Add an install argument option to not install fapolicy rules #4803

Closed
brandond opened this issue Sep 26, 2023 · 2 comments

@brandond
Member

@stratusjerry has asked for the ability to have the install script skip adding fapolicy rules.

@brandond brandond self-assigned this Sep 26, 2023
@brandond brandond added this to the v1.28.3+rke2r1 milestone Sep 26, 2023
@brandond
Member Author

No backports because the install script is only served off master.

@aganesh-suse aganesh-suse self-assigned this Sep 26, 2023
@aganesh-suse

Validated on master branch with version v1.28.3-rc2+rke2r1

Also tested on release-1.27 / version: v1.27.7-rc2+rke2r1

Environment Details

Infrastructure

  • Cloud
  • Hosted

Node(s) CPU architecture, OS, and Version:

$ cat /etc/os-release | grep PRETTY
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"

$ uname -m
x86_64

Cluster Configuration:

1 server

Config.yaml:

token: secret
write-kubeconfig-mode: "0644"
node-external-ip: 1.1.1.1
selinux: true

Testing Steps

  1. Install fapolicyd on the rhel 9.2 VM:

     $ sudo yum install fapolicyd -y

  2. Copy config.yaml:

     $ sudo mkdir -p /etc/rancher/rke2 && sudo cp config.yaml /etc/rancher/rke2

  3. Compare install options:

    a. Install RKE2 NOT using the "INSTALL_RKE2_SKIP_FAPOLICY" option; start the rke2 service:

    $ curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_VERSION='v1.28.3-rc2+rke2r1' INSTALL_RKE2_CHANNEL=testing INSTALL_RKE2_TYPE='server' INSTALL_RKE2_METHOD=rpm sh -
    $ sudo systemctl enable --now rke2-server

    Verify (using step 4 commands): the fapolicyd rules should be set up as usual.

    b. Install RKE2 using the "INSTALL_RKE2_SKIP_FAPOLICY=true" option:

    $ curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_VERSION='v1.28.3-rc2+rke2r1' INSTALL_RKE2_CHANNEL=testing INSTALL_RKE2_TYPE='server' INSTALL_RKE2_METHOD=rpm INSTALL_RKE2_SKIP_FAPOLICY=true sh -
    $ sudo systemctl enable --now rke2-server

    Verify (using step 4 commands): the fapolicyd rules should NOT be set up.

  4. Commands used to verify the existence of the fapolicyd rules:

$ sudo cat /etc/fapolicyd/rules.d/80-rke2.rules
$ sudo systemctl status fapolicyd

Validation Results:

  • rke2 version used for validation:
$ rke2 -v
rke2 version v1.28.3-rc2+rke2r1 (0d0d0e4879fdf95254461e3a49224f75d7b2dc3d)
go version go1.20.10 X:boringcrypto

Outputs for install without SKIP option set:

$ curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_VERSION='v1.27.7-rc2+rke2r1' INSTALL_RKE2_CHANNEL=testing INSTALL_RKE2_TYPE='server' INSTALL_RKE2_METHOD=rpm sh -
$ sudo systemctl enable --now rke2-server
$ sudo cat /etc/fapolicyd/rules.d/80-rke2.rules 
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/

$ sudo systemctl status fapolicyd 
● fapolicyd.service - File Access Policy Daemon
     Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; disabled; preset: disabled)
     Active: active (running) since Tue 2023-10-24 20:23:54 UTC; 8min ago
       Docs: man:fapolicyd(8)
   Main PID: 146418 (fapolicyd)
      Tasks: 4 (limit: 22549)
     Memory: 53.7M
        CPU: 5.063s
     CGroup: /system.slice/fapolicyd.service
             └─146418 /usr/sbin/fapolicyd

Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: Initializing the trust database
Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: fapolicyd integrity is 0
Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: Loading rpmdb backend
Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: Checking if the trust database up to date
Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: Importing trust data from rpmdb backend
Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: Importing trust data from file backend
Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: Entries in trust DB: 17860
Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: Loaded trust info from all backends(without duplicates): 17860
Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: Trust database checks OK
Oct 24 20:23:54 ip-172-31-20-15.us-east-2.compute.internal fapolicyd[146418]: Starting to listen for events

Outputs for install with INSTALL_RKE2_SKIP_FAPOLICY=true option set:

$ curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_VERSION='v1.28.3-rc2+rke2r1' INSTALL_RKE2_CHANNEL=testing INSTALL_RKE2_TYPE='server' INSTALL_RKE2_METHOD=rpm INSTALL_RKE2_SKIP_FAPOLICY=true sh -
$ sudo systemctl enable --now rke2-server

$ sudo cat /etc/fapolicyd/rules.d/80-rke2.rules
cat: /etc/fapolicyd/rules.d/80-rke2.rules: No such file or directory

$ sudo systemctl status fapolicyd
○ fapolicyd.service - File Access Policy Daemon
     Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: man:fapolicyd(8)
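The verification in step 4 above is done by eye; as an added example (not part of the rke2 project or the install script), the shell functions below automate it: they classify the rule drop-in at the path the issue shows (`/etc/fapolicyd/rules.d/80-rke2.rules`) as absent, complete, or incomplete against the four `allow perm=any all : dir=...` rules listed in the validation output, and check that result against the expectation for each install option. The function names and the sample rule files are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not rke2 project code. Directories taken from the
# 80-rke2.rules content shown in the validation output above.
EXPECTED_DIRS="/var/lib/rancher/ /opt/cni/ /run/k3s/ /var/lib/kubelet/"

# rke2_fapolicy_rules_state FILE
# Prints "absent" (no drop-in: what INSTALL_RKE2_SKIP_FAPOLICY=true leaves),
# "complete" (every expected allow rule present) or "incomplete:<dirs>".
# Returns 1 only for the incomplete case, which is the one nobody expects.
rke2_fapolicy_rules_state() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo absent
        return 0
    fi
    missing=""
    for d in $EXPECTED_DIRS; do
        # Match an uncommented allow rule for this directory; tolerate
        # extra whitespace but not a leading '#'.
        if ! grep -Eq "^[[:space:]]*allow[[:space:]]+perm=any[[:space:]]+all[[:space:]]*:[[:space:]]*dir=${d}[[:space:]]*$" "$file"; then
            missing="$missing $d"
        fi
    done
    if [ -z "$missing" ]; then
        echo complete
        return 0
    fi
    echo "incomplete:$missing"
    return 1
}

# check_install_expectation SKIP_VALUE FILE
# SKIP_VALUE is what INSTALL_RKE2_SKIP_FAPOLICY was set to at install time
# ("true" or empty). Returns 0 when the observed rule state matches the
# behaviour the issue describes for that option, 1 otherwise.
check_install_expectation() {
    skip="$1"; file="$2"
    state=$(rke2_fapolicy_rules_state "$file" || true)
    if [ "$skip" = "true" ]; then
        [ "$state" = "absent" ]
    else
        [ "$state" = "complete" ]
    fi
}

# Demo on a constructed rules file (no fapolicyd or root needed).
demo_dir=$(mktemp -d)
printf '%s\n' 'allow perm=any all : dir=/var/lib/rancher/' \
    'allow perm=any all : dir=/opt/cni/' 'allow perm=any all : dir=/run/k3s/' \
    'allow perm=any all : dir=/var/lib/kubelet/' > "$demo_dir/80-rke2.rules"
rke2_fapolicy_rules_state "$demo_dir/80-rke2.rules"   # complete
rke2_fapolicy_rules_state "$demo_dir/none.rules"      # absent
rm -rf "$demo_dir"
```

On a real host, point the functions at /etc/fapolicyd/rules.d/80-rke2.rules and pair the result with `systemctl is-active fapolicyd`, since an absent drop-in with an active daemon is the combination that will block rke2 binaries.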
