From 0cb0af314b0e303c05594a134ad76b24a4867b2e Mon Sep 17 00:00:00 2001 From: jthapliya Date: Mon, 30 Oct 2023 13:24:08 -0400 Subject: [PATCH 1/2] Update README.md Added known issue section for rpm install of RKE2 on RHEL OSs with fapolicyd daemon running. Customers using hardened RHEL are running into this issue while using this code base. --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index 15ee3257..0359277e 100644 --- a/README.md +++ b/README.md @@ -129,6 +129,21 @@ ansible -i 18.217.113.10, all -u ec2-user -a "/usr/local/bin/rke2-uninstall.sh" ``` On rare occasions you may have to run the uninstall commands a second time. +Known Issues +------------------ +- For RHEL8+ Operating Systems that have fapolicyd daemon running, rpm installation of RKE2 will fail due to a permission error while starting containerd. Users have to add the following rules file before installing RKE2. This is not an issue if the install.sh script is used to install RKE2. The RPM issue is expected to be fixed later versions of RKE2. +```bash +cat <<-EOF >>"/etc/fapolicyd/rules.d/80-rke2.rules" +allow perm=any all : dir=/var/lib/rancher/ +allow perm=any all : dir=/opt/cni/ +allow perm=any all : dir=/run/k3s/ +allow perm=any all : dir=/var/lib/kubelet/ +EOF + +systemctl restart fapolicyd + +``` + Author Information ------------------ From 88db391b2cd606e5e9e9c9be5ad0769bccd01018 Mon Sep 17 00:00:00 2001 From: jthapliya Date: Mon, 30 Oct 2023 13:26:22 -0400 Subject: [PATCH 2/2] Update README.md Added known issue section for rpm install of RKE2 on RHEL OSs with fapolicyd daemon running. Customers using hardened RHEL are running into this issue while using this code base. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0359277e..e0c36dba 100644 --- a/README.md +++ b/README.md 
@@ -131,7 +131,7 @@ On rare occasions you may have to run the uninstall commands a second time. Known Issues ------------------ -- For RHEL8+ Operating Systems that have fapolicyd daemon running, rpm installation of RKE2 will fail due to a permission error while starting containerd. Users have to add the following rules file before installing RKE2. This is not an issue if the install.sh script is used to install RKE2. The RPM issue is expected to be fixed later versions of RKE2. +- For RHEL8+ Operating Systems that have fapolicyd daemon running, rpm installation of RKE2 will fail due to a permission error while starting containerd. Users have to add the following rules file before installing RKE2. This is not an issue if the install.sh script is used to install RKE2. The RPM issue is expected to be fixed in later versions of RKE2. ```bash cat <<-EOF >>"/etc/fapolicyd/rules.d/80-rke2.rules" allow perm=any all : dir=/var/lib/rancher/
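Review bot: in the added 80-rke2.rules heredoc, every rule is `allow perm=any all : dir=...`, which lets any subject open and execute anything under /var/lib/rancher/, /opt/cni/, /run/k3s/ and /var/lib/kubelet/. On the hardened RHEL hosts the commit message is aimed at, that is a wide exception to the fapolicyd allow-list. Consider narrowing the permission or the subject to what the RKE2 components need, or at least say in the README that the rules are deliberately broad. Separately, `cat <<-EOF >>` appends, so running the snippet a second time duplicates the four rules; a plain `>` would make it repeatable. The text should also say the commands need root, and the blank line before the closing fence can be dropped.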
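Review bot: squash this into [PATCH 1/2] or give it its own message, since the subject and body are copied from the first commit while the only change in the replaced bullet is "fixed later versions" becoming "fixed in later versions". While the bullet is being touched, "that have fapolicyd daemon running" could read "that have the fapolicyd daemon running", and a link to the upstream RKE2 issue would let readers tell when the workaround is no longer needed.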