-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RHCOS 8.6 failing on ext.config.rebuild-selinux-policy
#1036
Comments
Digging into this, I think it's caused by libsemanage-2.9-9.el8_6, which has this patch: https://pkgs.devel.redhat.com/cgit/rpms/libsemanage/commit/?h=rhel-8.6.0&id=7b7f71ce7cdd6187b33b738bb6866a00f2149772. Current theory is that |
FYI @WOnder93 |
With -9.el8, `ext.config.rebuild-selinux-policy` fails: openshift#1036 We need to debug this, but for now let's unblock CI and dev pipelines.
Hm... can you point me to the code behind There is a known quirk that after the linked libsemanage patch, the "no-op" path (i.e. when there are no changes in the modules and only the rest of the content is refreshed) produces a different binary policy than the full rebuild "from scratch". The policies are semantically equal, but some things get ordered differently and the resulting policies don't match byte-to-byte. I suppose this might be confusing the test. I know this is not ideal, but it would be technically very difficult to make both paths produce an equal result :/ |
@WOnder93 this is the test: https://github.com/openshift/os/blob/master/tests/kola/rebuild-selinux-policy/test.sh Overall, the "recompile on boot" logic is gated by a |
For reference, all of this comes from #962 as a workaround for https://issues.redhat.com/browse/OCPBUGS-595. |
OK, we just need to patch ostree to turn off this logic on the initial deployment. |
I understand. But longer term, driving binary-level reproducibility into everything we do is important for reproducible builds, binary verification etc. |
That will fix the first boot issue, but I think what we want is to make sure we don't regenerate at all even on the next new deployment, no? So then, maybe a better fix is to run |
Is there a ticket somewhere tracking this? Then we could reference it in our code and that way also be able to know when we don't need to work around this issue anymore. |
``` With -9.el8, ext.config.rebuild-selinux-policy fails: openshift#1036 We need to debug this, but for now let's unblock CI and dev pipelines. ``` cherry-pick openshift@247e64a
``` [jlebon] With -9.el8, ext.config.rebuild-selinux-policy fails: openshift#1036 We need to debug this, but for now let's unblock CI and dev pipelines. ``` cherry-pick openshift@247e64a
Looking at that logic, shouldn't the RHEL version match pattern be |
From memory, we did not fully have things ready in 8.6 at the time we made the workaround. This might have change. We would have to take another look. |
See https://issues.redhat.com/browse/OCPBUGS-595?focusedCommentId=20863310&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-20863310. With https://bugzilla.redhat.com/show_bug.cgi?id=2049186 & https://bugzilla.redhat.com/show_bug.cgi?id=2049189 done and https://bugzilla.redhat.com/show_bug.cgi?id=2057497 (ostree | 2022.2 | 5.el8) tagged in for RHCOS, we should be good. |
If someone else agrees with my assessment, then we can try a revert of this workaround. It's slightly late in 4.12 to do that now but should be good. |
Ugh wait so there's a corollary to this - it looks like for quite some time now we've actually been rebuilding the policy by default on newer systems (current FCOS e.g.). On a stock FCOS I see:
That's quite unfortunate. Hmm, we have a kola test that verifies the set of files in Why is it that we're getting this behavior? We're compiling policy at build time via |
Ouch. 😢 I mean, at least we have policy recompilation now, so users won't be missing out on policy updates. But nodes by default not using the canonical policy is very unfortunate indeed. It'd be nice if we could get those machines back on the canonical policy. I think that's possible and would require implementing some of the follow-up bits we discussed in coreos/fedora-coreos-tracker#701.
I think it's the same issue hitting RHCOS (see #1036 (comment)). Locally inspecting the vanilla qcow2 using
Yeah, I suggested this higher up too. I'll try it out and see if it fixes it, but would be good to have @WOnder93 confirm that's a sane strategy. OK more information on this. Fedora 36 is not affected, only Fedora 37 (i.e. only Currently testing the rpm-ostree |
There is a bug in the latest semanage code which causes an invocation of `semodule --rebuild-if-modules-changed` to still write a policy even though nothing changed since a full policy build. On FCOS and RHCOS, this bug is triggered as early as `ostree admin deploy` in cosa when creating the disk images. This results in shipping images with a policy diff baked in. Hack around this by immediately rerunning `semodule --rebuild-if-modules-changed` after building the policy. Fixes: openshift/os#1036
This is a test for openshift/os#1036. It also exists in the rpm-ostree CI, but let's have it here too since other packages can break this.
OK yup, that does work: coreos/rpm-ostree#4122. Also added an f-c-c test in coreos/fedora-coreos-config#2056. |
I was looking for that and couldn't find it. I filed coreos/fedora-coreos-tracker#1335. |
There is a bug in the latest semanage code which causes an invocation of `semodule --rebuild-if-modules-changed` to still write a policy even though nothing changed since a full policy build. On FCOS and RHCOS, this bug is triggered as early as `ostree admin deploy` in cosa when creating the disk images. This results in shipping images with a policy diff baked in. Hack around this by immediately rerunning `semodule --rebuild-if-modules-changed` after building the policy. Fixes: openshift/os#1036 (cherry picked from commit 479050e)
There is a bug in the latest semanage code which causes an invocation of `semodule --rebuild-if-modules-changed` to still write a policy even though nothing changed since a full policy build. On FCOS and RHCOS, this bug is triggered as early as `ostree admin deploy` in cosa when creating the disk images. This results in shipping images with a policy diff baked in. Hack around this by immediately rerunning `semodule --rebuild-if-modules-changed` after building the policy. Fixes: openshift/os#1036 (cherry picked from commit 479050e)
This is a test for openshift/os#1036. It also exists in the rpm-ostree CI, but let's have it here too since other packages can break this.
This is a test for openshift/os#1036. It also exists in the rpm-ostree CI, but let's have it here too since other packages can break this.
This is a test for openshift/os#1036. It also exists in the rpm-ostree CI, but let's have it here too since other packages can break this.
This is a test for openshift/os#1036. It also exists in the rpm-ostree CI, but let's have it here too since other packages can break this.
This is a test for openshift/os#1036. It also exists in the rpm-ostree CI, but let's have it here too since other packages can break this.
This is a test for openshift/os#1036. It also exists in the rpm-ostree CI, but let's have it here too since other packages can break this.
This is a test for openshift/os#1036. It also exists in the rpm-ostree CI, but let's have it here too since other packages can break this.
Latest 8.6 composes are failing on:
I.e. it seems like we're recompiling the policy on first boot.
The text was updated successfully, but these errors were encountered: