From e2089bea18b619c08afac0650595e2976806cc01 Mon Sep 17 00:00:00 2001
From: Jacob Blain Christen
Date: Tue, 11 Aug 2020 16:17:32 -0700
Subject: [PATCH] cli: add --selinux flag to agent/server sub-cmds (#2111)

* cli: add --selinux flag to agent/server sub-cmds

Introduces --selinux flag to affirmatively enable SELinux in containerd. Deprecates --disable-selinux flag which now defaults to true which auto-detection of SELinux configuration for containerd is no longer supported. Specifying both --selinux and --disable-selinux will result in an error message encouraging you to pick a side.

* Update pkg/agent/containerd/containerd.go

update log warning message about enabled selinux host but disabled runtime

Co-authored-by: Brad Davidson
Signed-off-by: Jacob Blain Christen
---
 pkg/agent/config/config.go | 3 +--
 pkg/agent/containerd/containerd.go | 13 +++------
 pkg/agent/templates/templates.go | 3 +--
 pkg/cli/cmds/agent.go | 40 ++++++++++++++++++++++++------
 pkg/cli/cmds/server.go | 12 ++++++---
 pkg/daemons/config/types.go | 3 ++-
 6 files changed, 49 insertions(+), 25 deletions(-)

diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go
index 4a81f157df..fd018ace78 100644
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@@ -399,7 +399,7 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) {
 	nodeConfig := &config.Node{
 		Docker: envInfo.Docker,
-		DisableSELinux: envInfo.DisableSELinux,
+		SELinux: envInfo.EnableSELinux,
 		ContainerRuntimeEndpoint: envInfo.ContainerRuntimeEndpoint,
 		FlannelBackend: controlConfig.FlannelBackend,
 	}
 
@@ -484,7 +484,6 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) {
 	nodeConfig.AgentConfig.DisableKubeProxy = controlConfig.DisableKubeProxy
 	nodeConfig.AgentConfig.Rootless = envInfo.Rootless
 	nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, DefaultPodManifestPath)
-	nodeConfig.DisableSELinux = envInfo.DisableSELinux
 	nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults
 
 	return nodeConfig, nil
diff --git a/pkg/agent/containerd/containerd.go b/pkg/agent/containerd/containerd.go
index 0a0eac83f8..e8a4efaaf7 100644
--- a/pkg/agent/containerd/containerd.go
+++ b/pkg/agent/containerd/containerd.go
@@ -233,15 +233,10 @@ func setupContainerdConfig(ctx context.Context, cfg *config.Node) error {
 	if err != nil {
 		return errors.Wrap(err, "failed to detect selinux")
 	}
-	if cfg.DisableSELinux {
-		containerdConfig.SELinuxEnabled = false
-		if selEnabled {
-			logrus.Warn("SELinux is enabled for system but has been disabled for containerd by override")
-		}
-	} else {
-		containerdConfig.SELinuxEnabled = selEnabled
-	}
-	if containerdConfig.SELinuxEnabled && !selConfigured {
+	switch {
+	case !cfg.SELinux && selEnabled:
+		logrus.Warn("SELinux is enabled on this host, but " + version.Program + " has not been started with --selinux - containerd SELinux support is disabled")
+	case cfg.SELinux && !selConfigured:
 		logrus.Warnf("SELinux is enabled for "+version.Program+" but process is not running in context '%s', "+version.Program+"-selinux policy may need to be applied", SELinuxContextType)
 	}
 
diff --git a/pkg/agent/templates/templates.go b/pkg/agent/templates/templates.go
index cd3c0a2c3a..14cc80b611 100644
--- a/pkg/agent/templates/templates.go
+++ b/pkg/agent/templates/templates.go
@@ -10,7 +10,6 @@ import (
 type ContainerdConfig struct {
 	NodeConfig *config.Node
 	IsRunningInUserNS bool
-	SELinuxEnabled bool
 	PrivateRegistryConfig *Registry
 }
 
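Review bot: The new switch in setupContainerdConfig has no branch for `cfg.SELinux && !selEnabled`, so starting with --selinux on a host where the detection result selEnabled is false proceeds silently, and because templates.go now renders `enable_selinux = {{ .NodeConfig.SELinux }}` straight from the flag, containerd's CRI config gets `enable_selinux = true` regardless of host state. The removed code only ever set SELinuxEnabled from selEnabled, so this is a behaviour change an operator relying on the flag as confirmation of confinement would not be told about. Adding a third case, `case cfg.SELinux && !selEnabled:` followed by `logrus.Warn("SELinux is not enabled on this host but " + version.Program + " was started with --selinux")`, keeps the mismatch visible in the log. setupContainerdConfig, and the detection that sets selEnabled and selConfigured, start outside the hunk.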
@@ -21,7 +20,7 @@ const ContainerdConfigTemplate = `
 [plugins.cri]
 stream_server_address = "127.0.0.1"
 stream_server_port = "10010"
- enable_selinux = {{ .SELinuxEnabled }}
+ enable_selinux = {{ .NodeConfig.SELinux }}
 
 {{- if .IsRunningInUserNS }}
 disable_cgroup = true
diff --git a/pkg/cli/cmds/agent.go b/pkg/cli/cmds/agent.go
index f53b991cc1..300062dbf4 100644
--- a/pkg/cli/cmds/agent.go
+++ b/pkg/cli/cmds/agent.go
@@ -4,6 +4,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/pkg/errors"
 	"github.com/rancher/k3s/pkg/version"
 	"github.com/rancher/spur/cli"
 	"github.com/rancher/spur/cli/altsrc"
@@ -31,7 +32,7 @@ type Agent struct {
 	Rootless bool
 	RootlessAlreadyUnshared bool
 	WithNodeID bool
-	DisableSELinux bool
+	EnableSELinux bool
 	ExtraKubeletArgs []string
 	ExtraKubeProxyArgs []string
 	Labels []string
@@ -139,25 +140,47 @@ var (
 		Destination: &AgentConfig.Labels,
 	}
 	DisableSELinuxFlag = cli.BoolFlag{
-		Name: "disable-selinux",
-		Usage: "(agent/node) Disable SELinux in containerd if currently enabled",
-		Hidden: true,
-		Destination: &AgentConfig.DisableSELinux,
+		Name: "disable-selinux",
+		Usage: "(deprecated) Use --selinux to explicitly enable SELinux",
+		Hidden: true,
+		Value: true, // disabled by default
 	}
 	ProtectKernelDefaultsFlag = cli.BoolFlag{
 		Name: "protect-kernel-defaults",
 		Usage: "(agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.",
 		Destination: &AgentConfig.ProtectKernelDefaults,
 	}
+	SELinuxFlag = cli.BoolFlag{
+		Name: "selinux",
+		Usage: "(agent/node) Enable SELinux in containerd",
+		Hidden: false,
+		Destination: &AgentConfig.EnableSELinux,
+		EnvVars: []string{version.ProgramUpper + "_SELINUX"},
+	}
 )
 
+func CheckSELinuxFlags(ctx *cli.Context) error {
+	disable, enable := DisableSELinuxFlag.Name, SELinuxFlag.Name
+	switch {
+	case ctx.IsSet(disable) && ctx.IsSet(enable):
+		return errors.Errorf("--%s is deprecated in favor of --%s to affirmatively enable it in containerd", disable, enable)
+	case ctx.IsSet(disable):
+		AgentConfig.EnableSELinux = !ctx.Bool(disable)
+	}
+	return nil
+}
 func NewAgentCommand(action func(ctx *cli.Context) error) *cli.Command {
 	return &cli.Command{
 		Name: "agent",
 		Usage: "Run node agent",
 		UsageText: appName + " agent [OPTIONS]",
-		Before: DebugContext(cli.InitAllInputSource(altsrc.NewConfigFromFlag(ConfigFlag.Name))),
-		Action: InitLogging(action),
+		Before: func(ctx *cli.Context) error {
+			if err := CheckSELinuxFlags(ctx); err != nil {
+				return err
+			}
+			return DebugContext(cli.InitAllInputSource(altsrc.NewConfigFromFlag(ConfigFlag.Name)))(ctx)
+		},
+		Action: InitLogging(action),
 		Flags: []cli.Flag{
 			&ConfigFlag,
 			&DebugFlag,
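Review bot: CheckSELinuxFlags is called in Before ahead of cli.InitAllInputSource(...), so ctx.IsSet and ctx.Bool can only reflect what came from the command line (and presumably the env var), not values the config file would supply; since DisableSELinuxFlag also lost its Destination in this hunk, a `disable-selinux` entry in the config file no longer reaches AgentConfig.EnableSELinux at all, and the both-flags conflict is not reported for that path. Unless DebugContext does more than wrap the input-source step, running the check after the input source has been applied, or giving the deprecated flag a Destination that CheckSELinuxFlags reads, would close that gap; NewServerCommand in pkg/cli/cmds/server.go has the same Before ordering. The exported CheckSELinuxFlags also has no doc comment; `// CheckSELinuxFlags rejects --selinux combined with the deprecated --disable-selinux and otherwise maps --disable-selinux onto AgentConfig.EnableSELinux.` would do. NewAgentCommand's Flags list continues outside the hunk.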
@@ -194,7 +217,6 @@ func NewAgentCommand(action func(ctx *cli.Context) error) *cli.Command {
 			&NodeLabels,
 			&NodeTaints,
 			&DockerFlag,
-			&DisableSELinuxFlag,
 			&CRIEndpointFlag,
 			&PauseImageFlag,
 			&SnapshotterFlag,
@@ -212,9 +234,11 @@ func NewAgentCommand(action func(ctx *cli.Context) error) *cli.Command {
 				Usage: "(experimental) Run rootless",
 				Destination: &AgentConfig.Rootless,
 			},
+			&SELinuxFlag,
 
 			// Deprecated/hidden below
 
+			&DisableSELinuxFlag,
 			&FlannelFlag,
 			&cli.StringFlag{
 				Name: "cluster-secret",
diff --git a/pkg/cli/cmds/server.go b/pkg/cli/cmds/server.go
index 688ce8abb5..fbd3c8d8b3 100644
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@@ -63,8 +63,13 @@ func NewServerCommand(action func(*cli.Context) error) *cli.Command {
 		Name: "server",
 		Usage: "Run management server",
 		UsageText: appName + " server [OPTIONS]",
-		Before: DebugContext(cli.InitAllInputSource(altsrc.NewConfigFromFlag(ConfigFlag.Name))),
-		Action: InitLogging(action),
+		Before: func(ctx *cli.Context) error {
+			if err := CheckSELinuxFlags(ctx); err != nil {
+				return err
+			}
+			return DebugContext(cli.InitAllInputSource(altsrc.NewConfigFromFlag(ConfigFlag.Name)))(ctx)
+		},
+		Action: InitLogging(action),
 		Flags: []cli.Flag{
 			&ConfigFlag,
 			&DebugFlag,
@@ -235,7 +240,6 @@ func NewServerCommand(action func(*cli.Context) error) *cli.Command {
 			&NodeLabels,
 			&NodeTaints,
 			&DockerFlag,
-			&DisableSELinuxFlag,
 			&CRIEndpointFlag,
 			&PauseImageFlag,
 			&SnapshotterFlag,
@@ -290,9 +294,11 @@ func NewServerCommand(action func(*cli.Context) error) *cli.Command {
 				Usage: "(experimental) Enable Secret encryption at rest",
 				Destination: &ServerConfig.EncryptSecrets,
 			},
+			&SELinuxFlag,
 
 			// Hidden/Deprecated flags below
 
+			&DisableSELinuxFlag,
 			&FlannelFlag,
 			&cli.StringSliceFlag{
 				Name: "no-deploy",
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index 9511573a13..e0349a9da4 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -26,7 +26,7 @@ type Node struct {
 	Docker bool
 	ContainerRuntimeEndpoint string
 	NoFlannel bool
-	DisableSELinux bool
+	SELinux bool
 	FlannelBackend string
 	FlannelConf string
 	FlannelConfOverride bool
@@ -46,6 +46,7 @@ type Containerd struct {
 	Config string
 	Opt string
 	Template string
+	SELinux bool
 }
 
 type Agent struct {
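Review bot: The new Containerd.SELinux field in the second hunk is not written by any hunk in this patch — config.go populates Node.SELinux, and templates.go reads `.NodeConfig.SELinux`, not `.NodeConfig.Containerd.SELinux` — so Node now carries two SELinux booleans, one of which is dead as far as this change shows. If a later change is meant to populate it, a comment such as `// SELinux is currently unset; the effective setting is Node.SELinux` would stop readers from assuming the per-runtime value is honored; otherwise it is simpler to drop the field. The Containerd struct's opening line is outside the hunk.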