Origin: Forced SELinux relabeling when mounting flexvolumes breaks flexvolumes that don't support SELinux e.g fuse
Since Kubernetes 1.6 on, all Flexvolume driver mounts force a SELinux relabeling (ref. https://github.com/openshift/origin/blob/release-3.6/vendor/k8s.io/kubernetes/pkg/volume/flexvolume/mounter-defaults.go#L55). This option is hardcoded and there is no way to override the default value.
This is very inconvenient as it's impossible to make Flexvolumes which don't support SELinux relabeling to work, for instance those using fuse.
Trying to mount one of these volume results in:
Aug 22 15:59:24 oonodetes001 origin-node[31102]: E0822 15:59:24.493079 31102 kuberuntime_manager.go:719] container start failed: RunContainerError: failed to start container "1fa5454873a3bb27b3ad3b2a80751838222b96be8015a073932a5b5512d49": Error response from daemon: {"message":"SELinux relabeling of /var/lib/origin/openshift.local.volumes/pods/145432da-8742-11e7-a5c8-02163e00ax32/volumes/vendor~vol/pv-vol-test is not allowed: \"operation not supported\""}
In our particular case, our users rely on a Flexvolume that will not work anymore, so we cannot safely upgrade from OpenShift 1.5 to 3.6.
There is a patch for the issue in Kubernetes 1.8 (ref. https://github.com/kubernetes/kubernetes/pull/50843), which allows to disable this setting in the init method of the flexvolume.
Could it be backported to OpenShift 3.6. and/or 3.7
Version
This affects Kubernetes 1.6 and 1.7 so OpenShift 3.6 and most likely 3.7
AlbertoPeon
All 5 comments
Actually, there is a pull request to backport the change to Kubernetes 1.7 (ref. https://github.com/kubernetes/kubernetes/pull/51201). It would be great to have in Openshift 3.7!
AlbertoPeon
on 24 Aug 2017
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
openshift-bot
on 18 Feb 2018
We ran into the same problem and opened a support ticket at Red Hat. They now pointed to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1484899 which mentions the capability selinuxRelabel in OCP 3.7. With this option we finally got our cifs flexvolume plugin running :-)
We changed our init method in the flexvolume script to this to make it work:
{"status": "Success", "capabilities": {"attach": false, "selinuxRelabel": false}}
herzogf
on 22 Feb 2018
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale
openshift-bot
on 25 Mar 2018
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
openshift-bot
on 24 Apr 2018
Related issues
slmzig
路
3Comments
tnozicka
路
3Comments
ibuler
路
4Comments
nicolaferraro
路
3Comments
enj
路
4Comments
Most helpful comment
We ran into the same problem and opened a support ticket at Red Hat. They now pointed to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1484899 which mentions the capability selinuxRelabel in OCP 3.7. With this option we finally got our cifs flexvolume plugin running :-)
We changed our init method in the flexvolume script to this to make it work:
{"status": "Success", "capabilities": {"attach": false, "selinuxRelabel": false}}