el8: keep on truckin (#24)

* el8: keep on truckin - keep up with container-selinux moving past 2.164.1 on el8 Signed-off-by: Jacob Blain Christen <[email protected]>
k3s-io · Oct 27, 2021 · c2d1cb2 · c2d1cb2
1 parent c8423d8
commit c2d1cb2
Show file tree

Hide file tree

Showing 7 changed files with 111 additions and 26 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -8,7 +8,7 @@ platform:
 
 steps:
 - name: Build EL7
-  image: rancher/dapper:v0.5.0
+  image: rancher/dapper:v0.5.7
   commands:
   - dapper -f Dockerfile.centos7.dapper policy/centos7/scripts/build
   volumes:
@@ -98,7 +98,7 @@ platform:
 
 steps:
 - name: Build EL8
-  image: rancher/dapper:v0.5.0
+  image: rancher/dapper:v0.5.7
   commands:
   - dapper -f Dockerfile.centos8.dapper policy/centos8/scripts/build
   volumes:
@@ -188,7 +188,7 @@ platform:
 
 steps:
 - name: Build SLE
-  image: rancher/dapper:v0.5.0
+  image: rancher/dapper:v0.5.7
   commands:
   - dapper -f Dockerfile.microos.dapper policy/microos/scripts/build
   volumes:

diff --git a/Dockerfile.microos.dapper b/Dockerfile.microos.dapper
@@ -1,11 +1,15 @@
 ARG TUMBLEWEED=opensuse/tumbleweed
 FROM ${TUMBLEWEED}
+ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround
+RUN chmod +x /bin/clone3-workaround
+SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"]
 RUN zypper install -y container-selinux git rpm-build selinux-policy-devel
 
+
 ENV DAPPER_SOURCE /source
 ENV DAPPER_OUTPUT ./dist
 ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
 ENV HOME ${DAPPER_SOURCE}
 WORKDIR ${DAPPER_SOURCE}
 
-ENTRYPOINT ["./policy/microos/scripts/entry"]
+ENTRYPOINT ["clone3-workaround", "./policy/microos/scripts/entry"]
diff --git a/policy/centos8/k3s-selinux.spec b/policy/centos8/k3s-selinux.spec
@@ -17,8 +17,8 @@ restorecon -R /var/run/k3s; \
 restorecon -R /var/run/flannel
 
 
-%define selinux_policyver 3.13.1-252
-%define container_policyver 2.159.0-1
+%define selinux_policyver 3.14.3-67
+%define container_policyver 2.167.0-1
 
 Name:   k3s-selinux
 Version:	%{k3s_selinux_version}
@@ -33,14 +33,15 @@ Source1:	k3s.if
 
 BuildArch: noarch
 BuildRequires: container-selinux >= %{container_policyver}
-BuildRequires: container-selinux < 2:2.164.2
 BuildRequires: git
 BuildRequires: selinux-policy-devel
 
 Requires: policycoreutils, libselinux-utils
-Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}, container-selinux < 2:2.164.2
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= 2:%{container_policyver}
 Requires(postun): policycoreutils
 
+Provides: %{name} = %{version}-%{release}
+Obsoletes: k3s-selinux < 0.5
 Conflicts: rke2-selinux
 
 %description

diff --git a/policy/centos8/k3s.fc b/policy/centos8/k3s.fc
@@ -1,21 +1,21 @@
 # vim: sw=8:ts=8:et
 
 /etc/systemd/system/k3s.*                                       --  gen_context(system_u:object_r:container_unit_file_t,s0)
-/usr/lib/systemd/system/k3s.*                                   --  gen_context(system_u:object_r:container_unit_file_t,s0)
+#/usr/lib/systemd/system/k3s.*                                   --  gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/local/lib/systemd/system/k3s.*                             --  gen_context(system_u:object_r:container_unit_file_t,s0)
-/usr/local/s?bin/k3s                                            --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/k3s                                                  --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/var/lib/cni(/.*)?                                                  gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/kubelet/pods(/.*)?                                         gen_context(system_u:object_r:container_file_t,s0)
-/var/lib/rancher/k3s(/.*)?                                          gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots           -d  gen_context(system_u:object_r:container_share_t,s0)
-/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*     -d  gen_context(system_u:object_r:container_share_t,s0)
-/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*      <<none>>
-/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?         gen_context(system_u:object_r:container_share_t,s0)
-/var/lib/rancher/k3s/data(/.*)?                                     gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/var/lib/rancher/k3s/storage(/.*)?                                  gen_context(system_u:object_r:container_file_t,s0)
-/var/log/containers(/.*)?                                           gen_context(system_u:object_r:container_log_t,s0)
-/var/log/pods(/.*)?                                                 gen_context(system_u:object_r:container_log_t,s0)
-/var/run/flannel(/.*)?                                              gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/k3s(/.*)?                                                  gen_context(system_u:object_r:container_var_run_t,s0)
-/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?             gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+#/usr/local/s?bin/k3s                                            --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
+#/usr/s?bin/k3s                                                  --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
+#/var/lib/cni(/.*)?                                                  gen_context(system_u:object_r:container_var_lib_t,s0)
+#/var/lib/kubelet/pods(/.*)?                                         gen_context(system_u:object_r:container_file_t,s0)
+#/var/lib/rancher/k3s(/.*)?                                          gen_context(system_u:object_r:container_var_lib_t,s0)
+#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots           -d  gen_context(system_u:object_r:container_share_t,s0)
+#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*     -d  gen_context(system_u:object_r:container_share_t,s0)
+#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*      <<none>>
+#/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?         gen_context(system_u:object_r:container_share_t,s0)
+#/var/lib/rancher/k3s/data(/.*)?                                     gen_context(system_u:object_r:container_runtime_exec_t,s0)
+#/var/lib/rancher/k3s/storage(/.*)?                                  gen_context(system_u:object_r:container_file_t,s0)
+#/var/log/containers(/.*)?                                           gen_context(system_u:object_r:container_log_t,s0)
+#/var/log/pods(/.*)?                                                 gen_context(system_u:object_r:container_log_t,s0)
+#/var/run/flannel(/.*)?                                              gen_context(system_u:object_r:container_var_run_t,s0)
+#/var/run/k3s(/.*)?                                                  gen_context(system_u:object_r:container_var_run_t,s0)
+#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?             gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
diff --git a/policy/microos/k3s-selinux.spec b/policy/microos/k3s-selinux.spec
@@ -33,7 +33,6 @@ Source1:	k3s.if
 
 BuildArch: noarch
 BuildRequires: container-selinux >= %{container_policyver}
-BuildRequires: container-selinux < 2:2.164.2
 BuildRequires: git
 BuildRequires: selinux-policy-devel
 

diff --git a/test/centos8/Vagrantfile b/test/centos8/Vagrantfile
@@ -0,0 +1,40 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vagrant.plugins = ["vagrant-k3s"]
+
+  config.vm.box = "centos/8"
+
+  %w[hyperv libvirt virtualbox vmware_desktop].each do |p|
+    config.vm.provider p do |v, o|
+      v.memory = "2048"
+      v.cpus = 2
+    end
+  end
+
+  config.vm.synced_folder '.', '/vagrant', disabled: true
+  config.vm.synced_folder '../../dist/centos8/noarch', '/vagrant/dist', type: 'rsync'
+
+  config.vm.provision :shell, run: 'once', inline: 'set -x; dnf install -y https://github.com/k3s-io/k3s-selinux/releases/download/v0.4.stable.1/k3s-selinux-0.4-1.el8.noarch.rpm'
+  config.vm.provision :shell, run: 'once' do |sh|
+    sh.inline = <<~EOF
+      #!/usr/bin/env bash
+      set -eux -o pipefail
+      dnf install -y \
+          /vagrant/dist/k3s-selinux-*.el8.noarch.rpm
+    EOF
+  end
+
+  # vagrant [up|provision] --provision-with=k3s
+  config.vm.provision :k3s, run: 'never' do |k3s|
+    k3s.env = <<~ENV
+      INSTALL_K3S_NAME=server
+      INSTALL_K3S_SKIP_SELINUX_RPM=true
+      INSTALL_K3S_VERSION=v1.21.5+k3s2
+      K3S_KUBECONFIG_MODE=0644
+      K3S_SELINUX=true
+      K3S_TOKEN=vagrant
+    ENV
+  end
+end
diff --git a/test/fedora34/Vagrantfile b/test/fedora34/Vagrantfile
@@ -0,0 +1,41 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vagrant.plugins = ["vagrant-k3s"]
+
+  config.vm.box = "fedora/34-cloud-base"
+
+  %w[hyperv libvirt virtualbox vmware_desktop].each do |p|
+    config.vm.provider p do |v, o|
+      v.memory = "2048"
+      v.cpus = 2
+    end
+  end
+
+  config.vm.synced_folder '.', '/vagrant', disabled: true
+  config.vm.synced_folder '../../dist/centos8/noarch', '/vagrant/dist', type: 'rsync'
+
+  config.vm.provision :shell, run: 'once', inline: 'set -x; dnf install -y https://github.com/k3s-io/k3s-selinux/releases/download/v0.4.stable.1/k3s-selinux-0.4-1.el8.noarch.rpm'
+  config.vm.provision :shell, run: 'once' do |sh|
+    sh.inline = <<~EOF
+      #!/usr/bin/env bash
+      set -eux -o pipefail
+      dnf install -y \
+          https://kojipkgs.fedoraproject.org/packages/container-selinux/2.170.0/2.fc34/noarch/container-selinux-2.170.0-2.fc34.noarch.rpm \
+          /vagrant/dist/k3s-selinux-*.el8.noarch.rpm
+    EOF
+  end
+
+  # vagrant [up|provision] --provision-with=k3s
+  config.vm.provision :k3s, run: 'never' do |k3s|
+    k3s.env = <<~ENV
+      INSTALL_K3S_NAME=server
+      INSTALL_K3S_SKIP_SELINUX_RPM=true
+      INSTALL_K3S_VERSION=v1.21.5+k3s2
+      K3S_KUBECONFIG_MODE=0644
+      K3S_SELINUX=true
+      K3S_TOKEN=vagrant
+    ENV
+  end
+end