
RKE2 install script appends additional fapolicyd rules every time it is run #6335

Closed
brandond opened this issue Jul 15, 2024 · 2 comments
@brandond
Contributor

brandond commented Jul 15, 2024

from @bordenit in #6309

If fapolicyd is enabled, the install script appends duplicate rules every time it is run.

The install script should not duplicate the fapolicyd rules in the rules file if the install.sh script is run more than once. It should be unlikely that anyone would use this rules file for anything other than RKE2, as the naming of it is specifically for RKE2. This should be a total replacement and not an append.
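The fix the issue asks for is an idempotent write: render the whole rules fragment, replace the file rather than append to it, and only regenerate the compiled rules when the content actually changed. The following is an added example of that pattern, not RKE2's install.sh; the fragment path `/etc/fapolicyd/rules.d/80-rke2.rules`, the `RKE2_FAPOLICYD_RULES` and `FAGENRULES` variables and the function names are assumptions made for the example (the real script's filename may differ). The four `allow` rules are the RKE2 entries visible in `compiled.rules` below.

```shell
#!/bin/sh
# Added example (not RKE2's install.sh): write a fapolicyd rules fragment
# idempotently. The file is replaced as a whole instead of appended to, so
# re-running never duplicates rules, and fagenrules is only invoked when the
# content differs from what is already on disk.
set -eu

# Assumed fragment path; the real install script's filename may differ.
RKE2_FAPOLICYD_RULES="${RKE2_FAPOLICYD_RULES:-/etc/fapolicyd/rules.d/80-rke2.rules}"
# Lets the fagenrules binary be stubbed when exercising this offline.
FAGENRULES="${FAGENRULES:-/sbin/fagenrules}"

# The rules RKE2 needs (same entries that appear in compiled.rules).
rke2_fapolicyd_rules() {
    cat <<'EOF'
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/
EOF
}

# Render the fragment to a temp file in the target directory, compare it with
# the existing file and rename over it only when the content differs.
# Returns 0 if the file was (re)written, 1 if it was already up to date.
write_fapolicyd_rules() {
    wfr_target="$1"
    wfr_dir="$(dirname "$wfr_target")"
    mkdir -p "$wfr_dir"
    wfr_tmp="$(mktemp "$wfr_dir/.rke2-rules.XXXXXX")"
    rke2_fapolicyd_rules > "$wfr_tmp"
    if [ -f "$wfr_target" ] && cmp -s "$wfr_tmp" "$wfr_target"; then
        rm -f "$wfr_tmp"
        return 1
    fi
    chmod 0644 "$wfr_tmp"
    # mv within one directory is an atomic rename: fapolicyd never sees a
    # half-written fragment.
    mv -f "$wfr_tmp" "$wfr_target"
    return 0
}

# Regenerate compiled.rules only when the fragment changed; a second run of
# the installer therefore leaves fapolicyd untouched.
setup_fapolicyd() {
    if write_fapolicyd_rules "$RKE2_FAPOLICYD_RULES"; then
        "$FAGENRULES" --load
    else
        echo "[INFO]  fapolicyd rules unchanged"
    fi
}

# Number of times a given rule appears in a file; after any number of runs
# the answer for each RKE2 rule must be exactly 1.
rule_count() {
    grep -c -F 'dir=/var/lib/rancher/' "$1" || true
}

if [ "${1:-}" = "run" ]; then
    setup_fapolicyd
fi
```

Invoked as `sudo ./fapolicyd-rules.sh run`, the script writes the fragment once and prints `[INFO]  fapolicyd rules unchanged` on every later run; a stale fragment that already contains duplicated rules is collapsed back to a single copy on the first run, because the comparison is against the full rendered content rather than a per-line "is it already there" check.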

@brandond
Contributor Author

No backports necessary, as install script is served off master.

@VestigeJ VestigeJ self-assigned this Jul 22, 2024
@VestigeJ
Contributor

Validated with a single server install on the latest v1.27.16-rc4+rke2r1, re-ran the v1.27 installation, then upgraded using the latest v1.28.12-rc4+rke2r1, which logs to stdout that there are no fapolicyd changes; all confirmed by comparing the file before and after.

$ cat /etc/os-release | grep -i pretty

PRETTY_NAME="Oracle Linux Server 9.4"

$ sudo INSTALL_RKE2_VERSION=$VERSION INSTALL_RKE2_EXEC=server INSTALL_RKE2_METHOD=rpm INSTALL_RKE2_CHANNEL=testing ./install-rke2.sh

[INFO]  using 1.27 series from channel testing
Rancher RKE2 Common (testing)                                                                                         6.0 kB/s | 3.3 kB     00:00
Rancher RKE2 1.27 (testing)                                                                                            39 kB/s |  23 kB     00:00
Dependencies resolved.
======================================================================================================================================================
 Package                           Architecture           Version                                   Repository                                   Size
======================================================================================================================================================
Installing:
 rke2-server                       x86_64                 1.27.16~rc4~rke2r1-1.el9                  rancher-rke2-1.27-testing                   9.1 k
Installing dependencies:
 container-selinux                 noarch                 3:2.229.0-1.el9_3                         ol9_appstream                                66 k
 rke2-common                       x86_64                 1.27.16~rc4~rke2r1-1.el9                  rancher-rke2-1.27-testing                    24 M
 rke2-selinux                      noarch                 0.18-2.el9                                rancher-rke2-common-testing                  22 k

Transaction Summary
======================================================================================================================================================
Install  4 Packages

Total download size: 25 M
Installed size: 100 M
Downloading Packages:
(1/4): container-selinux-2.229.0-1.el9_3.noarch.rpm                                                                   433 kB/s |  66 kB     00:00
(2/4): rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64.rpm                                                                 50 kB/s | 9.1 kB     00:00
(3/4): rke2-selinux-0.18-2.el9.noarch.rpm                                                                              66 kB/s |  22 kB     00:00
(4/4): rke2-common-1.27.16~rc4~rke2r1-1.el9.x86_64.rpm                                                                 17 MB/s |  24 MB     00:01
------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                  17 MB/s |  25 MB     00:01
Rancher RKE2 Common (testing)                                                                                         9.9 kB/s | 2.4 kB     00:00
Importing GPG key 0xD161F542:
 Userid     : "Rancher (CI) <ci@rancher.com>"
 Fingerprint: 856A 0069 529C A63B 21AA 4E0A 089F A20E D161 F542
 From       : https://rpm-testing.rancher.io/public.key
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                              1/1
  Running scriptlet: container-selinux-3:2.229.0-1.el9_3.noarch                                                                                   1/4
  Installing       : container-selinux-3:2.229.0-1.el9_3.noarch                                                                                   1/4
  Running scriptlet: container-selinux-3:2.229.0-1.el9_3.noarch                                                                                   1/4
  Running scriptlet: rke2-selinux-0.18-2.el9.noarch                                                                                               2/4
  Installing       : rke2-selinux-0.18-2.el9.noarch                                                                                               2/4
  Running scriptlet: rke2-selinux-0.18-2.el9.noarch                                                                                               2/4
  Installing       : rke2-common-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                  3/4
  Installing       : rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                  4/4
  Running scriptlet: rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                  4/4
  Running scriptlet: container-selinux-3:2.229.0-1.el9_3.noarch                                                                                   4/4
  Running scriptlet: rke2-selinux-0.18-2.el9.noarch                                                                                               4/4
  Running scriptlet: rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                  4/4
  Verifying        : container-selinux-3:2.229.0-1.el9_3.noarch                                                                                   1/4
  Verifying        : rke2-selinux-0.18-2.el9.noarch                                                                                               2/4
  Verifying        : rke2-common-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                  3/4
  Verifying        : rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                  4/4

Installed:
  container-selinux-3:2.229.0-1.el9_3.noarch            rke2-common-1.27.16~rc4~rke2r1-1.el9.x86_64           rke2-selinux-0.18-2.el9.noarch
  rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64

Complete!

$ sudo cat /etc/fapolicyd/compiled.rules

## This file is automatically generated from /etc/fapolicyd/rules.d
%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,application/javascript,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-nftables,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
allow perm=open exe=/usr/bin/rpm : all
allow perm=open exe=/usr/bin/python3.9 comm=dnf : all
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny_audit perm=open all : ftype=application/x-sharedlib
allow perm=execute all : trust=1
allow perm=open all : ftype=%languages trust=1
deny_audit perm=any all : ftype=%languages
allow perm=any all : ftype=text/x-shellscript
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/
deny_audit perm=execute all : all
allow perm=open all : all

$ VERSION=v1.28.12-rc4+rke2r1 //manually upgrading to try and get different behavior exposed
$ sudo INSTALL_RKE2_VERSION=$VERSION INSTALL_RKE2_EXEC=server INSTALL_RKE2_METHOD=rpm INSTALL_RKE2_CHANNEL=testing ./install-rke2.sh

[INFO]  using 1.28 series from channel testing
Error: No matching Packages to list
Last metadata expiration check: 0:00:02 ago on Thu 25 Jul 2024 11:16:37 PM UTC.
Dependencies resolved.
=======================================================================================================================================================================================================================================================
 Package                                               Architecture                                     Version                                                              Repository                                                           Size
=======================================================================================================================================================================================================================================================
Upgrading:
 rke2-common                                           x86_64                                           1.28.12~rc4~rke2r1-0.el9                                             rancher-rke2-1.28-testing                                            25 M
 rke2-server                                           x86_64                                           1.28.12~rc4~rke2r1-0.el9                                             rancher-rke2-1.28-testing                                           9.1 k

Transaction Summary
=======================================================================================================================================================================================================================================================
Upgrade  2 Packages

Total download size: 25 M
Downloading Packages:
(1/2): rke2-server-1.28.12~rc4~rke2r1-0.el9.x86_64.rpm                                                                                                                                                                  30 kB/s | 9.1 kB     00:00
(2/2): rke2-common-1.28.12~rc4~rke2r1-0.el9.x86_64.rpm                                                                                                                                                                  18 MB/s |  25 MB     00:01
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                   18 MB/s |  25 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                               1/1
  Upgrading        : rke2-common-1.28.12~rc4~rke2r1-0.el9.x86_64                                                                                                                                                                                   1/4
  Upgrading        : rke2-server-1.28.12~rc4~rke2r1-0.el9.x86_64                                                                                                                                                                                   2/4
  Running scriptlet: rke2-server-1.28.12~rc4~rke2r1-0.el9.x86_64                                                                                                                                                                                   2/4
  Running scriptlet: rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                                                                                                                   3/4
  Cleanup          : rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                                                                                                                   3/4
  Running scriptlet: rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                                                                                                                   3/4
  Running scriptlet: rke2-common-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                                                                                                                   4/4
  Cleanup          : rke2-common-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                                                                                                                   4/4
  Running scriptlet: rke2-common-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                                                                                                                   4/4
  Verifying        : rke2-common-1.28.12~rc4~rke2r1-0.el9.x86_64                                                                                                                                                                                   1/4
  Verifying        : rke2-common-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                                                                                                                   2/4
  Verifying        : rke2-server-1.28.12~rc4~rke2r1-0.el9.x86_64                                                                                                                                                                                   3/4
  Verifying        : rke2-server-1.27.16~rc4~rke2r1-1.el9.x86_64                                                                                                                                                                                   4/4

Upgraded:
  rke2-common-1.28.12~rc4~rke2r1-0.el9.x86_64                                                                                rke2-server-1.28.12~rc4~rke2r1-0.el9.x86_64

Complete!
/sbin/fagenrules: No change

$ sudo cat /etc/fapolicyd/compiled.rules

## This file is automatically generated from /etc/fapolicyd/rules.d
%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,application/javascript,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-nftables,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
allow perm=open exe=/usr/bin/rpm : all
allow perm=open exe=/usr/bin/python3.9 comm=dnf : all
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny_audit perm=open all : ftype=application/x-sharedlib
allow perm=execute all : trust=1
allow perm=open all : ftype=%languages trust=1
deny_audit perm=any all : ftype=%languages
allow perm=any all : ftype=text/x-shellscript
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/
deny_audit perm=execute all : all
allow perm=open all : all

$ sudo INSTALL_RKE2_VERSION=$VERSION INSTALL_RKE2_EXEC=server INSTALL_RKE2_METHOD=rpm INSTALL_RKE2_CHANNEL=testing ./install-rke2.sh

[INFO]  using 1.28 series from channel testing
Error: No matching Packages to list
Last metadata expiration check: 0:00:02 ago on Thu 25 Jul 2024 11:18:42 PM UTC.
Package rke2-server-1.28.12~rc4~rke2r1-0.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
/sbin/fagenrules: No change

$ sudo cat /etc/fapolicyd/compiled.rules

## This file is automatically generated from /etc/fapolicyd/rules.d
%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,application/javascript,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-nftables,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
allow perm=open exe=/usr/bin/rpm : all
allow perm=open exe=/usr/bin/python3.9 comm=dnf : all
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny_audit perm=open all : ftype=application/x-sharedlib
allow perm=execute all : trust=1
allow perm=open all : ftype=%languages trust=1
deny_audit perm=any all : ftype=%languages
allow perm=any all : ftype=text/x-shellscript
allow perm=any all : dir=/var/lib/rancher/
allow perm=any all : dir=/opt/cni/
allow perm=any all : dir=/run/k3s/
allow perm=any all : dir=/var/lib/kubelet/
deny_audit perm=execute all : all
allow perm=open all : all
