Amazon Linux 2 k3s install fails with selinux dependency errors #10837

Closed
1 of 2 tasks
aganesh-suse opened this issue Sep 5, 2024 · 3 comments
Environment Details

Infrastructure

  • Cloud
  • Hosted

Node(s) CPU architecture, OS, and Version:

$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

$ uname -m
x86_64

Cluster Configuration:

HA: 3 server/ 1 agent

Describe the bug:

Config.yaml:

token: xxxx
cluster-init: true
write-kubeconfig-mode: "0644"
node-external-ip: 1.1.1.1
node-label:
- k3s-upgrade=server
selinux: true
debug: true

Testing Steps to Reproduce:

  1. Copy config.yaml
     $ sudo mkdir -p /etc/rancher/k3s && sudo cp config.yaml /etc/rancher/k3s
  2. Install k3s
     curl -sfL https://get.k3s.io | sudo INSTALL_K3S_VERSION='v1.30.4+k3s1' sh -s - server
  3. Verify Cluster Status:
     kubectl get nodes -o wide
     kubectl get pods -A

Expected behavior:

k3s install is successful - all services, nodes and pods come up successfully

Actual behavior:

$ curl -sfL https://get.k3s.io | sudo INSTALL_K3S_VERSION='v1.30.4+k3s1' sh -s - server
[INFO]  Using v1.30.4+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.30.4+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.30.4+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Finding available k3s-selinux versions
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package k3s-selinux.noarch 0:1.5-1.el7 will be installed
--> Processing Dependency: container-selinux < 2:2.164.2 for package: k3s-selinux-1.5-1.el7.noarch
--> Processing Dependency: selinux-policy-base >= 3.13.1-252 for package: k3s-selinux-1.5-1.el7.noarch
--> Processing Dependency: container-selinux >= 2:2.107-3 for package: k3s-selinux-1.5-1.el7.noarch
--> Finished Dependency Resolution
Error: Package: k3s-selinux-1.5-1.el7.noarch (rancher-k3s-common-stable)
           Requires: selinux-policy-base >= 3.13.1-252
           Installed: selinux-policy-targeted-3.13.1-192.amzn2.6.8.noarch (installed)
               selinux-policy-base = 3.13.1-192.amzn2.6.8
           Available: selinux-policy-minimum-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-minimum-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.5
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.7.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.7
           Available: selinux-policy-minimum-3.13.1-192.amzn2.6.8.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.8
           Available: selinux-policy-mls-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-mls-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.5
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.7.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.7
           Available: selinux-policy-mls-3.13.1-192.amzn2.6.8.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.8
           Available: selinux-policy-targeted-3.13.1-166.amzn2.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.5
           Available: selinux-policy-targeted-3.13.1-166.amzn2.9.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-166.amzn2.9
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.1
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.2
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.3
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.5.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.5
           Available: selinux-policy-targeted-3.13.1-192.amzn2.6.7.noarch (amzn2-core)
               selinux-policy-base = 3.13.1-192.amzn2.6.7
Error: Package: k3s-selinux-1.5-1.el7.noarch (rancher-k3s-common-stable)
           Requires: container-selinux < 2:2.164.2
Error: Package: k3s-selinux-1.5-1.el7.noarch (rancher-k3s-common-stable)
           Requires: container-selinux >= 2:2.107-3
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Additional context / logs:


aganesh-suse commented Sep 5, 2024

On a bare-bones Amazon Linux 2 setup:

$ sudo yum install container-selinux
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
No package container-selinux available.
Error: Nothing to do

To enable selinux policies on the Amazon Linux 2 setup we need to manually run:

sudo amazon-linux-extras enable selinux-ng
sudo yum clean metadata
sudo yum install selinux-policy-targeted

@aganesh-suse

With the above-mentioned prerequisite, installation works:

$ curl -sfL https://get.k3s.io | sudo INSTALL_K3S_VERSION='v1.30.4+k3s1' sh -s - server  
[INFO]  Using v1.30.4+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.30.4+k3s1/sha256sum-amd64.txt
[INFO]  Skipping binary downloaded, installed k3s matches hash
[INFO]  Finding available k3s-selinux versions
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package k3s-selinux.noarch 0:1.5-1.el7 will be installed
--> Processing Dependency: container-selinux < 2:2.164.2 for package: k3s-selinux-1.5-1.el7.noarch
--> Processing Dependency: container-selinux >= 2:2.107-3 for package: k3s-selinux-1.5-1.el7.noarch
--> Running transaction check
---> Package container-selinux.noarch 2:2.120.0-1.911c772.amzn2 will be installed
--> Processing Dependency: policycoreutils-python for package: 2:container-selinux-2.120.0-1.911c772.amzn2.noarch
--> Running transaction check
---> Package policycoreutils-python.x86_64 0:2.5-34.amzn2 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-4 for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: libsemanage-python >= 2.5-14 for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: libselinux-python for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-34.amzn2.x86_64
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.8.1-3.amzn2.1 will be installed
---> Package checkpolicy.x86_64 0:2.5-8.amzn2 will be installed
---> Package libcgroup.x86_64 0:0.41-21.amzn2 will be installed
---> Package libselinux-python.x86_64 0:2.5-15.amzn2.0.1 will be installed
---> Package libsemanage-python.x86_64 0:2.5-14.amzn2 will be installed
---> Package python-IPy.noarch 0:0.75-6.amzn2.0.1 will be installed
---> Package setools-libs.x86_64 0:3.3.8-4.amzn2.0.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch   Version             Repository                 Size
================================================================================
Installing:
 k3s-selinux         noarch 1.5-1.el7           rancher-k3s-common-stable  16 k
Installing for dependencies:
 audit-libs-python   x86_64 2.8.1-3.amzn2.1     amzn2-core                 79 k
 checkpolicy         x86_64 2.5-8.amzn2         amzn2extra-selinux-ng     288 k
 container-selinux   noarch 2:2.120.0-1.911c772.amzn2
                                                amzn2extra-selinux-ng      40 k
 libcgroup           x86_64 0.41-21.amzn2       amzn2-core                 66 k
 libselinux-python   x86_64 2.5-15.amzn2.0.1    amzn2extra-selinux-ng     234 k
 libsemanage-python  x86_64 2.5-14.amzn2        amzn2extra-selinux-ng     115 k
 policycoreutils-python
                     x86_64 2.5-34.amzn2        amzn2extra-selinux-ng     457 k
 python-IPy          noarch 0.75-6.amzn2.0.1    amzn2-core                 32 k
 setools-libs        x86_64 3.3.8-4.amzn2.0.1   amzn2extra-selinux-ng     605 k

Transaction Summary
================================================================================
Install  1 Package (+9 Dependent packages)

Total download size: 1.9 M
Installed size: 5.9 M
Downloading packages:
warning: /var/cache/yum/x86_64/2/rancher-k3s-common-stable/packages/k3s-selinux-1.5-1.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID e257814a: NOKEY
Public key for k3s-selinux-1.5-1.el7.noarch.rpm is not installed
--------------------------------------------------------------------------------
Total                                              3.8 MB/s | 1.9 MB  00:00     
Retrieving key from https://rpm.rancher.io/public.key
Importing GPG key 0xE257814A:
 Userid     : "Rancher (CI) <[email protected]>"
 Fingerprint: c8cf f216 4551 26e9 b9c9 18be 925e a29a e257 814a
 From       : https://rpm.rancher.io/public.key
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libcgroup-0.41-21.amzn2.x86_64                              1/10 
  Installing : setools-libs-3.3.8-4.amzn2.0.1.x86_64                       2/10 
  Installing : audit-libs-python-2.8.1-3.amzn2.1.x86_64                    3/10 
  Installing : libsemanage-python-2.5-14.amzn2.x86_64                      4/10 
  Installing : libselinux-python-2.5-15.amzn2.0.1.x86_64                   5/10 
  Installing : checkpolicy-2.5-8.amzn2.x86_64                              6/10 
  Installing : python-IPy-0.75-6.amzn2.0.1.noarch                          7/10 
  Installing : policycoreutils-python-2.5-34.amzn2.x86_64                  8/10 
  Installing : 2:container-selinux-2.120.0-1.911c772.amzn2.noarch          9/10 
setsebool:  SELinux is disabled.
  Installing : k3s-selinux-1.5-1.el7.noarch                               10/10 
  Verifying  : python-IPy-0.75-6.amzn2.0.1.noarch                          1/10 
  Verifying  : checkpolicy-2.5-8.amzn2.x86_64                              2/10 
  Verifying  : libselinux-python-2.5-15.amzn2.0.1.x86_64                   3/10 
  Verifying  : 2:container-selinux-2.120.0-1.911c772.amzn2.noarch          4/10 
  Verifying  : libsemanage-python-2.5-14.amzn2.x86_64                      5/10 
  Verifying  : audit-libs-python-2.8.1-3.amzn2.1.x86_64                    6/10 
  Verifying  : setools-libs-3.3.8-4.amzn2.0.1.x86_64                       7/10 
  Verifying  : policycoreutils-python-2.5-34.amzn2.x86_64                  8/10 
  Verifying  : k3s-selinux-1.5-1.el7.noarch                                9/10 
  Verifying  : libcgroup-0.41-21.amzn2.x86_64                             10/10 

Installed:
  k3s-selinux.noarch 0:1.5-1.el7                                                

Dependency Installed:
  audit-libs-python.x86_64 0:2.8.1-3.amzn2.1                                    
  checkpolicy.x86_64 0:2.5-8.amzn2                                              
  container-selinux.noarch 2:2.120.0-1.911c772.amzn2                            
  libcgroup.x86_64 0:0.41-21.amzn2                                              
  libselinux-python.x86_64 0:2.5-15.amzn2.0.1                                   
  libsemanage-python.x86_64 0:2.5-14.amzn2                                      
  policycoreutils-python.x86_64 0:2.5-34.amzn2                                  
  python-IPy.noarch 0:0.75-6.amzn2.0.1                                          
  setools-libs.x86_64 0:3.3.8-4.amzn2.0.1                                       

Complete!
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink from /etc/systemd/system/multi-user.target.wants/k3s.service to /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s
$ kubectl get nodes
NAME                                          STATUS   ROLES                       AGE     VERSION
ip-172-31-17-184.us-east-2.compute.internal   Ready    control-plane,etcd,master   6m2s    v1.30.4+k3s1
ip-172-31-19-108.us-east-2.compute.internal   Ready    control-plane,etcd,master   4m43s   v1.30.4+k3s1
ip-172-31-22-170.us-east-2.compute.internal   Ready    control-plane,etcd,master   7m25s   v1.30.4+k3s1
ip-172-31-23-198.us-east-2.compute.internal   Ready    <none>                      3m37s   v1.30.4+k3s1
$ kubectl get pods -A
NAMESPACE        NAME                                      READY   STATUS      RESTARTS   AGE
auto-clusterip   test-clusterip-59fc84d479-5plcx           1/1     Running     0          100s
auto-clusterip   test-clusterip-59fc84d479-dvwhm           1/1     Running     0          100s
auto-daemonset   test-daemonset-2f4wl                      1/1     Running     0          100s
auto-daemonset   test-daemonset-9jpkg                      1/1     Running     0          100s
auto-daemonset   test-daemonset-9zh9s                      1/1     Running     0          100s
auto-daemonset   test-daemonset-mf6n9                      1/1     Running     0          100s
auto-dns         dnsutils                                  1/1     Running     0          100s
auto-ingress     test-ingress-w6tlc                        1/1     Running     0          100s
auto-ingress     test-ingress-wkn26                        1/1     Running     0          100s
auto-nodeport    test-nodeport-69d6dc7f5f-28mfg            1/1     Running     0          100s
auto-nodeport    test-nodeport-69d6dc7f5f-wtfwb            1/1     Running     0          100s
default          clusterip-pod-demo                        1/1     Running     0          103s
default          clusterip-pod-demo-2                      1/1     Running     0          103s
default          clusterip-pod-demo-3                      1/1     Running     0          103s
kube-system      coredns-576bfc4dc7-4jbct                  1/1     Running     0          6m27s
kube-system      helm-install-traefik-6kzs9                0/1     Completed   1          6m27s
kube-system      helm-install-traefik-crd-kxl4h            0/1     Completed   0          6m27s
kube-system      local-path-provisioner-6795b5f9d8-ckc5g   1/1     Running     0          6m27s
kube-system      metrics-server-557ff575fb-h2bgp           1/1     Running     0          6m27s
kube-system      svclb-traefik-e1173e7e-6dhv9              2/2     Running     0          3m37s
kube-system      svclb-traefik-e1173e7e-r9s4l              2/2     Running     0          4m41s
kube-system      svclb-traefik-e1173e7e-t7fbc              2/2     Running     0          6m1s
kube-system      svclb-traefik-e1173e7e-tz952              2/2     Running     0          6m13s
kube-system      traefik-5fb479b77-2fxzw                   1/1     Running     0          6m13s
more-clusterip   test-clusterip-59fc84d479-6chts           1/1     Running     0          21s
more-clusterip   test-clusterip-59fc84d479-bh4jn           1/1     Running     0          21s
more-daemonset   test-daemonset-6dcqb                      1/1     Running     0          20s
more-daemonset   test-daemonset-djj22                      1/1     Running     0          20s
more-daemonset   test-daemonset-dnxb2                      1/1     Running     0          20s
more-daemonset   test-daemonset-mnttx                      1/1     Running     0          20s
more-dns         dnsutils                                  1/1     Running     0          20s
more-ingress     test-ingress-l4v9w                        1/1     Running     0          20s
more-ingress     test-ingress-lvr6c                        1/1     Running     0          20s
more-nodeport    test-nodeport-69d6dc7f5f-lkskn            1/1     Running     0          20s
more-nodeport    test-nodeport-69d6dc7f5f-rmg8x            1/1     Running     0          20s
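
Added example (not part of the issue and not k3s project code): a preflight check for nodes that set `selinux: true`, using the `k3s-selinux-1.5-1.el7` dependency bounds that yum printed above. The function names are hypothetical and the version ordering is an approximation of rpm's; because the successful install log also shows `setsebool:  SELinux is disabled.`, `preflight` warns when the host is not enforcing.

```sh
#!/bin/sh
# Added example. Bounds copied from the yum output for k3s-selinux-1.5-1.el7.
POLICY_MIN='3.13.1-252'   # selinux-policy-base >=
CSEL_MIN='2:2.107-3'      # container-selinux >=
CSEL_MAX='2:2.164.2'      # container-selinux <  (exclusive)

# segcmp A B: print -1, 0 or 1. Approximates rpm ordering: digit runs compare
# numerically, a digit run beats a letter run, leftover segments win. No ~ or ^.
segcmp() {
  awk -v a="$1" -v b="$2" '
    function segs(s, out,   n, i, c, k, kind, cur) {
      n = 0; cur = ""; kind = ""
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        k = (c ~ /[0-9]/) ? "d" : ((c ~ /[A-Za-z]/) ? "a" : "")
        if (k != kind && cur != "") { out[++n] = cur; cur = "" }
        if (k != "") cur = cur c
        kind = k
      }
      if (cur != "") out[++n] = cur
      return n
    }
    BEGIN {
      split("", A); split("", B); na = segs(a, A); nb = segs(b, B); r = 0
      for (i = 1; i <= na && i <= nb && r == 0; i++) {
        da = (A[i] ~ /^[0-9]/); db = (B[i] ~ /^[0-9]/)
        if (da != db) r = da ? 1 : -1
        else if (da) r = (A[i] + 0 > B[i] + 0) - (A[i] + 0 < B[i] + 0)
        else r = (A[i] > B[i]) - (A[i] < B[i])
      }
      if (r == 0) r = (na > nb) - (na < nb)
      print r
    }'
}

# evr_cmp A B: compare [epoch:]version[-release]. A missing epoch is 0 and the
# release is compared only when both sides carry one.
evr_cmp() {
  va=$1; vb=$2; ea=0; eb=0
  case $va in *:*) ea=${va%%:*}; va=${va#*:} ;; esac
  case $vb in *:*) eb=${vb%%:*}; vb=${vb#*:} ;; esac
  r=$(segcmp "$ea" "$eb")
  if [ "$r" = 0 ]; then r=$(segcmp "${va%%-*}" "${vb%%-*}"); fi
  if [ "$r" = 0 ] && [ "$va" != "${va#*-}" ] && [ "$vb" != "${vb#*-}" ]; then
    r=$(segcmp "${va#*-}" "${vb#*-}")
  fi
  echo "$r"
}

policy_ok() { [ "$(evr_cmp "$1" "$POLICY_MIN")" != -1 ]; }
csel_ok() { [ "$(evr_cmp "$1" "$CSEL_MIN")" != -1 ] && [ "$(evr_cmp "$1" "$CSEL_MAX")" = -1 ]; }

# preflight: run on the node itself before the k3s installer (pass --host).
preflight() {
  have=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy-targeted) || return 2
  policy_ok "$have" || { echo "selinux-policy $have is older than $POLICY_MIN" >&2; return 1; }
  [ "$(getenforce)" = Enforcing ] || echo "warning: SELinux is $(getenforce)" >&2
}
if [ "${1:-}" = "--host" ]; then preflight; fi
```

Without `--host` the script only defines the functions, so the comparison helpers can be exercised against version strings copied from a yum log.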

@github-project-automation github-project-automation bot moved this from New to Done Issue in K3s Development Sep 5, 2024

brandond commented Sep 5, 2024

@aganesh-suse do we want to create a docs issue to track these requirements?
