[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [atomic] Kubernetes and /etc/hosts

From: Seth Jennings <sjenning redhat com>
To: Jonathan Rogers <jrogers emphasys-software com>
Cc: atomic projectatomic io
Subject: Re: [atomic] Kubernetes and /etc/hosts
Date: Thu, 8 Sep 2016 10:25:22 -0500

Hey Jonathan,

Yes this is an issue.

kube mounts /etc/hosts into the container from something like:

/var/lib/kubelet/pods/9679b088-75d6-11e6-9f2b-fa163eebc035/etc-host

on the host.  That file is currently labeled with docker_var_lib_t:

# ls -alZ etc-hosts
-rw-r--r--. root root system_u:object_r:docker_var_lib_t:s0 etc-hosts

This should be resolved by this yet-to-be-released fix to selinux-policy:

https://bugzilla.redhat.com/show_bug.cgi?id=1369159

Should be fixed in selinux-policy > 3.13.1-95.el7.

In the meantime, you can override the selinux policy on your system manually:

# semanage fcontext -l | grep kubelet
/var/lib/kubelet(/.*)?                             all files
system_u:object_r:docker_var_lib_t:s0

# semanage fcontext -a -t svirt_sandbox_file_t "/var/lib/kubelet(/.*)?"

# restorecon -Rv /var/lib/kubelet

Hope this helps!

Seth

On Sun, Sep 4, 2016 at 8:15 PM, Jonathan Rogers
<jrogers emphasys-software com> wrote:
> I'm using CentOS Atomic Host 7. I can run Docker containers directly and
> they function as expected. I set up a small Kubernetes cluster using the
> Atomic and Kubernetes documentation. I can also run containers using
> Kubernetes, but /etc/hosts is unreadable in the containers because of
> SELinux configuration. I found this be true in containers based on both
> the "busybox" Docker image as well as my CentOS 6-based image.
>
> I see that Kubernetes sets up a mount just for /etc/hosts, overriding
> Docker's default behavior. Why is this necessary? It seems that
> Kubernetes fails to apply the necessary label(s) to the hosts file it
> provides. If I use the chcon command on the host to add
> "svirt_sandbox_file_t" to the Kubernetes-managed hosts file, the
> container can read it via /etc/hosts. Of course, disabling SELinux
> enforcement also avoids the problem.
>
> Since this doesn't seem to be a common problem, I can't tell if it's
> Kubernetes, CentOS or Atomic at fault. I found a long discussion about
> SELinux vs Kubernetes which seems related. However, the Docker volume in
> question was generated automatically by Kubernetes without any explicit
> configuration.
>
> https://github.com/projectatomic/adb-atomic-developer-bundle/issues/117
>
> --
> Jonathan Rogers
> Socialserve.com by Emphasys Software
> jrogers emphasys-software com
>
>

Follow-Ups:
- Re: [atomic] Kubernetes and /etc/hosts
  - From: Jonathan Rogers
- Re: [atomic] Kubernetes and /etc/hosts
  - From: Jonathan Rogers

References:
- [atomic] Kubernetes and /etc/hosts
  - From: Jonathan Rogers

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]