rawhide: 20220103: selinux denial causing systemd-network-generator service failure

[dustymabe]

Our tests that test networking configuration via kernel arguments are failing because of SELinux denials causing the systemd-network-generator service to fail in our rawhide stream.

[2022-01-04T16:33:48.933Z] --- FAIL: ext.config.networking.prefer-ignition-networking (555.33s)
[2022-01-04T16:33:48.933Z]         harness.go:1249: Cluster failed starting machines: machine "5bffd725-9683-47c4-b64c-1fb8eb91c341" failed basic checks: some systemd units failed:
[2022-01-04T16:33:48.933Z] systemd-network-generator.service


[2022-01-04T16:35:34.817Z] --- FAIL: ext.config.networking.force-persist-ip (388.76s)
[2022-01-04T16:35:34.817Z]         harness.go:1249: Cluster failed starting machines: machine "b5b0354e-e771-495c-aaab-36cc98e47c6e" failed basic checks: some systemd units failed:
[2022-01-04T16:35:34.817Z] systemd-network-generator.service

I opened BZ#2037047 against selinux-policy to track a fix for getting the systemd-network-generator.service working again.

[dustymabe]

We have a few options here that I see for a short term workaround:

• make the tests use enforcing=0 temporarily (would affect all streams and would need a reminder to revert)
• snooze these tests for a while in rawhide
• determine/decide that we absolutely don't need anything from systemd-network-generator and disable it.

[jlebon]

determine/decide that we absolutely don't need anything from systemd-network-generator and disable it.

+1. I think for our own sanity we shouldn't have anything other than nm-initrd-generator generating things from network kargs.

[dustymabe]

determine/decide that we absolutely don't need anything from systemd-network-generator and disable it.

+1. I think for our own sanity we shouldn't have anything other than nm-initrd-generator generating things from network kargs.

I would mostly agree but there's some overlap where the systemd-network-generator does some things that are used even if we use NetworkManager (and not systemd-networkd). For example: systemd/systemd#21766 (comment)

[dustymabe]

proposal to go with snoozing for now: coreos/fedora-coreos-config#1400

[dustymabe]

bump-lockfile started failing because of this. We we are now hitting it on the systemd 249.7-2.fc35 -> 249.9-1.fc35 in Fedora 35. Let's pin systemd in testing/next for now and get more involved in the BZ to see if we can push a fix.

[dustymabe]

The snooze for the following tests was extended in coreos/fedora-coreos-config#1543:

• ext.config.networking.prefer-ignition-networking
• ext.config.networking.force-persist-ip
• ext.config.networking.mtu-on-bond-kargs

[dustymabe]

The snooze for the following tests was extended in coreos/fedora-coreos-config#1576:

• ext.config.networking.prefer-ignition-networking
• ext.config.networking.force-persist-ip
• ext.config.networking.mtu-on-bond-kargs

[dustymabe]

I'm going to unfreeze systemd and workaround this for now: coreos/fedora-coreos-config#1604

I'll continue to monitor BZ#2037047 for any updates there.

[dustymabe]

A fix has been built for Fedora 36 for this. I'm not sure the fix is going to go to F35, but we don't necessarily need that. Let's fast-track the package in our next-devel stream (one PR against next-devel) and split out our masking to make it only apply to F35 (another PR to against the testing-devel branch). See coreos/fedora-coreos-config#1660 for an example of how to do this.

[dustymabe]

Closing this out since it's fixed in F36 (next-devel) and Rawhide and will folow into our other streams.