From d55ec0867586661b811f4c5c8bec74147a977310 Mon Sep 17 00:00:00 2001 From: Hussein Galal Date: Thu, 25 May 2023 02:52:07 +0300 Subject: [PATCH] Add el9 selinux rpm (#7443) * Add el9 to the install script Signed-off-by: galal-hussein * Add rocky-9 install test to test el9 selinux Signed-off-by: galal-hussein * Add rocky-9 install test to test el9 selinux to workflow Signed-off-by: galal-hussein * Use el8 for fedora 37 Signed-off-by: galal-hussein * Add a warning to reboot in coreos systems Signed-off-by: galal-hussein * remove k3s-selinux module in case of upgrade in el9 Signed-off-by: galal-hussein * Check for available container-selinux and k3s-selinux Signed-off-by: galal-hussein * extend selinux upgrade to sle distros Signed-off-by: galal-hussein * create /var/lib/rpm-state in sle systems Signed-off-by: galal-hussein * nit fix Signed-off-by: galal-hussein --------- Signed-off-by: galal-hussein --- .github/workflows/install.yaml | 2 +- install.sh | 41 ++++++++++- tests/install/rocky-9/Vagrantfile | 114 ++++++++++++++++++++++++++++++ 3 files changed, 153 insertions(+), 4 deletions(-) create mode 100644 tests/install/rocky-9/Vagrantfile diff --git a/.github/workflows/install.yaml b/.github/workflows/install.yaml index 767da0ec05..65e589df4d 100644 --- a/.github/workflows/install.yaml +++ b/.github/workflows/install.yaml @@ -30,7 +30,7 @@ jobs: strategy: fail-fast: false matrix: - vm: [centos-7, rocky-8, fedora, opensuse-leap, ubuntu-focal] + vm: [centos-7, rocky-8, rocky-9, fedora, opensuse-leap, ubuntu-focal] max-parallel: 2 defaults: run: diff --git a/install.sh b/install.sh index 044f9641ec..9117baa4f4 100755 --- a/install.sh +++ b/install.sh 
@@ -518,13 +518,17 @@ setup_selinux() { rpm_target=el7 rpm_site_infix=centos/7 package_installer=yum + elif [ "${VERSION_ID%%.*}" = "8" ] || [ "${VERSION_ID%%.*}" = "37" ]; then + rpm_target=el8 + rpm_site_infix=centos/8 + package_installer=yum elif [ "${ID_LIKE:-}" = coreos ] || [ "${VARIANT_ID:-}" = coreos ]; then rpm_target=coreos rpm_site_infix=coreos package_installer=rpm-ostree else - rpm_target=el8 - rpm_site_infix=centos/8 + rpm_target=el9 + rpm_site_infix=centos/9 package_installer=yum fi @@ -558,7 +562,7 @@ setup_selinux() { $policy_error "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, ${policy_hint}" fi elif [ ! -f /usr/share/selinux/packages/k3s.pp ]; then - if [ -x /usr/sbin/transactional-update ]; then + if [ -x /usr/sbin/transactional-update ] || [ "${ID_LIKE:-}" = coreos ] || [ "${VARIANT_ID:-}" = coreos ]; then warn "Please reboot your machine to activate the changes and avoid data loss." else $policy_error "Failed to find the k3s-selinux policy, ${policy_hint}" @@ -592,9 +596,12 @@ EOF sle) rpm_installer="zypper --gpg-auto-import-keys" if [ "${TRANSACTIONAL_UPDATE=false}" != "true" ] && [ -x /usr/sbin/transactional-update ]; then + transactional_update_run="transactional-update --no-selfupdate -d run" rpm_installer="transactional-update --no-selfupdate -d run ${rpm_installer}" : "${INSTALL_K3S_SKIP_START:=true}" fi + # create the /var/lib/rpm-state in SLE systems to fix the prein selinux macro + ${transactional_update_run} mkdir -p /var/lib/rpm-state ;; coreos) rpm_installer="rpm-ostree" 
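Review bot: The new `elif` for `VERSION_ID` 8/37 is tested before the coreos check, so a Fedora CoreOS host whose os-release reports `VERSION_ID=37` together with `VARIANT_ID=coreos` would now be routed to the el8/yum path instead of coreos/rpm-ostree, whereas before this change it fell through to the coreos branch. If Fedora CoreOS reports a bare major version in `VERSION_ID` the way Fedora does — worth confirming on a real image — the coreos branch needs to stay ahead of any version-number match. setup_selinux starts before this hunk. Suggested order of the chain:
```shell
    elif [ "${ID_LIKE:-}" = coreos ] || [ "${VARIANT_ID:-}" = coreos ]; then
        rpm_target=coreos
        rpm_site_infix=coreos
        package_installer=rpm-ostree
    elif [ "${VERSION_ID%%.*}" = "8" ] || [ "${VERSION_ID%%.*}" = "37" ]; then
        rpm_target=el8
        rpm_site_infix=centos/8
        package_installer=yum
    else
        # … unchanged: el9 default …
```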
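Review bot: The added `${transactional_update_run} mkdir -p /var/lib/rpm-state` runs without `$SUDO`, unlike the other privileged calls in this function (`$SUDO ${rpm_installer} install -y "k3s-selinux"` in the next hunk), so a non-root install that relies on sudo cannot create the directory and, under `set -e`, aborts before the package is installed. On non-transactional SLE the variable is also expanded while unset, which is an error if the script runs with `set -u` (not visible from this hunk). Suggest `$SUDO ${transactional_update_run:-} mkdir -p /var/lib/rpm-state`, which keeps the transactional-update prefix when it was set and stays a no-op prefix otherwise. The enclosing function starts before this hunk.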
@@ -607,6 +614,15 @@ EOF esac if [ "${rpm_installer}" = "yum" ] && [ -x /usr/bin/dnf ]; then rpm_installer=dnf + fi + if rpm -q --quiet k3s-selinux && [ "${3}" == "el9" ]; then + # remove k3s-selinux module in el9 before upgrade to allow container-selinux to upgrade safely + if check_available_upgrades container-selinux ${3} && check_available_upgrades k3s-selinux ${3}; then + MODULE_PRIORITY=$($SUDO semodule --list=full | grep k3s | cut -f1 -d" ") + if [ -n "${MODULE_PRIORITY}" ]; then + $SUDO semodule -X $MODULE_PRIORITY -r k3s || true + fi + fi fi # shellcheck disable=SC2086 $SUDO ${rpm_installer} install -y "k3s-selinux" @@ -614,6 +630,25 @@ EOF return } +check_available_upgrades() { + set +e + case ${2} in + sle) + available_upgrades=$($SUDO zypper -q -t -s 11 se -s -u --type package $1 | tail -n 1 | grep -v "No matching" | awk '{print $3}') + ;; + coreos) + # currently rpm-ostree does not support search functionality https://github.com/coreos/rpm-ostree/issues/1877 + ;; + *) + available_upgrades=$($SUDO yum -q --refresh list $1 --upgrades | tail -n 1 | awk '{print $2}') + ;; + esac + set -e + if [ -n "${available_upgrades}" ]; then + return 0 + fi + return 1 +} # --- download and verify k3s --- download_and_verify() { if can_skip_download_binary; then diff --git a/tests/install/rocky-9/Vagrantfile b/tests/install/rocky-9/Vagrantfile new file mode 100644 index 0000000000..b1373171a9 --- /dev/null +++ b/tests/install/rocky-9/Vagrantfile 
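Review bot: `[ "${3}" == "el9" ]` uses `==`, which is not a POSIX `test` operator; the neighbouring comparison two lines above uses `=` (`[ "${rpm_installer}" = "yum" ]`), and on a shell whose `[` rejects `==` the whole upgrade branch errors out instead of being skipped. Change it to `[ "${3}" = "el9" ]`. Separately, `semodule --list=full | grep k3s | cut -f1 -d" "` emits one priority per matching line, so any other installed module whose name contains `k3s` makes `MODULE_PRIORITY` multi-valued and breaks the `semodule -X … -r k3s` call; `awk '$2 == "k3s" {print $1}'` selects the exact module name. The trailing `|| true` also hides a failed removal, after which the install proceeds as if the module were gone — a `warn` on that path would make the upgrade problem visible rather than silent. The enclosing function starts before this hunk.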
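Review bot: `available_upgrades` in check_available_upgrades is never reset, so the `coreos)` arm (which assigns nothing) and an empty result on the other arms leave whatever a previous call stored, and the function can return 0 on stale data — the caller in the previous hunk invokes it twice back to back for container-selinux and k3s-selinux. Add `available_upgrades=""` right after `set +e`. The `sle)` arm also appears unreachable from the one call site visible here, which is guarded by `"${3}" == "el9"`, even though the commit message says the upgrade handling was extended to SLE — worth confirming against any other caller. For readability the function could follow the file's section-comment convention, e.g. `# --- check whether a package has an available upgrade ---` above it, with a blank line before `# --- download and verify k3s ---`.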
@@ -0,0 +1,114 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# + +ENV['TEST_INSTALL_SH'] ||= '../../../install.sh' +ENV['INSTALL_K3S_CHANNEL'] ||= 'testing' + +Vagrant.configure("2") do |config| + config.vagrant.plugins = { + 'vagrant-k3s' => {:version => '~> 0.1.3'}, + } + config.vm.box = "generic/rocky9" + config.vm.boot_timeout = ENV['TEST_VM_BOOT_TIMEOUT'] || 600 # seconds + config.vm.synced_folder '.', '/vagrant', disabled: true + + config.vm.define 'install-rocky-9', primary: true do |test| + test.vm.hostname = 'smoke' + test.vm.provision "disable-firewall", type: "shell", inline: "systemctl stop firewalld" + test.vm.provision 'k3s-upload', type: 'file', run: 'always', source: ENV['TEST_INSTALL_SH'], destination: 'install.sh' + test.vm.provision 'k3s-install', type: 'k3s', run: 'once' do |k3s| + k3s.installer_url = 'file:///home/vagrant/install.sh' + k3s.args = %w[server] + k3s.env = ENV.select{|k,v| k.start_with?('K3S_') || k.start_with?('INSTALL_K3S_')}.merge({ + :INSTALL_K3S_NAME => 'server', + }) + k3s.config = <<~YAML + selinux: true + token: 'vagrant' + YAML + k3s.config_mode = '0644' # side-step https://github.com/k3s-io/k3s/issues/4321 + end + test.vm.provision "k3s-wait-for-node", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh| + sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" } + sh.inline = <<~SHELL + #!/usr/bin/env bash + set -eu -o pipefail + echo 'Waiting for node to be ready ...' + time timeout 300 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done' + kubectl get node,all -A -o wide + SHELL + end + test.vm.provision "k3s-wait-for-coredns", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh| + sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" } + sh.inline = <<~SHELL + #!/usr/bin/env bash + set -eu -o pipefail + function describe-coredns { + RC=$? 
+ if [[ $RC -ne 0 ]]; then + kubectl describe node + kubectl --namespace kube-system describe pod -l k8s-app=kube-dns + kubectl --namespace kube-system logs -l k8s-app=kube-dns + fi + exit $RC + } + trap describe-coredns EXIT + time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/coredns 2>/dev/null); do sleep 5; done' + SHELL + end + test.vm.provision "k3s-wait-for-local-storage", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh| + sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" } + sh.inline = <<~SHELL + #!/usr/bin/env bash + set -eu -o pipefail + time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/local-path-provisioner 2>/dev/null); do sleep 5; done' + SHELL + end + test.vm.provision "k3s-wait-for-metrics-server", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh| + sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" } + sh.inline = <<~SHELL + #!/usr/bin/env bash + set -eu -o pipefail + time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/metrics-server 2>/dev/null); do sleep 5; done' + SHELL + end + test.vm.provision "k3s-wait-for-traefik", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh| + sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" } + sh.inline = <<~SHELL + #!/usr/bin/env bash + set -eu -o pipefail + time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/traefik 2>/dev/null); do sleep 5; done' + SHELL + end + test.vm.provision "k3s-status", type: "shell", run: ENV['CI'] == 'true' ? 
'never' : 'once' do |sh| + sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" } + sh.inline = <<~SHELL + #!/usr/bin/env bash + set -eux -o pipefail + kubectl get node,all -A -o wide + SHELL + end + test.vm.provision "k3s-procps", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh| + sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" } + sh.inline = <<~SHELL + #!/usr/bin/env bash + set -eux -o pipefail + ps auxZ | grep -E 'k3s|kube|container' | grep -v grep + SHELL + end + end + + config.vm.provision 'selinux-status', type: 'shell', run: 'once', inline: 'sestatus' + + %w[libvirt virtualbox vmware_desktop].each do |p| + config.vm.provider p do |v| + v.cpus = ENV['TEST_VM_CPUS'] || 2 + v.memory = ENV['TEST_VM_MEMORY'] || 2048 + end + end + config.vm.provider :virtualbox do |v,o| + v.gui = false + v.check_guest_additions = false + end +end
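Review bot: A few Ruby style nits in the new Vagrantfile: `ENV.select{|k,v| …}` and `config.vm.provider :virtualbox do |v,o|` declare block parameters `v` and `o` that are never used, and `{:version => '~> 0.1.3'}` / `:INSTALL_K3S_NAME => 'server'` use hash-rocket syntax where `version: '~> 0.1.3'` and `INSTALL_K3S_NAME: 'server'` would match current Ruby style. Renaming the unused parameters to `_v`/`_o` (or dropping `o`) keeps RuboCop quiet without changing behaviour. This file looks like a copy of the rocky-8 test, so presumably the same nits exist there and could be fixed together.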