
Commit a3e90e4

dssengsmira
authored and committed
fix: make upgrade work with SELinux enforcing=1
Add a test for this case.

Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Co-authored-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 3dfa4d6)
1 parent ac91ade commit a3e90e4


6 files changed

+94
-2
lines changed


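--- a/internal/integration/provision/provision.go
+++ b/internal/integration/provision/provision.go
@@ -23,6 +23,7 @@ import (
 "github.com/siderolabs/go-blockdevice/v2/encryption"
 "github.com/siderolabs/go-kubernetes/kubernetes/upgrade"
 "github.com/siderolabs/go-pointer"
+"github.com/siderolabs/go-procfs/procfs"
 "github.com/siderolabs/go-retry/retry"
 sideronet "github.com/siderolabs/net"
 "github.com/stretchr/testify/suite"
@@ -440,6 +441,8 @@ type clusterOptions struct {
 ControlplaneNodes int
 WorkerNodes int
 
+InjectExtraKernelArgs *procfs.Cmdline
+
 SourceKernelPath string
 SourceInitramfsPath string
 SourceDiskImagePath string
@@ -648,7 +651,8 @@ func (suite *BaseSuite) setupCluster(options clusterOptions) {
 Size: DefaultSettings.DiskGB * 1024 * 1024 * 1024,
 },
 },
-Config: suite.configBundle.ControlPlane(),
+Config: suite.configBundle.ControlPlane(),
+SDStubKernelArgs: options.InjectExtraKernelArgs,
 },
 )
 }
@@ -667,7 +671,8 @@ func (suite *BaseSuite) setupCluster(options clusterOptions) {
 Size: DefaultSettings.DiskGB * 1024 * 1024 * 1024,
 },
 },
-Config: suite.configBundle.Worker(),
+Config: suite.configBundle.Worker(),
+SDStubKernelArgs: options.InjectExtraKernelArgs,
 },
 )
 }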
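Review bot: The new `clusterOptions.InjectExtraKernelArgs` field is undocumented and its name does not match the `SDStubKernelArgs` it is assigned to on both the control-plane and worker node requests, so a reader may confuse it with `NodeRequest.ExtraKernelArgs`, which this commit's request.go change documents as not applying to ISO or disk-image boots. Suggest either renaming the field to `SDStubKernelArgs` for consistency with the request type, or adding `// InjectExtraKernelArgs are passed to every node as SDStubKernelArgs (systemd-stub command line), so they apply to ISO and disk-image boots.` above it. `setupCluster` starts and ends outside the visible hunks.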

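--- a/internal/integration/provision/upgrade.go
+++ b/internal/integration/provision/upgrade.go
@@ -10,16 +10,24 @@ import (
 "fmt"
 "path/filepath"
 
+"github.com/cosi-project/runtime/pkg/resource/rtestutils"
+"github.com/siderolabs/go-procfs/procfs"
+"github.com/stretchr/testify/assert"
+
 "github.com/siderolabs/talos/cmd/talosctl/pkg/mgmt/helpers"
 "github.com/siderolabs/talos/pkg/images"
+talosclient "github.com/siderolabs/talos/pkg/machinery/client"
 "github.com/siderolabs/talos/pkg/machinery/config/machine"
 "github.com/siderolabs/talos/pkg/machinery/constants"
+"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 )
 
 //nolint:maligned
 type upgradeSpec struct {
 ShortName string
 
+InjectExtraKernelArgs *procfs.Cmdline
+
 SourceKernelPath string
 SourceInitramfsPath string
 SourceDiskImagePath string
@@ -42,6 +50,7 @@ type upgradeSpec struct {
 WithEncryption bool
 WithBios bool
 WithApplyConfig bool
+WithEnforcing bool
 }
 
 const (
@@ -226,6 +235,38 @@ func upgradeCurrentToCurrentNewCmdline() upgradeSpec {
 }
 }
 
+func upgradeCurrentToCurrentEnforcing() upgradeSpec {
+installerImage := fmt.Sprintf(
+"%s/%s:%s",
+DefaultSettings.TargetInstallImageRegistry,
+images.DefaultInstallerImageName,
+DefaultSettings.CurrentVersion,
+)
+
+return upgradeSpec{
+ShortName: fmt.Sprintf("%s-same-ver-enforcing", DefaultSettings.CurrentVersion),
+
+InjectExtraKernelArgs: procfs.NewCmdline("enforcing=1"),
+
+SourceISOPath: helpers.ArtifactPath("metal-amd64.iso"),
+SourceInstallerImage: installerImage,
+SourceVersion: DefaultSettings.CurrentVersion,
+SourceK8sVersion: currentK8sVersion,
+
+TargetInstallerImage: installerImage,
+TargetVersion: DefaultSettings.CurrentVersion,
+TargetK8sVersion: currentK8sVersion,
+
+ControlplaneNodes: 1,
+WorkerNodes: 0,
+
+TargetCmdlineContains: "enforcing=1",
+
+WithApplyConfig: true,
+WithEnforcing: true,
+}
+}
+
 // UpgradeSuite ...
 type UpgradeSuite struct {
 BaseSuite
@@ -264,6 +305,8 @@ func (suite *UpgradeSuite) TestRolling() {
 ControlplaneNodes: suite.spec.ControlplaneNodes,
 WorkerNodes: suite.spec.WorkerNodes,
 
+InjectExtraKernelArgs: suite.spec.InjectExtraKernelArgs,
+
 SourceKernelPath: suite.spec.SourceKernelPath,
 SourceInitramfsPath: suite.spec.SourceInitramfsPath,
 SourceDiskImagePath: suite.spec.SourceDiskImagePath,
@@ -283,6 +326,18 @@ func (suite *UpgradeSuite) TestRolling() {
 // verify initial cluster version
 suite.assertSameVersionCluster(client, suite.spec.SourceVersion)
 
+// verify enforcing state
+for _, node := range suite.Cluster.Info().Nodes {
+rtestutils.AssertResource(
+talosclient.WithNode(suite.ctx, node.IPs[0].String()),
+suite.T(), client.COSI,
+runtime.SecurityStateID,
+func(r *runtime.SecurityState, asrt *assert.Assertions) {
+asrt.Equal(suite.spec.WithEnforcing, r.TypedSpec().SELinuxState == runtime.SELinuxStateEnforcing)
+},
+)
+}
+
 options := upgradeOptions{
 TargetInstallerImage: suite.spec.TargetInstallerImage,
 UpgradeStage: suite.spec.UpgradeStage,
@@ -306,6 +361,18 @@ func (suite *UpgradeSuite) TestRolling() {
 // verify final cluster version
 suite.assertSameVersionCluster(client, suite.spec.TargetVersion)
 
+// verify enforcing state
+for _, node := range suite.Cluster.Info().Nodes {
+rtestutils.AssertResource(
+talosclient.WithNode(suite.ctx, node.IPs[0].String()),
+suite.T(), client.COSI,
+runtime.SecurityStateID,
+func(r *runtime.SecurityState, asrt *assert.Assertions) {
+asrt.Equal(suite.spec.WithEnforcing, r.TypedSpec().SELinuxState == runtime.SELinuxStateEnforcing)
+},
+)
+}
+
 // upgrade Kubernetes if required
 suite.upgradeKubernetes(suite.spec.SourceK8sVersion, suite.spec.TargetK8sVersion, suite.spec.SkipKubeletUpgrade)
 
@@ -337,5 +404,6 @@ func init() {
 &UpgradeSuite{specGen: upgradeCurrentToCurrentBios, track: 0},
 &UpgradeSuite{specGen: upgradeStableToCurrentPreserveStage, track: 1},
 &UpgradeSuite{specGen: upgradeCurrentToCurrentNewCmdline, track: 2},
+&UpgradeSuite{specGen: upgradeCurrentToCurrentEnforcing, track: 1},
 )
 }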
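Review bot: The `// verify enforcing state` loop added after the initial version check in `TestRolling` is repeated verbatim after the final version check; extracting it into a suite helper called from both places keeps the two assertions from drifting apart. The helper also deserves a comment, because the check is two-sided: for every existing spec where `WithEnforcing` is false it now asserts that no node is in enforcing mode, which is a useful regression guard but not obvious from the `asrt.Equal` line. `node.IPs[0]` assumes each node reports at least one IP; this appears to be relied on elsewhere in the suite, but is worth stating in the helper's comment. The `client` parameter type below is inferred from the `client.COSI` and `talosclient` usage in the hunk — confirm against the declaration, which is outside the hunk. `TestRolling` starts and ends outside the visible hunks.

```go
// assertSELinuxState asserts that every node is in SELinux enforcing mode
// exactly when suite.spec.WithEnforcing is set (so non-enforcing specs
// assert the absence of enforcing mode). Assumes each node has at least one IP.
func (suite *UpgradeSuite) assertSELinuxState(client *talosclient.Client) {
	for _, node := range suite.Cluster.Info().Nodes {
		rtestutils.AssertResource(
			talosclient.WithNode(suite.ctx, node.IPs[0].String()),
			suite.T(), client.COSI,
			runtime.SecurityStateID,
			func(r *runtime.SecurityState, asrt *assert.Assertions) {
				asrt.Equal(suite.spec.WithEnforcing, r.TypedSpec().SELinuxState == runtime.SELinuxStateEnforcing)
			},
		)
	}
}

// … in TestRolling, each of the two duplicated loops becomes:
suite.assertSELinuxState(client)
```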

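--- a/internal/pkg/install/pull.go
+++ b/internal/pkg/install/pull.go
@@ -16,6 +16,7 @@ import (
 "github.com/containerd/errdefs"
 
 "github.com/siderolabs/talos/internal/pkg/containers/image"
+"github.com/siderolabs/talos/internal/pkg/selinux"
 "github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -67,6 +68,10 @@ func PullAndValidateInstallerImage(ctx context.Context, registryBuilder image.Re
 oci.WithProcessArgs(args...),
 }
 
+if selinux.IsEnabled() {
+specOpts = append(specOpts, oci.WithSelinuxLabel(constants.SelinuxLabelInstaller))
+}
+
 containerOpts := []containerd.NewContainerOpts{
 containerd.WithImage(img),
 containerd.WithNewSnapshot(containerID, img),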
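Review bot: The new `selinux.IsEnabled()` block in `PullAndValidateInstallerImage` carries no comment explaining why the installer container must run under `constants.SelinuxLabelInstaller`; the motivation lives only in the commit title (upgrade failing with `enforcing=1`), which a later reader of this file will not see. Suggest `// run the installer container under its dedicated SELinux label; without it the upgrade fails on hosts booted with enforcing=1` above the `if`. It is also worth noting in that comment that the label is applied whenever SELinux is enabled, not only when enforcing, so permissive and enforcing boots exercise the same policy path. The function starts and ends outside the visible hunk.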

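--- a/pkg/provision/providers/qemu/launch.go
+++ b/pkg/provision/providers/qemu/launch.go
@@ -43,6 +43,7 @@ type LaunchConfig struct {
 ExtraISOPath string
 PFlashImages []string
 KernelArgs string
+SDStubKernelArgs string
 MonitorPath string
 DefaultBootOrder string
 BootloaderEnabled bool
@@ -458,6 +459,10 @@ func patchKernelArgs(config *LaunchConfig, httpServerAddr net.Addr) error {
 
 config.sdStubExtraCmdline = "console=ttyS0"
 
+if config.SDStubKernelArgs != "" {
+config.sdStubExtraCmdline += " " + config.SDStubKernelArgs
+}
+
 if strings.Contains(config.KernelArgs, "{TALOS_CONFIG_URL}") {
 config.KernelArgs = strings.ReplaceAll(config.KernelArgs, "{TALOS_CONFIG_URL}", fmt.Sprintf("http://%s/config.yaml", configServerAddr))
 config.sdStubExtraCmdlineConfig = fmt.Sprintf(" talos.config=http://%s/config.yaml", httpServerAddr)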
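Review bot: `LaunchConfig.SDStubKernelArgs` is added without a doc comment, while the matching `NodeRequest.SDStubKernelArgs` in this commit's request.go change does document that it applies to ISO and disk-image boots; the `LaunchConfig` field is the one the launcher actually reads, so suggest `// SDStubKernelArgs are appended to the systemd-stub command line (ISO and disk-image boots only).` above it. In `patchKernelArgs` the value is appended after `console=ttyS0` with a single space, so the field is expected to hold an already space-separated cmdline fragment; stating that in the same comment would save callers other than the provision test from guessing the format. `patchKernelArgs` starts and ends outside the visible hunk.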

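--- a/pkg/provision/providers/qemu/node.go
+++ b/pkg/provision/providers/qemu/node.go
@@ -221,6 +221,10 @@ func (p *provisioner) createNode(ctx context.Context, state *provision.State, cl
 launchConfig.Network.Hostname = nodeReq.Name
 }
 
+if nodeReq.SDStubKernelArgs != nil {
+launchConfig.SDStubKernelArgs = nodeReq.SDStubKernelArgs.String()
+}
+
 if !nodeReq.PXEBooted && launchConfig.IPXEBootFileName == "" {
 launchConfig.KernelImagePath = strings.ReplaceAll(clusterReq.KernelPath, constants.ArchVariable, opts.TargetArch)
 launchConfig.InitrdPath = strings.ReplaceAll(clusterReq.InitramfsPath, constants.ArchVariable, opts.TargetArch)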

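--- a/pkg/provision/request.go
+++ b/pkg/provision/request.go
@@ -218,6 +218,11 @@ type NodeRequest struct {
 // This doesn't apply to boots from ISO or from the disk image.
 ExtraKernelArgs *procfs.Cmdline
 
+// SDStubKernelArgs passes additional kernel args via the systemd-stub.
+//
+// This applies to boots from ISO and from the disk image.
+SDStubKernelArgs *procfs.Cmdline
+
 // UUID allows to specify the UUID of the node (VMs only).
 //
 // If not specified, a random UUID will be generated.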
