[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [atomic] Kubernetes and /etc/hosts

From: Jonathan Rogers <jrogers emphasys-software com>
To: Seth Jennings <sjenning redhat com>
Cc: atomic projectatomic io
Subject: Re: [atomic] Kubernetes and /etc/hosts
Date: Sat, 10 Sep 2016 15:43:25 -0400

Yes, that fixed it for me, though I had to use single quotes around the
regular expression to prevent the shell from looking inside. Should I
add a comment with this workaround on the bug or is there a better place?

On 09/08/2016 11:25 AM, Seth Jennings wrote:
> Hey Jonathan,
> 
> Yes this is an issue.
> 
> kube mounts /etc/hosts into the container from something like:
> 
> /var/lib/kubelet/pods/9679b088-75d6-11e6-9f2b-fa163eebc035/etc-host
> 
> on the host.  That file is currently labeled with docker_var_lib_t:
> 
> # ls -alZ etc-hosts
> -rw-r--r--. root root system_u:object_r:docker_var_lib_t:s0 etc-hosts
> 
> This should be resolved by this yet-to-be-released fix to selinux-policy:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1369159
> 
> Should be fixed in selinux-policy > 3.13.1-95.el7.
> 
> In the meantime, you can override the selinux policy on your system manually:
> 
> # semanage fcontext -l | grep kubelet
> /var/lib/kubelet(/.*)?                             all files
> system_u:object_r:docker_var_lib_t:s0
> 
> # semanage fcontext -a -t svirt_sandbox_file_t "/var/lib/kubelet(/.*)?"
> 
> # restorecon -Rv /var/lib/kubelet
> 
> Hope this helps!
> 
> Seth
> 
> On Sun, Sep 4, 2016 at 8:15 PM, Jonathan Rogers
> <jrogers emphasys-software com> wrote:
>> I'm using CentOS Atomic Host 7. I can run Docker containers directly and
>> they function as expected. I set up a small Kubernetes cluster using the
>> Atomic and Kubernetes documentation. I can also run containers using
>> Kubernetes, but /etc/hosts is unreadable in the containers because of
>> SELinux configuration. I found this be true in containers based on both
>> the "busybox" Docker image as well as my CentOS 6-based image.
>>
>> I see that Kubernetes sets up a mount just for /etc/hosts, overriding
>> Docker's default behavior. Why is this necessary? It seems that
>> Kubernetes fails to apply the necessary label(s) to the hosts file it
>> provides. If I use the chcon command on the host to add
>> "svirt_sandbox_file_t" to the Kubernetes-managed hosts file, the
>> container can read it via /etc/hosts. Of course, disabling SELinux
>> enforcement also avoids the problem.
>>
>> Since this doesn't seem to be a common problem, I can't tell if it's
>> Kubernetes, CentOS or Atomic at fault. I found a long discussion about
>> SELinux vs Kubernetes which seems related. However, the Docker volume in
>> question was generated automatically by Kubernetes without any explicit
>> configuration.
>>
>> https://github.com/projectatomic/adb-atomic-developer-bundle/issues/117
>>
>> --
>> Jonathan Rogers
>> Socialserve.com by Emphasys Software
>> jrogers emphasys-software com
>>
>>
> 


-- 
Jonathan Rogers
Socialserve.com by Emphasys Software
jrogers emphasys-software com

References:
- [atomic] Kubernetes and /etc/hosts
  - From: Jonathan Rogers
- Re: [atomic] Kubernetes and /etc/hosts
  - From: Seth Jennings

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]