Add el9 selinux rpm (#7443)

* Add el9 to the install script

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add rocky-9 install test to test el9 selinux

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add rocky-9 install test to test el9 selinux to workflow

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Use el8 for fedora 37

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add a warning to reboot in coreos systems

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* remove k3s-selinux module in case of upgrade in el9

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Check for available container-selinux and k3s-selinux

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* extend selinux upgrade to sle distros

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* create /var/lib/rpm-state in sle systems

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* nit fix

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

---------

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
pull/7608/head
Hussein Galal 2 years ago committed by GitHub
parent fe554fe703
commit d55ec08675
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -30,7 +30,7 @@ jobs:
strategy:
fail-fast: false
matrix:
vm: [centos-7, rocky-8, fedora, opensuse-leap, ubuntu-focal]
vm: [centos-7, rocky-8, rocky-9, fedora, opensuse-leap, ubuntu-focal]
max-parallel: 2
defaults:
run:

@ -518,13 +518,17 @@ setup_selinux() {
rpm_target=el7
rpm_site_infix=centos/7
package_installer=yum
elif [ "${VERSION_ID%%.*}" = "8" ] || [ "${VERSION_ID%%.*}" = "37" ]; then
rpm_target=el8
rpm_site_infix=centos/8
package_installer=yum
elif [ "${ID_LIKE:-}" = coreos ] || [ "${VARIANT_ID:-}" = coreos ]; then
rpm_target=coreos
rpm_site_infix=coreos
package_installer=rpm-ostree
else
rpm_target=el8
rpm_site_infix=centos/8
rpm_target=el9
rpm_site_infix=centos/9
package_installer=yum
fi
@ -558,7 +562,7 @@ setup_selinux() {
$policy_error "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, ${policy_hint}"
fi
elif [ ! -f /usr/share/selinux/packages/k3s.pp ]; then
if [ -x /usr/sbin/transactional-update ]; then
if [ -x /usr/sbin/transactional-update ] || [ "${ID_LIKE:-}" = coreos ] || [ "${VARIANT_ID:-}" = coreos ]; then
warn "Please reboot your machine to activate the changes and avoid data loss."
else
$policy_error "Failed to find the k3s-selinux policy, ${policy_hint}"
@ -592,9 +596,12 @@ EOF
sle)
rpm_installer="zypper --gpg-auto-import-keys"
if [ "${TRANSACTIONAL_UPDATE=false}" != "true" ] && [ -x /usr/sbin/transactional-update ]; then
transactional_update_run="transactional-update --no-selfupdate -d run"
rpm_installer="transactional-update --no-selfupdate -d run ${rpm_installer}"
: "${INSTALL_K3S_SKIP_START:=true}"
fi
# create the /var/lib/rpm-state in SLE systems to fix the prein selinux macro
${transactional_update_run} mkdir -p /var/lib/rpm-state
;;
coreos)
rpm_installer="rpm-ostree"
@ -607,6 +614,15 @@ EOF
esac
if [ "${rpm_installer}" = "yum" ] && [ -x /usr/bin/dnf ]; then
rpm_installer=dnf
fi
if rpm -q --quiet k3s-selinux && [ "${3}" == "el9" ]; then
# remove k3s-selinux module in el9 before upgrade to allow container-selinux to upgrade safely
if check_available_upgrades container-selinux ${3} && check_available_upgrades k3s-selinux ${3}; then
MODULE_PRIORITY=$($SUDO semodule --list=full | grep k3s | cut -f1 -d" ")
if [ -n "${MODULE_PRIORITY}" ]; then
$SUDO semodule -X $MODULE_PRIORITY -r k3s || true
fi
fi
fi
# shellcheck disable=SC2086
$SUDO ${rpm_installer} install -y "k3s-selinux"
@ -614,6 +630,25 @@ EOF
return
}
check_available_upgrades() {
set +e
case ${2} in
sle)
available_upgrades=$($SUDO zypper -q -t -s 11 se -s -u --type package $1 | tail -n 1 | grep -v "No matching" | awk '{print $3}')
;;
coreos)
# currently rpm-ostree does not support search functionality https://github.com/coreos/rpm-ostree/issues/1877
;;
*)
available_upgrades=$($SUDO yum -q --refresh list $1 --upgrades | tail -n 1 | awk '{print $2}')
;;
esac
set -e
if [ -n "${available_upgrades}" ]; then
return 0
fi
return 1
}
# --- download and verify k3s ---
download_and_verify() {
if can_skip_download_binary; then

@ -0,0 +1,114 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
#
ENV['TEST_INSTALL_SH'] ||= '../../../install.sh'
ENV['INSTALL_K3S_CHANNEL'] ||= 'testing'
Vagrant.configure("2") do |config|
config.vagrant.plugins = {
'vagrant-k3s' => {:version => '~> 0.1.3'},
}
config.vm.box = "generic/rocky9"
config.vm.boot_timeout = ENV['TEST_VM_BOOT_TIMEOUT'] || 600 # seconds
config.vm.synced_folder '.', '/vagrant', disabled: true
config.vm.define 'install-rocky-9', primary: true do |test|
test.vm.hostname = 'smoke'
test.vm.provision "disable-firewall", type: "shell", inline: "systemctl stop firewalld"
test.vm.provision 'k3s-upload', type: 'file', run: 'always', source: ENV['TEST_INSTALL_SH'], destination: 'install.sh'
test.vm.provision 'k3s-install', type: 'k3s', run: 'once' do |k3s|
k3s.installer_url = 'file:///home/vagrant/install.sh'
k3s.args = %w[server]
k3s.env = ENV.select{|k,v| k.start_with?('K3S_') || k.start_with?('INSTALL_K3S_')}.merge({
:INSTALL_K3S_NAME => 'server',
})
k3s.config = <<~YAML
selinux: true
token: 'vagrant'
YAML
k3s.config_mode = '0644' # side-step https://github.com/k3s-io/k3s/issues/4321
end
test.vm.provision "k3s-wait-for-node", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
echo 'Waiting for node to be ready ...'
time timeout 300 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done'
kubectl get node,all -A -o wide
SHELL
end
test.vm.provision "k3s-wait-for-coredns", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
function describe-coredns {
RC=$?
if [[ $RC -ne 0 ]]; then
kubectl describe node
kubectl --namespace kube-system describe pod -l k8s-app=kube-dns
kubectl --namespace kube-system logs -l k8s-app=kube-dns
fi
exit $RC
}
trap describe-coredns EXIT
time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/coredns 2>/dev/null); do sleep 5; done'
SHELL
end
test.vm.provision "k3s-wait-for-local-storage", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/local-path-provisioner 2>/dev/null); do sleep 5; done'
SHELL
end
test.vm.provision "k3s-wait-for-metrics-server", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/metrics-server 2>/dev/null); do sleep 5; done'
SHELL
end
test.vm.provision "k3s-wait-for-traefik", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/traefik 2>/dev/null); do sleep 5; done'
SHELL
end
test.vm.provision "k3s-status", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
kubectl get node,all -A -o wide
SHELL
end
test.vm.provision "k3s-procps", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
ps auxZ | grep -E 'k3s|kube|container' | grep -v grep
SHELL
end
end
config.vm.provision 'selinux-status', type: 'shell', run: 'once', inline: 'sestatus'
%w[libvirt virtualbox vmware_desktop].each do |p|
config.vm.provider p do |v|
v.cpus = ENV['TEST_VM_CPUS'] || 2
v.memory = ENV['TEST_VM_MEMORY'] || 2048
end
end
config.vm.provider :virtualbox do |v,o|
v.gui = false
v.check_guest_additions = false
end
end
Loading…
Cancel
Save