K3s: Fresh Install on CentOS 8 Fails

Created on 25 Sep 2019 · 3 Comments · Source: k3s-io/k3s

Describe the bug
I did a vanilla install of k3s on top of a minimal CentOS 8 installation. At first it complained about missing semanage. I rectified that and systemd is getting denied the power to execute /usr/sbin/k3s now.

To Reproduce
Steps to reproduce the behavior:

  1. Install minimal CentOS 8 (CentOS Linux release 8.0.1905 (Core)).
  2. Run yum install policycoreutils-python-utils-2.8-16.1.el8.noarch
  3. Run the vanilla k3s install command: curl -sfL https://get.k3s.io | sh -

    • I have k3s version v0.9.1 (755bd1c6)

  4. Check systemctl status k3s and you will see that it failed

    • Process: 1910 ExecStart=/usr/local/bin/k3s server (code=exited, status=203/EXEC)

  5. grep k3s /var/log/audit/audit.log | grep denied leads to:

type=AVC msg=audit(1569410142.898:230): avc:  denied  { execute } for  pid=1950 comm="(k3s)" name="k3s" dev="dm-0" ino=67579747 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

  6. Also note the odd labels in use:

> ls -laZ /usr/local/bin/k3s
-rwxr-xr-x.  1 root root unconfined_u:object_r:user_tmp_t:s0 45613024 Sep 25 06:48 k3s

Expected behavior
I expected the instructions to work. After waiting some amount of time, k3s kubectl get node should just work.

Additional context
I think I can fix this with the right SELinux labels. I am trying to figure those out.


All 3 comments

Maybe it's because I was missing semanage on my first attempted install? And the second run didn't fix things after getting that utility?

I used these two commands to enable the k3s service to run successfully via systemd control:

> semanage fcontext -a -t bin_t /usr/local/bin/k3s
> restorecon -v /usr/local/bin/k3s

and then k3s starts normally:

> systemctl start k3s
> systemctl status k3s
....
Active: active (running) since Wed 2019-09-25 07:23:09 EDT; 1min 19s ago
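
The triage described in this issue, as an added example that is not part of the original thread or the k3s project: it filters audit records for enforced execute denials where systemd (init_t) tried to run a named binary, then prints the relabel commands quoted above when the file is not already bin_t. The function names avc_field, exec_denials and relabel_cmds are hypothetical, and two of the three sample records are constructed.

```shell
#!/bin/sh
# Added example: find the AVC record behind a systemd 203/EXEC failure.

# Print one key=value field of an audit record, with quotes stripped.
avc_field() {  # usage: avc_field <key> <record>
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1 | tr -d '"'
}

# Read audit records on stdin. For every enforced execute denial where systemd
# (init_t) tried to run a file called <name>, print "<inode> <target_type>".
exec_denials() {  # usage: exec_denials <name> < audit.log
  while IFS= read -r line; do
    case $line in *denied*'{ execute }'*) ;; *) continue ;; esac
    [ "$(avc_field name "$line")" = "$1" ] || continue
    [ "$(avc_field tclass "$line")" = file ] || continue
    [ "$(avc_field permissive "$line")" = 0 ] || continue
    case $(avc_field scontext "$line") in *:init_t:*) ;; *) continue ;; esac
    # A context is user:role:type:level, so the type is the third field.
    printf '%s %s\n' "$(avc_field ino "$line")" \
      "$(avc_field tcontext "$line" | cut -d: -f3)"
  done
}

# Print the relabel commands from the thread unless the type is already bin_t.
relabel_cmds() {  # usage: relabel_cmds <path> <current_type>
  [ "$2" = bin_t ] && return 0
  printf 'semanage fcontext -a -t bin_t %s\nrestorecon -v %s\n' "$1" "$1"
}

# First record is the one quoted in the issue; the other two are constructed.
SAMPLE_LOG='type=AVC msg=audit(1569410142.898:230): avc:  denied  { execute } for  pid=1950 comm="(k3s)" name="k3s" dev="dm-0" ino=67579747 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1569410150.100:231): avc:  denied  { read } for  pid=2001 comm="k3s" name="k3s" dev="dm-0" ino=67579747 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1569410160.200:232): avc:  denied  { execute } for  pid=2002 comm="(demo)" name="demo" dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_LOG" | exec_denials k3s | while read -r ino ttype; do
  echo "inode $ino is labeled $ttype"
  relabel_cmds /usr/local/bin/k3s "$ttype"
done
```

The AVC record carries only the file name and inode, not the full path, so the path passed to relabel_cmds has to come from the unit's ExecStart line.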

Reopening as would like QA to have the opportunity to validate this regardless of the simplicity of the change to the install script.

Resolved. Closing issue.
