From 38109e6c9d7876747d4fccce54498132f967536e Mon Sep 17 00:00:00 2001
From: Chris Kim
Date: Mon, 19 Oct 2020 13:24:02 -0700
Subject: [PATCH 1/2] Add auto-install capability to install.sh for k3s-selinux

Signed-off-by: Chris Kim
---
 install.sh | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/install.sh b/install.sh
index a35fa974d1..fe23b29a7b 100755
--- a/install.sh
+++ b/install.sh
@@ -76,6 +76,9 @@ set -e
 # - INSTALL_K3S_SELINUX_WARN
 # If set to true will continue if k3s-selinux policy is not found.
 #
+# - INSTALL_K3S_SKIP_SELINUX_RPM
+# If set to true will skip automatic installation of the k3s RPM.
+#
 # - INSTALL_K3S_CHANNEL_URL
 # Channel URL for fetching k3s download URL.
 # Defaults to 'https://update.k3s.io/v1-release/channels'.
@@ -429,15 +432,27 @@ setup_binary() {
 # --- setup selinux policy ---
 setup_selinux() {
+
+ rpm_site="rpm.rancher.io"
+ if [ "${INSTALL_K3S_CHANNEL}" = "testing" ]; then
+ rpm_site="rpm-${INSTALL_K3S_CHANNEL}.rancher.io"
+ fi
+
 policy_hint="please install:
 yum install -y container-selinux selinux-policy-base
- yum install -y https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm
+ yum install -y https://${rpm_site}/k3s/${INSTALL_K3S_CHANNEL}/common/centos/7/noarch/k3s-selinux-0.2-1.el7_8.noarch.rpm
 "
 policy_error=fatal
 if [ "$INSTALL_K3S_SELINUX_WARN" = true ]; then
 policy_error=warn
 fi
+ if [ "$INSTALL_K3S_SKIP_SELINUX_RPM" = true ] || can_skip_download; then
+ info "Skipping installation of SELinux RPM"
+ else
+ install_selinux_rpm ${rpm_site}
+ fi
+
 if ! $SUDO chcon -u system_u -r object_r -t container_runtime_exec_t ${BIN_DIR}/k3s >/dev/null 2>&1; then
 if $SUDO grep '^\s*SELINUX=enforcing' /etc/selinux/config >/dev/null 2>&1; then
 $policy_error "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, ${policy_hint}"
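Review bot: The new help text for INSTALL_K3S_SKIP_SELINUX_RPM says it skips installation of "the k3s RPM", but the variable gates the k3s-selinux policy package (the code path it controls ends in `yum -y install "k3s-selinux"`), not the k3s binary itself. Suggest `#     If set to true will skip automatic installation of the k3s-selinux RPM.` so the option is not mistaken for a way to skip the main install. The neighbouring INSTALL_K3S_SELINUX_WARN entry already names the package precisely, so this keeps the two entries consistent.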
@@ -449,6 +464,28 @@ setup_selinux() {
 fi
 }
+# --- if on an el7/el8 system, install k3s-selinux
+install_selinux_rpm() {
+ if [ -r /etc/redhat-release ] || [ -r /etc/centos-release ] || [ -r /etc/oracle-release ]; then
+ dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
+ maj_ver=$(echo "$dist_version" | sed -E -e "s/^([0-9]+)\.?[0-9]*$/\1/")
+ if [ -r /etc/redhat-release ] && [ "${maj_ver}" = "7" ]; then
+ yum -y install yum-utils
+ yum-config-manager --enable rhel-7-server-extras-rpms
+ fi
+ cat <<-EOF >"/etc/yum.repos.d/rancher-k3s-common-${INSTALL_K3S_CHANNEL}.repo"
+[rancher-k3s-common-${INSTALL_K3S_CHANNEL}]
+name=Rancher K3s Common (${INSTALL_K3S_CHANNEL})
+baseurl=https://${1}/k3s/${INSTALL_K3S_CHANNEL}/common/centos/${maj_ver}/noarch
+enabled=1
+gpgcheck=1
+gpgkey=https://${1}/public.key
+EOF
+ yum -y install "k3s-selinux"
+ fi
+ return
+}
+
 # --- download and verify k3s ---
 download_and_verify() {
 if can_skip_download; then
From 96fc4c4b21d42a3f043ef25714e40562d4237e12 Mon Sep 17 00:00:00 2001
From: Chris Kim
Date: Mon, 26 Oct 2020 15:02:47 -0400
Subject: [PATCH 2/2] Add iptable_nat to modprobe list

Signed-off-by: Chris Kim
---
 pkg/agent/syssetup/setup.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/agent/syssetup/setup.go b/pkg/agent/syssetup/setup.go
index d0c3fe2e53..d19310fdbc 100644
--- a/pkg/agent/syssetup/setup.go
+++ b/pkg/agent/syssetup/setup.go
@@ -31,6 +31,7 @@ func Configure() {
 loadKernelModule("overlay")
 loadKernelModule("nf_conntrack")
 loadKernelModule("br_netfilter")
+ loadKernelModule("iptable_nat")

 // Kernel is inconsistent about how devconf is configured for
 // new network namespaces between ipv4 and ipv6. Make sure to
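Review bot: The `yum`/`yum-config-manager` invocations and the redirect into /etc/yum.repos.d inside install_selinux_rpm run without `$SUDO`, while the surrounding script prefixes privileged commands with it (`$SUDO chcon`, `$SUDO grep` in setup_selinux), so an unprivileged run that relies on sudo fails at the first of these and, with `set -e` in effect, aborts the whole install. Prefixing the package commands with `$SUDO` and writing the repo file through `$SUDO tee` makes the function consistent with the rest of the script. The `yum-config-manager --enable rhel-7-server-extras-rpms` step is also keyed only on /etc/redhat-release, which CentOS and Oracle Linux hosts typically provide as well, so its exit status on a system without that repo should be confirmed since a non-zero status terminates the script. The trailing `return` is a no-op; separately, the stanza already sets `gpgcheck=1` with an https gpgkey, and `repo_gpgcheck=1` would extend verification to the repository metadata if that is signed.
```shell
install_selinux_rpm() {
    if [ -r /etc/redhat-release ] || [ -r /etc/centos-release ] || [ -r /etc/oracle-release ]; then
        # … unchanged: dist_version / maj_ver detection …
        if [ -r /etc/redhat-release ] && [ "${maj_ver}" = "7" ]; then
            $SUDO yum -y install yum-utils
            $SUDO yum-config-manager --enable rhel-7-server-extras-rpms
        fi
        $SUDO tee "/etc/yum.repos.d/rancher-k3s-common-${INSTALL_K3S_CHANNEL}.repo" >/dev/null <<-EOF
        # … unchanged: repository stanza through the EOF terminator …
        $SUDO yum -y install "k3s-selinux"
    fi
}
```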
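Review bot: The new `loadKernelModule("iptable_nat")` line carries no comment saying which component needs the nat table preloaded, and the commit message only records that it was added to the list, so the next reader cannot tell whether it is still required when the networking stack changes. Suggest a why-comment on the new line such as `loadKernelModule("iptable_nat") // needed by <consumer — confirm> so the nat table exists before its rules are programmed`. Whether a missing module is fatal or merely logged depends on loadKernelModule, which is not in the hunk, so that behaviour on kernels without this module is an inference to verify. Configure begins and ends outside the hunk.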