Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ignition: not getting correct context on authorized keys file #2

Closed
dustymabe opened this issue Sep 7, 2018 · 16 comments
Closed

ignition: not getting correct context on authorized keys file #2

dustymabe opened this issue Sep 7, 2018 · 16 comments
Assignees
@jlebon

Comments

@dustymabe
Copy link
Member

Not sure why but ignition doesn't seem to be working with selinux in this repo right now. If I boot the resulting image and set enforcing=0 on the kernel command line in grub I get the system up.

I see that ignition-relabel.service ran but it doesn't touch authorized_keys for some reason

[root@localhost ~]# systemctl status ignition-relabel.service
● ignition-relabel.service - Relabel files created by Ignition
   Loaded: loaded (/run/systemd/system/ignition-relabel.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2018-09-07 01:45:34 UTC; 41s ago
  Process: 952 ExecStart=/usr/bin/rm /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
  Process: 942 ExecStart=/usr/sbin/restorecon -0vRf /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
 Main PID: 952 (code=exited, status=0/SUCCESS)

Sep 07 01:45:33 localhost.localdomain systemd[1]: Starting Relabel files created by Ignition...
Sep 07 01:45:34 localhost.localdomain restorecon[942]: Relabeled /etc/systemd/system/example.service from system_u:object_r:unlabeled_t:s0 to system_u:object_r:systemd_unit_file_t:s0                                                     
Sep 07 01:45:34 localhost.localdomain restorecon[942]: Relabeled /etc/systemd/system-preset/20-ignition.preset from system_u:object_r:unlabeled_t:s0 to system_u:object_r:etc_t:s0                                                         
Sep 07 01:45:34 localhost.localdomain systemd[1]: Started Relabel files created by Ignition.

and I see the AVC denials

[   32.785013] audit: type=1400 audit(1536284755.035:147): avc:  denied  { getattr } for  pid=1115 comm="sshd" path="/var/roothome/.ssh/authorized_keys" dev="dm-0" ino=14729 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

# rpm-ostree db list fedora/28/x86_64/coreos | grep ignition
 ignition-0.28.0-3.gitf707912.fc28.x86_64
 ignition-dracut-0.28.0-3.gitf707912.fc28.noarch

the startup logs from ignition are shown below:

ignition[819]: INFO     : Ignition 0.28.0                                                                                                                                                                                    
ignition[819]: INFO     : reading system config file "/usr/lib/ignition/base.ign"                                                                                                                                            
ignition[819]: INFO     : no config at "/usr/lib/ignition/base.ign"                                                                                                                                                          
ignition[819]: DEBUG    : parsed url from cmdline: ""                                                                                                                                                                        
ignition[819]: INFO     : no config URL provided                                                                                                                                                                             
ignition[819]: INFO     : reading system config file "/usr/lib/ignition/user.ign"                                                                                                                                            
ignition[819]: INFO     : no config at "/usr/lib/ignition/user.ign"                                                                                                                                                          
ignition[819]: INFO     : op(1): [started]  loading QEMU firmware config module
ignition[819]: DEBUG    : op(1): executing: "modprobe" "qemu_fw_cfg"
ignition[819]: INFO     : op(1): [finished] loading QEMU firmware config module
ignition[819]: DEBUG    : parsing config: {               
ignition[819]:   "ignition": { "version": "2.2.0" },
ignition[819]:   "systemd": {                       
ignition[819]:     "units": [{                                   
ignition[819]:       "name": "example.service",                                        
ignition[819]:       "enabled": true,                                                
ignition[819]:       "contents": "[Service]\nType=oneshot\nExecStart=/usr/bin/false\n\n[Install]\nWantedBy=multi-user.target"
ignition[819]:     }]                                                               
ignition[819]:   },                                       
ignition[819]:   "passwd": {                       
ignition[819]:     "users": [                                             
ignition[819]:       {                   
ignition[819]:         "name": "root",      
ignition[819]:         "sshAuthorizedKeys": [                             
ignition[819]:           "ssh-rsa AAAAB"
ignition[819]:         ]          
ignition[819]:       }                                                                                                                                                                                                      
ignition[819]:     ]                                                                                                                                                                                                        
ignition[819]:   }                                                                                                                                                                                                          
ignition[819]: }                                                                                                                                                                                                            
ignition[819]: INFO     : files: createUsers: op(2): [started]  creating or modifying user "root"                                                                                                                           
ignition[819]: DEBUG    : files: createUsers: op(2): executing: "/usr/sbin/usermod" "--root" "/sysroot" "root"                                                                                                              
ignition[819]: INFO     : files: createUsers: op(2): [finished] creating or modifying user "root"                                                                                                                           
ignition[819]: INFO     : files: createUsers: op(3): [started]  adding ssh keys to user "root"                                                                                                                              
ignition[819]: INFO     : files: createUsers: op(3): [finished] adding ssh keys to user "root"                                                                                                                              
ignition[819]: INFO     : files: op(4): [started]  processing unit "example.service"                                                                                                                                        
ignition[819]: INFO     : files: op(4): op(5): [started]  writing unit "example.service" at "etc/systemd/system/example.service"                                                                                            
ignition[819]: INFO     : files: op(4): op(5): [finished] writing unit "example.service" at "etc/systemd/system/example.service"
ignition[819]: INFO     : files: op(4): [finished] processing unit "example.service"                                                                                                                                        
ignition[819]: INFO     : files: op(6): [started]  enabling unit "example.service"      
ignition[819]: INFO     : files: op(6): [finished] enabling unit "example.service"                                                                                                                                          
ignition[819]: INFO     : files: op(7): [started]  processing unit "ignition-relabel.service"
ignition[819]: INFO     : files: op(7): op(8): [started]  writing unit "ignition-relabel.service" at "run/systemd/system/ignition-relabel.service"                                                                          
ignition[819]: INFO     : files: op(7): op(8): [finished] writing unit "ignition-relabel.service" at "run/systemd/system/ignition-relabel.service"
ignition[819]: INFO     : files: op(7): [finished] processing unit "ignition-relabel.service"                                                                                                                               
ignition[819]: INFO     : files: files passed    
ignition[819]: INFO     : Ignition finished successfully
@jlebon
Copy link
Member

jlebon commented Sep 7, 2018

Hmm, that should've been fixed by coreos/ignition#613, which made it in 0.28.0. I'll have to take a closer look.

@cgwalters
Copy link
Member

For me /home/core isn't labeled correctly even:

[root@coreos ~]# ls -aldZ /home/core
drwx------. 2 core core system_u:object_r:unlabeled_t:s0 62 Sep  7 17:57 /home/core

Hmm though that one is going to be made by Anaconda right now.

@jlebon
Copy link
Member

jlebon commented Sep 7, 2018

OK, after familiarizing myself with the assembler again, I finally got to the point of testing this... and it works fine here:

# rpm -qa | grep ignition
ignition-dracut-0.28.0-3.gitf707912.fc29.noarch
ignition-0.28.0-3.gitf707912.fc29.x86_64
# systemctl status ignition-relabel
● ignition-relabel.service - Relabel files created by Ignition
   Loaded: loaded (/run/systemd/system/ignition-relabel.service; enabled-runtime; vendor preset: disabled)
   Active: active (exited) since Fri 2018-09-07 19:51:17 UTC; 34s ago
  Process: 929 ExecStart=/usr/bin/rm /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
  Process: 925 ExecStart=/usr/sbin/restorecon -0vRf /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
 Main PID: 929 (code=exited, status=0/SUCCESS)

Sep 07 19:51:16 localhost.localdomain systemd[1]: Starting Relabel files created by Ignition...
Sep 07 19:51:17 localhost.localdomain restorecon[925]: Relabeled /etc/passwd from system_u:object_r:unlabeled_t:s0 to system_u:object_r:passwd_file_t:s0
Sep 07 19:51:17 localhost.localdomain restorecon[925]: Relabeled /etc/passwd- from system_u:object_r:unlabeled_t:s0 to system_u:object_r:passwd_file_t:s0
Sep 07 19:51:17 localhost.localdomain restorecon[925]: Relabeled /etc/group from system_u:object_r:unlabeled_t:s0 to system_u:object_r:passwd_file_t:s0
Sep 07 19:51:17 localhost.localdomain restorecon[925]: Relabeled /etc/shadow from system_u:object_r:unlabeled_t:s0 to system_u:object_r:shadow_t:s0
Sep 07 19:51:17 localhost.localdomain restorecon[925]: Relabeled /etc/gshadow from system_u:object_r:unlabeled_t:s0 to system_u:object_r:shadow_t:s0
Sep 07 19:51:17 localhost.localdomain restorecon[925]: Relabeled /var/roothome/.ssh/authorized_keys from system_u:object_r:unlabeled_t:s0 to system_u:object_r:ssh_home_t:s0
Sep 07 19:51:17 localhost.localdomain systemd[1]: Started Relabel files created by Ignition.

The big difference is f28 vs f29. Will try again on f28.

Hmm though that one is going to be made by Anaconda right now.

Yeah, that's seems correct. If it's not created by Ignition, then it won't know about it and add it to the list of things to relabel. I guess we could just relabel all of /home? Though it'd be nice to resolve the issues raised in openshift/os#96 too.

@jlebon
Copy link
Member

jlebon commented Sep 7, 2018

Hmm, no also works on f28:

[root@localhost ~]# rpm -qa | grep ignition
ignition-dracut-0.28.0-3.gitf707912.fc28.noarch
ignition-0.28.0-3.gitf707912.fc28.x86_64
[root@localhost ~]# systemctl status ignition-relabel --no-pager
● ignition-relabel.service - Relabel files created by Ignition
   Loaded: loaded (/run/systemd/system/ignition-relabel.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2018-09-07 20:43:21 UTC; 49s ago
  Process: 952 ExecStart=/usr/bin/rm /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
  Process: 945 ExecStart=/usr/sbin/restorecon -0vRf /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
 Main PID: 952 (code=exited, status=0/SUCCESS)

Sep 07 20:43:21 localhost.localdomain systemd[1]: Starting Relabel files created by Ignition...
Sep 07 20:43:21 localhost.localdomain restorecon[945]: Relabeled /etc/group from system_u:object_r:unlabeled_t:s0 to …e_t:s0
Sep 07 20:43:21 localhost.localdomain restorecon[945]: Relabeled /etc/gshadow from system_u:object_r:unlabeled_t:s0 t…w_t:s0
Sep 07 20:43:21 localhost.localdomain restorecon[945]: Relabeled /var/roothome/.ssh/authorized_keys from system_u:obj…e_t:s0
Sep 07 20:43:21 localhost.localdomain systemd[1]: Started Relabel files created by Ignition.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# journalctl -b 0 | grep denied
[root@localhost ~]# getenforce
Enforcing

Since the master branch bumped to f29, I used this diff:

diff --git a/fedora-coreos-base.yaml b/fedora-coreos-base.yaml
index dcacc3f..8a6ebd3 100644
--- a/fedora-coreos-base.yaml
+++ b/fedora-coreos-base.yaml
@@ -8,8 +8,8 @@ tmp-is-dir: true
 # Required by Ignition, and makes the system not compatible with Anaconda
 machineid-compat: false

-releasever: 29
-automatic_version_prefix: 29
+releasever: 28
+automatic_version_prefix: 28
 repos:
   - fedora
   - fedora-updates
diff --git a/fedora-coreos.yaml b/fedora-coreos.yaml
index ce035ef..5f7fc0c 100644
--- a/fedora-coreos.yaml
+++ b/fedora-coreos.yaml
@@ -1,9 +1,9 @@
 # unified-core compatible
-ref: fedora/29/x86_64/coreos
+ref: fedora/28/x86_64/coreos
 include: fedora-coreos-base.yaml

 packages:
-  - fedora-release-coreos
+  - fedora-release-atomichost

 rojig:
   license: MIT
diff --git a/fedora.repo b/fedora.repo
index 72ca7f8..6ef6253 100644
--- a/fedora.repo
+++ b/fedora.repo
@@ -6,7 +6,7 @@ enabled=1
 #metadata_expire=7d
 repo_gpgcheck=0
 type=rpm
-gpgcheck=1
+gpgcheck=0
 gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-29-primary
 skip_if_unavailable=False

@@ -17,7 +17,7 @@ metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$rele
 enabled=1
 repo_gpgcheck=0
 type=rpm
-gpgcheck=1
+gpgcheck=0
 metadata_expire=6h
 gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-29-primary
 skip_if_unavailable=False
@@ -27,7 +27,7 @@ name=Fedora $releasever - $basearch - Test Updates
 failovermethod=priority
 metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
 enabled=1
-gpgcheck=1
+gpgcheck=0
 metadata_expire=6h
 gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-29-primary
 skip_if_unavailable=False

@dustymabe
Copy link
Member Author

i'll check again on monday

@dustymabe
Copy link
Member Author

ok. i'm on f29 now and using @cgwalters coreos-assembler run , which doesn't involve authorized keys but one very interesting thing I note is that the core user is actually getting created by ignition itself and not anaconda somehow:

INFO     : files: createUsers: checking if user "core" exists: [Attention] exit status 1: Cmd: "/usr/sbin/chroot" "/sysroot" "/usr/bin/id" "core" Stdout: /usr/bin/id: 'core': no such user
INFO     : files: createUsers: op(2): [started]  creating or modifying user "core"                                                                                                         
DEBUG    : files: createUsers: op(2): executing: "/usr/sbin/useradd" "--root" "/sysroot" "--create-home" "--password" "*" "--groups" "sudo" "core"
INFO     : files: createUsers: op(2): [finished] creating or modifying user "core"

however the user creation was specified in anaconda kickstart:

[root@coreos ~]# cat /root/anaconda-ks.cfg | grep user
user --groups=wheel,sudo,adm,systemd-journal --name=core

I also see this when I first boot, which is probably an artifact (bug??) of ignition creating the user instead of anaconda:

Fedora 29 (CoreOS)            
Kernel 4.18.5-300.fc29.x86_64 on an x86_64 (ttyS0)                         
                                                                           
coreos login: core (automatic login)                                   
                                                                                 
Fedora CoreOS (preview)                                                      
---                                                                    
 -- core: /home/core: change directory failed: Permission denied       
Logging in with home = "/".                                            
[core@coreos /]$

@dustymabe
Copy link
Member Author

one very interesting thing I note is that the core user is actually getting created by ignition itself and not anaconda somehow

figured it out: https://github.com/cgwalters/fedora-coreos-config/issues/4

@dustymabe
Copy link
Member Author

ok #4 is fixed and this is still a problem for me. want to update to latest config and coreos-assembler and see if you can reproduce ?

@jlebon
Copy link
Member

jlebon commented Sep 11, 2018

Sure, let me give it a try.

@jlebon
Copy link
Member

jlebon commented Sep 11, 2018

Yup, looks good here:

[root@localhost ~]# systemctl status ignition-relabel --no-pager
● ignition-relabel.service - Relabel files created by Ignition
   Loaded: loaded (/run/systemd/system/ignition-relabel.service; enabled-runtime; vendor preset: disabled)
   Active: active (exited) since Tue 2018-09-11 21:28:16 UTC; 25s ago
  Process: 956 ExecStart=/usr/bin/rm /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
  Process: 952 ExecStart=/usr/sbin/restorecon -0vRf /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
 Main PID: 956 (code=exited, status=0/SUCCESS)

Sep 11 21:28:16 localhost.localdomain systemd[1]: Starting Relabel files created by Ignition...
Sep 11 21:28:16 localhost.localdomain restorecon[952]: Relabeled /etc/group from system_u:object_r:unlabeled_t:s0 to system_u:object_r:passwd_file_t:s0
Sep 11 21:28:16 localhost.localdomain restorecon[952]: Relabeled /etc/gshadow from system_u:object_r:unlabeled_t:s0 to system_u:object_r:shadow_t:s0
Sep 11 21:28:16 localhost.localdomain restorecon[952]: Relabeled /var/roothome/.ssh/authorized_keys from system_u:object_r:unlabeled_t:s0 to system_u:object_r:ssh_home_t:s0
Sep 11 21:28:16 localhost.localdomain systemd[1]: Started Relabel files created by Ignition.
[root@localhost ~]# rpm -qa | grep ignition
ignition-dracut-0.28.0-3.gitf707912.fc29.noarch
ignition-0.28.0-3.gitf707912.fc29.x86_64

How exactly do you provision your system? Can you paste your ignition config?

@dustymabe
Copy link
Member Author

using virt-install - a command like this:

# virt-install --import --name tester2 --cpu host-passthrough --ram 4096 --vcpus 2 --disk path=/guests/storagepools/manual/fedora-coreos-29.2-1-qemu.qcow231858 --disk path=/guests/storagepools/manual/fedora-coreos-29.2-1-qemu.qcow231858
.2,size=10 --disk path=/guests/storagepools/manual/user-data-iso.iso4064 --disk path=/guests/storagepools/manual/user-data-iso.iso15378 --accelerate --graphics none --force --network network=default,model=virtio --channel 'unix,mode=bin
d,target_type=virtio,name='\''org.qemu.guest_agent.0'\''' --boot menu=on,useserial=on '--qemu-commandline=-fw_cfg name=opt/com.coreos/config,file=/guests/sharedfolder/code/github.com/dustymabe/virtscripts/user-systemd.ign'

with ignition config:

$ cat user-systemd.ign
{
  "ignition": { "version": "2.2.0" },
  "systemd": {
    "units": [{
      "name": "example.service",
      "enabled": true,
      "contents": "[Service]\nType=oneshot\nExecStart=/usr/bin/false\n\n[Install]\nWantedBy=multi-user.target"
    }]
  },
  "passwd": {
    "users": [
      {
        "name": "core",
        "sshAuthorizedKeys": [
          "ssh-rsa AAAAB3...TRUNCATED"                                                                               
        ]
      }
    ]
  }
}

the relabel service doesn't mention the authorized_keys file:

[core@localhost ~]$ systemctl status ignition-relabel.service 
● ignition-relabel.service - Relabel files created by Ignition
   Loaded: loaded (/run/systemd/system/ignition-relabel.service; enabled-runtime; vendor preset: disabled)
   Active: active (exited) since Wed 2018-09-12 03:47:18 UTC; 46s ago
  Process: 934 ExecStart=/usr/bin/rm /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
  Process: 932 ExecStart=/usr/sbin/restorecon -0vRf /etc/selinux/ignition.relabel (code=exited, status=0/SUCCESS)
 Main PID: 934 (code=exited, status=0/SUCCESS)

Sep 12 03:47:17 localhost.localdomain systemd[1]: Starting Relabel files created by Ignition...
Sep 12 03:47:17 localhost.localdomain restorecon[932]: Relabeled /etc/systemd/system/example.service from system_u:object_r:unlabeled_t:s0 to system_u:object_r:systemd_unit_file_t:s0
Sep 12 03:47:17 localhost.localdomain restorecon[932]: Relabeled /etc/systemd/system-preset/20-ignition.preset from system_u:object_r:unlabeled_t:s0 to system_u:object_r:etc_t:s0
Sep 12 03:47:18 localhost.localdomain systemd[1]: Started Relabel files created by Ignition.
[core@localhost ~]$ 
[core@localhost ~]$ rpm -q ignition ignition-dracut
ignition-0.28.0-3.gitf707912.fc29.x86_64
ignition-dracut-0.28.0-3.gitf707912.fc29.noarch

output from ignition-files.service below:

[core@localhost ~]$ journalctl -u ignition-files.service | cat
-- Logs begin at Wed 2018-09-12 03:47:07 UTC, end at Wed 2018-09-12 03:48:34 UTC. --
Sep 12 03:47:15 localhost systemd[1]: Starting Ignition (files)...
Sep 12 03:47:15 localhost ignition[831]: INFO     : Ignition 0.28.0
Sep 12 03:47:15 localhost ignition[831]: INFO     : reading system config file "/usr/lib/ignition/base.ign"
Sep 12 03:47:15 localhost ignition[831]: INFO     : no config at "/usr/lib/ignition/base.ign"
Sep 12 03:47:15 localhost ignition[831]: DEBUG    : parsed url from cmdline: ""
Sep 12 03:47:15 localhost ignition[831]: INFO     : no config URL provided
Sep 12 03:47:15 localhost ignition[831]: INFO     : reading system config file "/usr/lib/ignition/user.ign"
Sep 12 03:47:15 localhost ignition[831]: INFO     : no config at "/usr/lib/ignition/user.ign"
Sep 12 03:47:15 localhost ignition[831]: INFO     : op(1): [started]  loading QEMU firmware config module
Sep 12 03:47:15 localhost ignition[831]: DEBUG    : op(1): executing: "modprobe" "qemu_fw_cfg"
Sep 12 03:47:15 localhost ignition[831]: INFO     : op(1): [finished] loading QEMU firmware config module
Sep 12 03:47:15 localhost ignition[831]: DEBUG    : parsing config: {
Sep 12 03:47:15 localhost ignition[831]:   "ignition": { "version": "2.2.0" },
Sep 12 03:47:15 localhost ignition[831]:   "systemd": {
Sep 12 03:47:15 localhost ignition[831]:     "units": [{
Sep 12 03:47:15 localhost ignition[831]:       "name": "example.service",
Sep 12 03:47:15 localhost ignition[831]:       "enabled": true,
Sep 12 03:47:15 localhost ignition[831]:       "contents": "[Service]\nType=oneshot\nExecStart=/usr/bin/false\n\n[Install]\nWantedBy=multi-user.target"
Sep 12 03:47:15 localhost ignition[831]:     }]
Sep 12 03:47:15 localhost ignition[831]:   },
Sep 12 03:47:15 localhost ignition[831]:   "passwd": {
Sep 12 03:47:15 localhost ignition[831]:     "users": [
Sep 12 03:47:15 localhost ignition[831]:       {
Sep 12 03:47:15 localhost ignition[831]:         "name": "core",
Sep 12 03:47:15 localhost ignition[831]:         "sshAuthorizedKeys": [
Sep 12 03:47:15 localhost ignition[831]:           "ssh-rsa AAAAB..."
Sep 12 03:47:15 localhost ignition[831]:         ]
Sep 12 03:47:15 localhost ignition[831]:       }
Sep 12 03:47:15 localhost ignition[831]:     ]
Sep 12 03:47:15 localhost ignition[831]:   }
Sep 12 03:47:15 localhost ignition[831]: }
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: createUsers: op(2): [started]  creating or modifying user "core"
Sep 12 03:47:15 localhost ignition[831]: DEBUG    : files: createUsers: op(2): executing: "/usr/sbin/usermod" "--root" "/sysroot" "core"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: createUsers: op(2): [finished] creating or modifying user "core"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: createUsers: op(3): [started]  adding ssh keys to user "core"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: createUsers: op(3): [finished] adding ssh keys to user "core"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(4): [started]  processing unit "example.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(4): op(5): [started]  writing unit "example.service" at "etc/systemd/system/example.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(4): op(5): [finished] writing unit "example.service" at "etc/systemd/system/example.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(4): [finished] processing unit "example.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(6): [started]  enabling unit "example.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(6): [finished] enabling unit "example.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(7): [started]  processing unit "ignition-relabel.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(7): op(8): [started]  writing unit "ignition-relabel.service" at "run/systemd/system/ignition-relabel.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(7): op(8): [finished] writing unit "ignition-relabel.service" at "run/systemd/system/ignition-relabel.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: op(7): [finished] processing unit "ignition-relabel.service"
Sep 12 03:47:15 localhost ignition[831]: INFO     : files: files passed
Sep 12 03:47:15 localhost ignition[831]: INFO     : Ignition finished successfully
Sep 12 03:47:15 localhost systemd[1]: Started Ignition (files).

@jlebon
Copy link
Member

jlebon commented Sep 12, 2018

Hmm, yeah I can reproduce this. At first I thought it was due to what we mentioned above with the core user being created by Anaconda right now. Though injecting the authorized keys from Ignition should've triggered a relabel.

I'll have to investigate further.

@jlebon jlebon self-assigned this Sep 12, 2018
@cgwalters
Copy link
Member

This one blocks having kola work.

cgwalters added a commit to cgwalters/coreos-assembler that referenced this issue Sep 14, 2018
@cgwalters
WIP: Add a kola verb
afff649 
Blocked by coreos/fedora-coreos-config#2
@cgwalters cgwalters mentioned this issue Sep 14, 2018
Merged
@jlebon
Copy link
Member

jlebon commented Sep 14, 2018

Hmm, so surprisingly, it looks like restorecon changed behaviour wrt symlinks between RHCOS and FCOS. In RHCOS:

[root@localhost /]# touch /root/mynewfile
[root@localhost /]# chcon -t unlabeled_t /root/mynewfile
[root@localhost /]# restorecon -vRn /var/roothome
restorecon reset /var/roothome/mynewfile context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:admin_home_t:s0

In FCOS:

[root@localhost /]# touch /root/mynewfile
[root@localhost /]# chcon -t unlabeled_t /root/mynewfile
[root@localhost /]# restorecon -vRn /root

But resolving the link:

[root@localhost /]# restorecon -vRn $(realpath /home)
Would relabel /var/roothome/mynewfile from unconfined_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:admin_home_t:s0

And the reason I didn't hit this when working on coreos/ignition#569 is that I was testing on RHCOS at the time. Colin did mention it but it was working fine in my tests of course.

Anyway, testing a patch now.

jlebon added a commit to jlebon/ignition that referenced this issue Sep 14, 2018
@jlebon
stages/files: relabel /var/home and /var/roothome
500a4ef 
The behaviour of how `restorecon` handles symlinks changed between RHCOS
and FCOS. More specifically, `restorecon` will follow symlinks that are
part of a given path, but not if the target path is a symlink itself.
On OSTree-based systems, `/home` and `/root` are just symlinks, so the
newer `restorecon` wasn't actually relabeling anything under there.

Add the real paths to the list of dirs to relabel and add `-i` so that
it's not a fatal error on non-OSTree-based systems.

Closes: coreos/fedora-coreos-config#2
@jlebon jlebon mentioned this issue Sep 14, 2018
Merged
@jlebon
Copy link
Member

jlebon commented Sep 14, 2018

coreos/ignition#632

jlebon added a commit to jlebon/ignition that referenced this issue Sep 14, 2018
@jlebon
stages/files: relabel /var/home and /var/roothome
45b7518 
The behaviour of how `restorecon` handles symlinks changed between RHCOS
and FCOS. More specifically, `restorecon` will follow symlinks that are
part of a given path, but not if the target path is a symlink itself.
On OSTree-based systems, `/home` and `/root` are just symlinks, so the
newer `restorecon` wasn't actually relabeling anything under there.

Add the real paths to the list of dirs to relabel and add `-i` so that
it's not a fatal error on non-OSTree-based systems.

Closes: coreos/fedora-coreos-config#2
@jlebon
Copy link
Member

jlebon commented Sep 17, 2018

https://src.fedoraproject.org/rpms/ignition/pull-request/8

c4rt0 pushed a commit to c4rt0/fedora-coreos-config that referenced this issue Mar 27, 2023
@openshift-merge-robot
Merge pull request coreos#2 from cgwalters/duality
547ac91 
Make CentOS a build-time option again
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jlebon jlebon

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cgwalters @dustymabe @jlebon