[BUG] longhorn-manager /usr/local/sbin/ volume and noexec configuration
lenglet-k opened this issue
Describe the bug
We want to use longhorn on CIS Benchmark Linux servers. In the CIS rules, the /var/ volume must have the noexec option enabled. This volume is propagated by containerd when a container mounts a volume, which is the case for longhorn-manager here.
In my case, longhorn-manager gets a permission denied error because the noexec option is propagated to the container automatically.
My question is: why did you create a volume in longhorn-manager on /usr/local/sbin? is it useful?
To Reproduce
- Create a mountpoint with the noexec option on /var.
- Install Kubernetes and install containerd in /var/lib/containerd.
- Deploy longhorn.
- See the CrashLoopBackOff state.
Expected behavior
Have the possibility to run longhorn-manager on a hardened system from scratch and without errors.
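A quick way to confirm the failure mode described in this issue on a node, before opening a support bundle: resolve which mount covers a path the way the kernel does (longest matching mount point in /proc/mounts) and check whether that mount carries noexec. This is an added example written for this thread, not Longhorn's own code; the mount table below is constructed to mirror a CIS-style layout (noexec on /var, a separate exec-capable mount for /var/lib/longhorn) and is not captured from a real host. Pass no second argument to read the live /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not Longhorn project code.
# Constructed /proc/mounts sample (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/lib/longhorn ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# mount_for_path PATH [MOUNT_TABLE]
# Prints "MOUNTPOINT OPTIONS" for the longest mount point that is a prefix of
# PATH. With no MOUNT_TABLE the live /proc/mounts is read.
mount_for_path() {
  path=$1
  table=${2:-$(cat /proc/mounts)}
  printf '%s\n' "$table" | awk -v p="$path" '
    {
      mp = $2
      # /proc/mounts escapes spaces in mount points as \040; decode before comparing
      gsub(/\\040/, " ", mp)
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > length(best)) { best = mp; opts = $4 }
      }
    }
    END { if (best != "") print best, opts }'
}

# is_noexec PATH [MOUNT_TABLE]
# Exit status 0 when the mount covering PATH has the noexec option.
is_noexec() {
  opts=$(mount_for_path "$1" "$2" | awk '{ print $2 }')
  case ",$opts," in
    *,noexec,*) return 0 ;;
  esac
  return 1
}

# Walk the paths named in this issue against the constructed table.
for p in /var/lib/containerd /var/lib/longhorn /usr/local/sbin; do
  if is_noexec "$p" "$SAMPLE_MOUNTS"; then
    echo "$p: covered by $(mount_for_path "$p" "$SAMPLE_MOUNTS" | awk '{ print $1 }') with noexec; executing binaries here fails with EACCES"
  else
    echo "$p: exec allowed"
  fi
done
```

Run it on the node itself with a real path and no second argument (`is_noexec /var/lib/containerd && echo noexec`) to see what a container whose rootfs or volume lives under /var will inherit; bind mounts and volume mounts keep the flags of the mount they come from, which is exactly why a noexec /var surfaces inside the pod.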
> My question is: why did you create a volume in longhorn-manager on /usr/local/sbin? is it useful?
launch-manager, longhorn-manager and nsmounter are put in /usr/local/sbin. Some utilities such as engine-binaries are in /var/lib/longhorn.
I'm not familiar with CIS benchmark Linux. Can you provide a support bundle for checking what the error is? Thank you.
BTW, @innobead /var/lib/longhorn is a hard-coded path. Do you think we should make it configurable in the future?
Is there a possibility to hide private information with a support bundle? In this state, I can't send you this file with sensitive information.
> Is there a possibility to hide private information with a support bundle? In this state, I can't send you this file with sensitive information.
You can manually hide the private information, or you can send the support bundle to longhorn-support-bundle@suse.com which is only accessible by Longhorn members.
@derekbit I have just sent this file by mail, with anonymized data.
I have also created these PRs:
longhorn/longhorn-engine#1135
longhorn/longhorn-instance-manager#526
And this one was merged yesterday: longhorn/longhorn-manager#2893
Pre Ready-For-Testing Checklist
- Where are the reproduce steps/test steps documented?
  The reproduce steps/test steps are at:
- Verify regression tests all passed
- Does the PR include the explanation for the fix or the feature?
- Has the backend code been merged (Manager, Engine, Instance Manager, BackupStore etc.) (including backport-needed/*)?
  The PR is at longhorn/longhorn-manager#2893
- Which areas/issues might this PR have potential impacts on?
  Area: longhorn-manager
  Issues
Verified pass on longhorn master (longhorn-manager 77ac26, longhorn-engine 004f20, longhorn-instance-manager 4dd756).
From daily regression, did not observe any new outstanding issues.