if $SUDO grep '^\s*SELINUX=enforcing' /etc/selinux/config >/dev/null 2>&1; then
            $policy_error "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, ${policy_hint}"
        fi
    elif [ ! -f /usr/share/selinux/packages/k3s.pp ]; then
        if [ -x /usr/sbin/transactional-update ] || [ "${ID_LIKE:-}" = coreos ] || \
            { { [ "${ID:-}" = fedora ] || [ "${ID_LIKE:-}" = fedora ]; } && [ -n "${OSTREE_VERSION:-}" ]; }; then
            warn "Please reboot your machine to activate the changes and avoid data loss."
        else
            $policy_error "Failed to find the k3s-selinux policy, ${policy_hint}"
        fi
    fi
}
```
this would mean that it never sets the context for the k3s binary, hence giving permission errors saying it cannot read the k3s binary
would this be a bug?
```shell
# returns 0 (skip) only when INSTALL_K3S_SKIP_DOWNLOAD is "true" or "selinux"
can_skip_download_selinux() {
    if [ "${INSTALL_K3S_SKIP_DOWNLOAD}" != true ] && [ "${INSTALL_K3S_SKIP_DOWNLOAD}" != selinux ]; then
        return 1
    fi
}
```
@creamy-pencil-82913 https://github.com/k3s-io/k3s-selinux/pull/73 might wanna look at the PR and the issue it solves
c
I’ve not seen this be a problem if you set things up properly ahead of time. We don’t really test enabling selinux on running containers, so I can’t say if this would solve your specific problem or not.