Can't connect to Docker daemon when SELinux is in use #135

Closed
akaihola opened this issue Oct 16, 2018 · 18 comments

@akaihola
Contributor

  • running Fedora 26
  • sudo dnf remove docker-ce and reboot (just in case)
  • sudo snap install --edge --classic microk8s (also tried --beta and --stable)
  • microk8s.inspect shows everything ok
  • microk8s.docker -D -l debug <command> outputs nothing and hangs, no matter what command I try (even --help)
  • I see this in the kubelet log:
$ sudo journalctl -u snap.microk8s.daemon-kubelet.service|tail
Oct 16 08:20:44 gogo microk8s.daemon-kubelet[12994]: W1016 08:20:44.727621   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry
Oct 16 08:21:24 gogo microk8s.daemon-kubelet[12994]: W1016 08:21:24.727881   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry
Oct 16 08:22:04 gogo microk8s.daemon-kubelet[12994]: W1016 08:22:04.728205   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry
Oct 16 08:22:44 gogo microk8s.daemon-kubelet[12994]: W1016 08:22:44.728530   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry
Oct 16 08:23:24 gogo microk8s.daemon-kubelet[12994]: W1016 08:23:24.728768   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry
Oct 16 08:24:04 gogo microk8s.daemon-kubelet[12994]: W1016 08:24:04.729119   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry
Oct 16 08:24:44 gogo microk8s.daemon-kubelet[12994]: W1016 08:24:44.729457   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry
Oct 16 08:25:24 gogo microk8s.daemon-kubelet[12994]: W1016 08:25:24.729655   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry
Oct 16 08:26:04 gogo microk8s.daemon-kubelet[12994]: W1016 08:26:04.729875   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry
Oct 16 08:26:44 gogo microk8s.daemon-kubelet[12994]: W1016 08:26:44.730078   12994 manager.go:253] Timeout trying to communicate with docker during initialization, will retry

inspection-report-20181016_082316.tar.gz

@ktsakalozos
Member

Hi @akaihola ,

Thank you for reporting this.

Here is what happens. When dockerd starts it listens on a socket (unix:///var/snap/microk8s/current/docker.sock). SELinux is blocking socket communication by default, as discussed in https://forum.snapcraft.io/t/selinux-blocking-socket-activation-on-fedora/6931 . You can verify this by temporarily disabling SELinux and restarting microk8s:

sudo setenforce permissive
sudo snap stop microk8s
sudo snap start microk8s

I am taking a look now how/if we can detect selinux and set it to allow the required socket communication.

Thank you for taking the time to report this issue and apologies for any inconvenience.

@akaihola
Contributor Author

akaihola commented Nov 1, 2018

Hi @ktsakalozos,

Thanks for pointing out SELinux as the reason for my problem.

I wonder if there's a manual way to allow the required socket communication which I could use as a temporary work-around? I know the basics of SELinux, so if you can give some pointers, I can probably figure it out and post the work-around here.

@ktsakalozos
Member

Thank you for volunteering @akaihola.

When you have SELinux you get a number of deny audit entries in /var/log/audit/audit.log. Here is a sample I got from microk8s running on a VM https://pastebin.com/L41JPeei . We will need to tell SELinux not to deny operations coming from the microk8s binaries. Then we will patch the install (or configure) hook https://github.com/ubuntu/microk8s/blob/master/snap/hooks/configure to detect the presence of SELinux and apply the rules. In this way any new installation will work.

The part that I would need your help with is translating the audit logs and turning them into a script with appropriate rules. Do you think you could do that?

I appreciate your help. Thank you.

@akaihola changed the title from "Can't connect to Docker daemon" to "Can't connect to Docker daemon when SELinux is in use" on Nov 26, 2018
@akaihola
Contributor Author

akaihola commented Nov 26, 2018

@ktsakalozos, here's an excerpt from my /var/log/audit/audit.log:

$ sudo egrep "microk8s|docker|kube" /var/log/audit/audit.log
type=SERVICE_START msg=audit(1543238936.928:7757): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snap.microk8s.daemon-apiserver comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1543238936.931:7758): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snap.microk8s.daemon-apiserver-kicker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1543238936.935:7759): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snap.microk8s.daemon-controller-manager comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1543238936.939:7760): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snap.microk8s.daemon-docker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1543238936.942:7761): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snap.microk8s.daemon-etcd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1543238936.948:7764): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snap.microk8s.daemon-kubelet comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1543238936.952:7766): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snap.microk8s.daemon-proxy comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1543238936.953:7767): avc:  denied  { execute_no_trans } for  pid=31172 comm="snap-exec" path="/var/lib/snapd/snap/microk8s/313/command-daemon-apiserver.wrapper" dev="loop5" ino=644 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238936.955:7770): avc:  denied  { ioctl } for  pid=31172 comm="command-daemon-" path="/var/lib/snapd/snap/microk8s/313/command-daemon-apiserver.wrapper" dev="loop5" ino=644 ioctlcmd=0x5401 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1543238936.959:7771): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snap.microk8s.daemon-scheduler comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1543238936.966:7772): avc:  denied  { map } for  pid=31243 comm="ip" path="/var/lib/snapd/snap/microk8s/313/bin/ip" dev="loop5" ino=34 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238936.985:7778): avc:  denied  { map } for  pid=31191 comm="etcd" path="/var/snap/microk8s/common/var/run/etcd/member/snap/db" dev="dm-1" ino=1329028 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238936.993:7779): avc:  denied  { setattr } for  pid=31185 comm="dockerd" name="docker.sock" dev="dm-1" ino=1329196 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1543238936.995:7780): avc:  denied  { sys_resource } for  pid=31185 comm="dockerd" capability=24  scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1543238936.995:7781): avc:  denied  { write } for  pid=31185 comm="dockerd" name="docker-containerd.sock" dev="dm-1" ino=1329115 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1543238937.009:7782): avc:  denied  { unlink } for  pid=31337 comm="docker-containe" name="docker-containerd.sock" dev="dm-1" ino=1329115 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1543238937.070:7785): avc:  denied  { read } for  pid=31213 comm="kube-proxy" name="modules.builtin" dev="dm-1" ino=795772 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.070:7786): avc:  denied  { open } for  pid=31213 comm="kube-proxy" path="/usr/lib/modules/4.19.2-301.fc29.x86_64/modules.builtin" dev="dm-1" ino=795772 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.070:7787): avc:  denied  { getattr } for  pid=31213 comm="kube-proxy" path="/usr/lib/modules/4.19.2-301.fc29.x86_64/modules.builtin" dev="dm-1" ino=795772 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.071:7788): avc:  denied  { getattr } for  pid=31213 comm="kube-proxy" path="/usr/bin/kmod" dev="dm-1" ino=656198 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.071:7789): avc:  denied  { execute } for  pid=31395 comm="kube-proxy" name="kmod" dev="dm-1" ino=656198 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.071:7790): avc:  denied  { read open } for  pid=31395 comm="kube-proxy" path="/usr/bin/kmod" dev="dm-1" ino=656198 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.071:7791): avc:  denied  { execute_no_trans } for  pid=31395 comm="kube-proxy" path="/usr/bin/kmod" dev="dm-1" ino=656198 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.077:7803): avc:  denied  { name_bind } for  pid=31172 comm="kube-apiserver" src=8080 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1543238937.078:7804): avc:  denied  { read } for  pid=31179 comm="kube-controller" name="kube-controller-manager.crt" dev="tmpfs" ino=807426 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.078:7805): avc:  denied  { open } for  pid=31179 comm="kube-controller" path="/run/kubernetes/kube-controller-manager.crt" dev="tmpfs" ino=807426 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.078:7806): avc:  denied  { getattr } for  pid=31179 comm="kube-controller" path="/run/kubernetes/kube-controller-manager.crt" dev="tmpfs" ino=807426 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238937.510:7807): avc:  denied  { write } for  pid=31172 comm="kube-apiserver" name="etcd.socket:2379" dev="dm-1" ino=1329193 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1543238937.510:7808): avc:  denied  { connectto } for  pid=31172 comm="kube-apiserver" path="/var/snap/microk8s/313/etcd.socket:2379" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1543238937.998:7809): avc:  denied  { getattr } for  pid=31185 comm="dockerd" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1543238937.998:7810): avc:  denied  { mounton } for  pid=31185 comm="dockerd" path="/var/snap/microk8s/common/var/lib/docker/overlay2" dev="dm-1" ino=1329046 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543238938.002:7811): avc:  denied  { getattr } for  pid=31185 comm="dockerd" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=31995 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238938.002:7812): avc:  denied  { getattr } for  pid=31185 comm="dockerd" path="/proc/sys/net/bridge" dev="proc" ino=831900 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543238938.988:7814): avc:  denied  { getattr } for  pid=31196 comm="run-with-config" path="/var/snap/microk8s/313/docker.sock" dev="dm-1" ino=1329196 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1543238942.790:7821): avc:  denied  { getattr } for  pid=31213 comm="kube-proxy" path="/proc/31213/net/route" dev="proc" ino=4026532055 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238942.790:7822): avc:  denied  { read } for  pid=31213 comm="kube-proxy" name="route" dev="proc" ino=4026532055 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238942.790:7823): avc:  denied  { open } for  pid=31213 comm="kube-proxy" path="/proc/31213/net/route" dev="proc" ino=4026532055 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238942.791:7824): avc:  denied  { name_connect } for  pid=31172 comm="kube-apiserver" dest=6443 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1543238942.820:7837): avc:  denied  { write } for  pid=31213 comm="kube-proxy" name="cgroup.procs" dev="cgroup" ino=23 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238942.821:7838): avc:  denied  { setsched } for  pid=31213 comm="kube-proxy" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=process permissive=1
type=AVC msg=audit(1543238942.823:7839): avc:  denied  { write } for  pid=31213 comm="kube-proxy" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543238942.823:7840): avc:  denied  { add_name } for  pid=31213 comm="kube-proxy" name="kube-proxy" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543238942.823:7841): avc:  denied  { create } for  pid=31213 comm="kube-proxy" name="kube-proxy" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543238942.823:7842): avc:  denied  { create } for  pid=31213 comm="kube-proxy" name="cgroup.procs" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238942.825:7843): avc:  denied  { write } for  pid=31213 comm="kube-proxy" name="nf_conntrack_max" dev="proc" ino=799633 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1

I'm now running on a freshly installed Fedora 29 box.

@ktsakalozos
Member

Thank you @akaihola ,

How do you tell SELinux to allow these operations? I guess I have to do some reading.

@akaihola
Contributor Author

@ktsakalozos, I can't answer that without studying a bit either. I could check if we have more experienced SELinux users at work.

@akaihola
Contributor Author

akaihola commented Nov 28, 2018

It sounds to me like Fedora isn't a first-class citizen distro for Snap. Searching for selinux on the Snapcraft forum found several threads that are probably related.

@akaihola
Contributor Author

I ran this command:

audit2allow -M microk8s

and pasted in the lines from audit.log (see my long comment above). It created for me the files microk8s.pp and microk8s.te. The contents of microk8s.te are:

module mypol 1.0;

require {
	type insmod_exec_t;
	type var_run_t;
	type snappy_var_t;
	type proc_net_t;
	type modules_object_t;
	type fs_t;
	type cgroup_t;
	type unlabeled_t;
	type http_cache_port_t;
	type snappy_t;
	type sysctl_net_t;
	type unreserved_port_t;
	class file { create execute execute_no_trans getattr ioctl map open read write };
	class sock_file { getattr setattr unlink write };
	class dir { add_name create getattr mounton write };
	class capability sys_resource;
	class unix_stream_socket connectto;
	class process setsched;
	class tcp_socket { name_bind name_connect };
	class filesystem getattr;
}

#============= snappy_t ==============
allow snappy_t cgroup_t:dir { add_name create write };
allow snappy_t cgroup_t:file { create write };
allow snappy_t fs_t:filesystem getattr;
allow snappy_t http_cache_port_t:tcp_socket name_bind;
allow snappy_t insmod_exec_t:file { execute execute_no_trans getattr open read };
allow snappy_t modules_object_t:file { getattr open read };
allow snappy_t proc_net_t:file { getattr open read };
allow snappy_t self:capability sys_resource;
allow snappy_t self:process setsched;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow snappy_t self:unix_stream_socket connectto;
allow snappy_t snappy_var_t:dir mounton;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow snappy_t snappy_var_t:file map;
allow snappy_t snappy_var_t:sock_file { getattr setattr unlink write };
allow snappy_t sysctl_net_t:dir getattr;
allow snappy_t sysctl_net_t:file { getattr write };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow snappy_t unlabeled_t:file map;
allow snappy_t unlabeled_t:file { execute_no_trans ioctl };
allow snappy_t unreserved_port_t:tcp_socket name_connect;
allow snappy_t var_run_t:file { getattr open read };

If I run

sudo semodule -i microk8s.pp

then microk8s works as described in the README.

I hope this is helpful for enabling support for SELinux enabled systems.
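
An added example, not part of the original thread and not audit2allow's own code: a Python script that groups AVC denials like those in the excerpt above into allow rules the way the posted microk8s.te does, and marks the rules a reviewer would want to examine before running semodule -i. The function names and the review criteria are assumptions of this example; the sample records are taken from the excerpt in this thread with fields dropped.

```python
import re
from collections import defaultdict

# Constructed sample: records from the audit.log excerpt in this thread with the
# pid/dev/ino fields dropped, plus one non-AVC record that must be skipped.
SAMPLE_LOG = """\
type=SERVICE_START msg=audit(1543238936.939:7760): pid=1 uid=0 msg='unit=snap.microk8s.daemon-docker res=success'
type=AVC msg=audit(1543238936.953:7767): avc:  denied  { execute_no_trans } for  comm="snap-exec" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238936.955:7770): avc:  denied  { ioctl } for  comm="command-daemon-" ioctlcmd=0x5401 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543238936.995:7780): avc:  denied  { sys_resource } for  comm="dockerd" capability=24  scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1543238936.995:7781): avc:  denied  { write } for  comm="dockerd" name="docker-containerd.sock" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1543238937.009:7782): avc:  denied  { unlink } for  comm="docker-containe" name="docker-containerd.sock" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1543238937.071:7790): avc:  denied  { read open } for  comm="kube-proxy" path="/usr/bin/kmod" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def collect_rules(log_text):
    """Group AVC denials into {(source, target, class): {permissions}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # not an AVC denial (e.g. SERVICE_START)
            continue
        src = selinux_type(m["src"])
        tgt = selinux_type(m["tgt"])
        # The generated .te writes "self" when a domain acts on itself.
        key = (src, "self" if tgt == src else tgt, m["cls"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def render(key, perms):
    """Format one rule in the syntax used by the .te file."""
    src, tgt, cls = key
    body = " ".join(sorted(perms))
    if len(perms) > 1:
        body = "{ " + body + " }"
    return f"allow {src} {tgt}:{cls} {body};"

def review(rules):
    """Return {rule text: [reasons]} for rules that deserve a second look."""
    findings = {}
    for key, perms in sorted(rules.items()):
        reasons = []
        if key[1] == "unlabeled_t":
            reasons.append("target is unlabeled_t, i.e. any object lacking a valid label")
        if key[2] in ("capability", "capability2"):
            reasons.append("grants a Linux capability to every process in " + key[0])
        if "execute_no_trans" in perms:
            reasons.append("executes the target without leaving the caller's domain")
        if reasons:
            findings[render(key, perms)] = reasons
    return findings

if __name__ == "__main__":
    rules = collect_rules(SAMPLE_LOG)
    flagged = review(rules)
    for key, perms in sorted(rules.items()):
        print(render(key, perms))
        for reason in flagged.get(render(key, perms), []):
            print("    review:", reason)
```

Because every rule's source is snappy_t, loading the module widens that whole domain rather than MicroK8s alone, which is why the flagged rules are worth reading before installation.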

@ktsakalozos
Member

I got some success with the process you describe above @akaihola.

However as soon as the first denials were addressed a few others came up.

@akaihola
Contributor Author

@ktsakalozos, you're right, my list wasn't complete. I'll continue exploring this.

@GregoireW

@ktsakalozos It was great to meet you at the cfgmgmt camp.

On this subject, I was about to extract all rules I added on my computer, but I know it is not a good option as every container we will create will need a new set of rules.

I decided to check how docker / containerd was doing on the subject. They have a pre-defined set of rules inside an rpm (container-selinux). Those are defined in a repo: https://github.com/containers/container-selinux.

My idea was first to try to set the selinux container type on the docker in the snap, but unfortunately I got a small issue: Snaps are read only, so the chcon -t container_runtime_t /snap/microk8s/current/usr/bin/dockerd returns a read only fs error.

Not sure how to test that. It would be cool if installing the snap requires the container-selinux RPM then change the type of docker binaries to the container_runtime_t. It would be cooler if it solves every issue ;)

@ktsakalozos
Member

Nice talking to you face to face @GregoireW .

Indeed the file system with the binaries is read only and I read the labels are filesystem metadata.

I want to see if I can set labels during the build of the snap package. I will have news on this soon.

@stale

stale bot commented Apr 4, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the inactive label Apr 4, 2020
@westurner

Has this changed at all?

k3s has made some progress with SELinux support:

@stale stale bot removed the inactive label Apr 4, 2020
@ktsakalozos
Member

> Has this changed at all?

As MicroK8s is a snap most of the AppArmor and SELinux configuration is taken care of by the underlying snapcraft layer. On the MicroK8s side we are working towards a strictly confined snap that would comply with the snapcraft best practices and will take advantage of all the security enhancements offered.

@stale

stale bot commented Mar 2, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the inactive label Mar 2, 2021
@westurner

These docs may be helpful for implementing SELinux support at the snapcraft layer: "Formally add support for SELinux (Enforced mode)" k3s-io/k3s#1372 (comment)

@stale stale bot removed the inactive label Mar 2, 2021
@stale

stale bot commented Jan 27, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the inactive label Jan 27, 2022
@stale stale bot closed this as completed Nov 23, 2022