Fix Calico install-cni crashloop on Pod restarts #724

dghubble · 2020-05-09T23:00:50Z

Set a consistent MCS level/range for Calico install-cni
Note: Rebooting a node was a workaround, because Kubelet relabels /etc/kubernetes(/cni/net.d)

Background:

On SELinux enforcing systems, the Calico CNI install-cni container ran with default SELinux context and a random MCS pair. install-cni places CNI configs by first creating a temporary file and then moving them into place, which means the file MCS categories depend on the containers SELinux context.
calico-node Pod restarts creates a new install-cni container with a different MCS pair that cannot access the earlier written file (it places configs every time), causing the init container to error and calico-node to crash loop
https://github.com/projectcalico/cni-plugin/issues/874

mv: inter-device move failed: '/calico.conf.tmp' to
'/host/etc/cni/net.d/10-calico.conflist'; unable to remove target:
Permission denied
Failed to mv files. This may be caused by selinux configuration on
the
host, or something else.

Note, this isn't a host SELinux configuration issue.

Fix Calico install-cni crashloop on Pod restarts terraform-render-bootstrap#186

* Set a consistent MCS level/range for Calico install-cni * Note: Rebooting a node was a workaround, because Kubelet relabels /etc/kubernetes(/cni/net.d) Background: * On SELinux enforcing systems, the Calico CNI install-cni container ran with default SELinux context and a random MCS pair. install-cni places CNI configs by first creating a temporary file and then moving them into place, which means the file MCS categories depend on the containers SELinux context. * calico-node Pod restarts creates a new install-cni container with a different MCS pair that cannot access the earlier written file (it places configs every time), causing the init container to error and calico-node to crash loop * https://github.com/projectcalico/cni-plugin/issues/874 ``` mv: inter-device move failed: '/calico.conf.tmp' to '/host/etc/cni/net.d/10-calico.conflist'; unable to remove target: Permission denied Failed to mv files. This may be caused by selinux configuration on the host, or something else. ``` Note, this isn't a host SELinux configuration issue. Related: * poseidon/terraform-render-bootstrap#186

* Enable Calico MTU auto-detection * Remove [workaround](#724) to Calico cni-plugin [issue](https://github.com/projectcalico/cni-plugin/issues/874) Rel: poseidon/terraform-render-bootstrap#230

* Enable Calico MTU auto-detection * Remove [workaround](poseidon/typhoon#724) to Calico cni-plugin [issue](https://github.com/projectcalico/cni-plugin/issues/874) Rel: poseidon/terraform-render-bootstrap#230

* Enable Calico MTU auto-detection * Remove [workaround](poseidon#724) to Calico cni-plugin [issue](https://github.com/projectcalico/cni-plugin/issues/874) Rel: poseidon/terraform-render-bootstrap#230

dghubble changed the title ~~Fix Calico node crash loop on Pod restart~~ Fix Calico install-cni crashloop on Pod restarts May 9, 2020

dghubble force-pushed the calico-install-cni-selinux branch from 0fcddbb to 358854e Compare May 9, 2020 23:02

dghubble merged commit 358854e into master May 9, 2020

dghubble deleted the calico-install-cni-selinux branch May 10, 2020 00:38

dghubble mentioned this pull request Nov 25, 2020

Update Calico from v3.16.5 to v3.17.0 #890

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix Calico install-cni crashloop on Pod restarts #724

Fix Calico install-cni crashloop on Pod restarts #724

dghubble commented May 9, 2020

Fix Calico install-cni crashloop on Pod restarts #724

Fix Calico install-cni crashloop on Pod restarts #724

Conversation

dghubble commented May 9, 2020