[CPDEV-94365] Add support for RHEL9 family, SELinux #473

Merged: 4 commits, Nov 10, 2023

krang404
Contributor

@krang404 krang404 commented Jul 18, 2023

Description

SELinux 3.5 introduces real support for security contexts. Therefore, installing on the latest versions of RHEL-like OS will always fail. That happens because, in scripts that send configuration files to a remote host, the files are moved from the /tmp directory preserving the source context.

Solution

  • Support operating systems based on RHEL 9 - RHEL 9, Oracle Linux 9, Rocky Linux 9, CentOS 9 Stream.
  • Move files from /tmp setting the default SELinux context of the target location, using mv -Z option.

Tests

Procedure installation, backup and restore tested on RHEL 9, Oracle Linux 9.2, Rocky Linux 9.2 and CentOS 9 Stream

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • Integration CI passed
  • Unit tests. If Yes list of new/changed tests with brief description
  • There are no merge conflicts

Integration Tests

Unit tests

  • def test_specific_os_family_cri_association_upgrade_required
    Add rhel9 family
  • def _packages_for_cri_os_family
    Add rhel9 family os
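
The move described in the Solution, as an added example (not Kubemarine's code): the function name `place_staged_file` and the demo paths are assumptions, while `mv -Z`, `selinuxenabled` and `restorecon -n -v` are the standard coreutils and SELinux userland tools.

```shell
# place_staged_file SRC DST
# Move a file staged under /tmp to DST so that it carries the default
# SELinux label for DST's path, not the label inherited from staging.
# Returns 0 on success, 1 if the move failed, 2 if the label still
# differs from what the loaded policy expects for DST.
place_staged_file() {
    src=$1
    dst=$2
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        # -Z labels the destination with the default type for its path;
        # a plain mv keeps the label the file had in the staging directory.
        mv -Z -- "$src" "$dst" || return 1
        if command -v restorecon >/dev/null 2>&1; then
            # -n changes nothing; -v prints one line per file whose
            # current label differs from the policy default.
            drift=$(restorecon -n -v "$dst" 2>/dev/null)
            if [ -n "$drift" ]; then
                printf 'label mismatch: %s\n' "$drift" >&2
                return 2
            fi
        fi
    else
        # SELinux disabled or not installed: there is no label to reset.
        mv -- "$src" "$dst" || return 1
    fi
    return 0
}

# Constructed demo: stage a file in a scratch directory and place it.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/etc"
printf 'constructed sample config\n' > "$demo_dir/staged.conf"
place_staged_file "$demo_dir/staged.conf" "$demo_dir/etc/app.conf" &&
    echo "placed $demo_dir/etc/app.conf"
```

On an enforcing host, a return code of 2 means the destination path has a policy default that `mv -Z` did not produce, which is worth investigating before the service that reads the file is started.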

@koryaga koryaga added improvement New feature or request help wanted Extra attention is needed external Raised by non NC employee labels Jul 18, 2023
@koryaga koryaga self-assigned this Jul 18, 2023
@koryaga koryaga changed the title Add support for SELinux and OS with polycoreutis package Add support for RHEL9 family, SELinux and OS with polycoreutis package Jul 19, 2023
@koryaga koryaga requested a review from ilia1243 July 20, 2023 12:52
@krang404
Contributor Author

In some cases keepalived.service will not start. It happens because enable service --now enables and starts the service with the default config, which contains the name eth0. In some virtual machines (like in the cloud) the default interface is named differently. And in new versions of systemd, a start with the wrong config will crash. I changed the logic for installing keepalived. In the last commit, the function install in keepalived.py will do the install and patch. The service is enabled and started in the function configure.

kubemarine/keepalived.py Outdated (resolved)
@koryaga
Collaborator

koryaga commented Aug 4, 2023

Going to test this PR on internal RHEL9 environment

@koryaga koryaga removed the help wanted Extra attention is needed label Aug 4, 2023
@koryaga koryaga requested a review from dmyar21 August 4, 2023 11:27
@dmyar21
Contributor

dmyar21 commented Aug 8, 2023

Hi @krang404
Please tell me which image of the system do you use for testing?
Please send the output of the cat /etc/*-release command
I want to clarify the id of your image

@krang404
Contributor Author

krang404 commented Aug 8, 2023

This PR was tested in Oracle Linux 9.2 (1st) and CentOS 9 Stream (2nd). Also, I installed k8s on Rocky Linux 9.2 with subj.

OL9

NAME="Oracle Linux Server"
VERSION="9.2"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Oracle Linux Server 9.2"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:9:2:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"

ORACLE_BUGZILLA_PRODUCT="Oracle Linux 9"
ORACLE_BUGZILLA_PRODUCT_VERSION=9.2
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=9.2

CentOS 9 Stream

NAME="CentOS Stream"
VERSION="9"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="9"
PLATFORM_ID="platform:el9"
PRETTY_NAME="CentOS Stream 9"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:centos:centos:9"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"

Rocky Linux 9

NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

@dmyar21
Contributor

dmyar21 commented Aug 9, 2023

Hi @krang404
Have you tested RHEL 9 locally?
Because I found an interesting point: my RHEL 9 image has an ID named rhel.
It turns out your changes with the addition of RHEL 9 to global.yaml are not working

NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
Red Hat Enterprise Linux release 9.2 (Plow)
Red Hat Enterprise Linux release 9.2 (Plow)
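
The four outputs in this thread differ in ID and ID_LIKE but share PLATFORM_ID="platform:el9". The following added example (not Kubemarine's own detection logic) derives an OS family from PLATFORM_ID and shows that ID_LIKE does not reliably name rhel; the function names and the `rhel<major>` naming are assumptions, and the samples are trimmed copies of the outputs above plus one constructed non-EL control.

```shell
# Constructed samples: the ID, ID_LIKE and PLATFORM_ID lines of the
# os-release outputs quoted in this thread, plus one non-EL control.
sample_ol()     { printf '%s\n' 'ID="ol"' 'ID_LIKE="fedora"' 'PLATFORM_ID="platform:el9"'; }
sample_centos() { printf '%s\n' 'ID="centos"' 'ID_LIKE="rhel fedora"' 'PLATFORM_ID="platform:el9"'; }
sample_rocky()  { printf '%s\n' 'ID="rocky"' 'ID_LIKE="rhel centos fedora"' 'PLATFORM_ID="platform:el9"'; }
sample_rhel()   { printf '%s\n' 'ID="rhel"' 'ID_LIKE="fedora"' 'PLATFORM_ID="platform:el9"'; }
sample_other()  { printf '%s\n' 'ID=ubuntu' 'ID_LIKE=debian'; }   # constructed control

# os_release_field KEY: read os-release text on stdin and print the value
# of KEY with surrounding double quotes removed (empty if KEY is absent).
os_release_field() {
    sed -n "s/^$1=//p" | sed -n '1p' | sed -e 's/^"//' -e 's/"$//'
}

# el_family: read os-release text on stdin and print "rhel<major>" when
# PLATFORM_ID is platform:el<major>, otherwise "unknown".
el_family() {
    platform=$(os_release_field PLATFORM_ID)
    case $platform in
        platform:el[0-9]*) echo "rhel${platform#platform:el}" ;;
        *) echo unknown ;;
    esac
}

# id_like_has_rhel: exit 0 only if ID_LIKE lists "rhel" as a word.
id_like_has_rhel() {
    case " $(os_release_field ID_LIKE) " in
        *" rhel "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per sample: its ID and the family derived from PLATFORM_ID.
for s in ol centos rocky rhel other; do
    printf '%-7s ID=%-7s family=%s\n' "$s" \
        "$("sample_$s" | os_release_field ID)" "$("sample_$s" | el_family)"
done
```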

@krang404
Contributor Author

krang404 commented Aug 11, 2023

Red Hat Enterprise Linux version 9 has a problem with installation of the policycoreutils-python-utils package (it is contained in the OL9 Appstream repo, but conflicted with some packages). So, I am not including support for RHEL9 in this PR. Installation was tested for 3 rhel9-like OS.

@krang404
Contributor Author

Also, in new versions iptables is replaced by the package iptables-nft, and cluster.yaml will need this section:

    mandatory:
      iptables: false
    install:
      include:
      - ethtool
      - socat
      - iptables-nft

@dmyar21
Contributor

dmyar21 commented Aug 14, 2023

This package is in the centos repository, you can use it for testing

@krang404
Contributor Author

This package is contained in many repos, but it has many problems with dependencies with python libs in RHEL9

@dmyar21
Contributor

dmyar21 commented Sep 1, 2023

Hi @krang404
Why then do you add to global.yaml version of rhel9, if you haven't tested it?

@krang404
Contributor Author

krang404 commented Sep 3, 2023

Hello. There is a misunderstanding. rhel9 in global.yaml means os_family, and when I created this PR I wrote about the rhel9 OS family, not Red Hat Enterprise Linux version 9. If you look at the text in the description of the PR, you will see it.

@dmyar21
Contributor

dmyar21 commented Sep 5, 2023

Hi @krang404
Please resolve conflicts in your pr

@krang404
Contributor Author

krang404 commented Sep 6, 2023

Hello @dmyar21. Done.

@dmyar21
Contributor

dmyar21 commented Sep 6, 2023

Hi @krang404
Please update the main branch in your repository from Kubemarine main and make sync fork main to fork selinux-support branch

Because you have an outdated code there

@krang404
Contributor Author

krang404 commented Sep 6, 2023

Done.

@koryaga
Collaborator

koryaga commented Sep 7, 2023

@krang404 thanks for efforts. We are planning to adopt this feature in R2023.4.
If you would like to continue to support this PR pls communicate with @dmyar21 and/or @ilia1243 to update code with latest Kubemarine changes.

@koryaga koryaga requested review from igza0216 and alexarefev and removed request for dmyar21 October 31, 2023 08:26
@krang404
Contributor Author

> Hi @krang404, I slightly changed the PR. I left only tested OS and removed Rocky 8.8, OL 9.1. Also changed packages compatibility and changed dealing with SELinux security context of files. Please confirm if the new changes still fit your needs.
>
> Also actualized the PR description.

Yes, this is OK, thank you.

@ilia1243 ilia1243 changed the title Add support for RHEL9 family, SELinux and OS with polycoreutis package [CPDEV-94365] Add support for RHEL9 family, SELinux and OS with polycoreutis package Oct 31, 2023
@ilia1243 ilia1243 changed the title [CPDEV-94365] Add support for RHEL9 family, SELinux and OS with polycoreutis package [CPDEV-94365] Add support for RHEL9 family, SELinux Oct 31, 2023
@koryaga
Collaborator

koryaga commented Nov 2, 2023

@OleksandrIaresko pls validate in QA and provide feedback

@koryaga
Collaborator

koryaga commented Nov 9, 2023

@krang404 can you pls resolve conflicts with main and add RHEL9 support for newly added k8s 1.28.3 in main as well. After that we will merge this feature

@krang404 krang404 reopened this Nov 10, 2023
@krang404
Contributor Author

Add support to kubernetes v1.28.3 and test it in local environment for OL 9.2 and Rocky 9.2

kubemarine/system.py Outdated (resolved)
@ilia1243 ilia1243 self-requested a review November 10, 2023 07:35
@ilia1243 ilia1243 marked this pull request as draft November 10, 2023 08:01
Remove unnecessary chcon invocations. Instead, use mv -Z to copy files from /tmp

Changed default iptables package for rhel9

Fixed compatibility with haproxy & keepalived up to minor part

Updated compatibility with docker-ce
@krang404 krang404 marked this pull request as ready for review November 10, 2023 09:06
@koryaga koryaga merged commit e033d3f into Netcracker:main Nov 10, 2023