longhorn / longhorn

Cloud-Native distributed storage built on and for Kubernetes

Home Page:https://longhorn.io


[BUG] longhorn-manager /usr/local/sbin/ volume and noexec configuration

lenglet-k opened this issue · comments

Describe the bug

We want to use longhorn on CIS Benchmark Linux servers. In the CIS rules, the /var/ volume must have the noexec option enabled; this volume is propagated by containerd when a container mounts a volume, which is the case for longhorn-manager here.

In my case, longhorn-manager gets the permission denied error because the noexec option is propagated to the container automatically.


My question is: why did you create a volume in longhorn-manager on /usr/local/sbin? Is it useful?

To Reproduce

  1. Create a mountpoint with the noexec option on /var.
  2. Install Kubernetes and install containerd on /var/lib/containerd.
  3. Deploy longhorn.
  4. See the CrashLoopBackOff state.

Expected behavior

Have the possibility to run longhorn-manager on a hardened system from scratch and without error.
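Added example, not from this issue or the Longhorn project: a small POSIX sh check that shows which host mount backs a given path and whether that mount carries noexec, which is the mechanism behind the permission-denied error reported above. The mount table below is constructed; the function reads /proc/self/mounts when no table is passed.

```shell
#!/bin/sh
# Constructed sample mount table in /proc/self/mounts format (not captured
# from a real host): /var is mounted noexec, /var/lib/longhorn is not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/lib/longhorn ext4 rw,relatime 0 0'

# Usage: noexec_status PATH [MOUNTS_TABLE]
# Prints "noexec <mountpoint>" or "exec <mountpoint>" for the longest
# mount point that is a prefix of PATH. Mount points containing spaces
# appear as \040 in /proc/self/mounts and are not decoded here.
noexec_status() {
    path=$1
    table=${2:-"$(cat /proc/self/mounts)"}
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            mp = $2; opts = $4
            # "/" matches everything; otherwise PATH must equal the mount
            # point or start with it followed by a slash.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; bestopts = opts }
            }
        }
        END {
            if (best == "") exit 2
            n = split(bestopts, a, ",")
            flag = "exec"
            for (i = 1; i <= n; i++) if (a[i] == "noexec") flag = "noexec"
            print flag, best
        }'
}

# Example run against the constructed table: kubelet pod directories
# under /var inherit noexec, /var/lib/longhorn on its own mount does not.
noexec_status /var/lib/kubelet/pods/example "$SAMPLE_MOUNTS"
noexec_status /var/lib/longhorn/engine-binaries "$SAMPLE_MOUNTS"
```

Run it without the second argument on a host to see which mount a real path such as /var/lib/longhorn resolves to.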

My question is: why did you create a volume in longhorn-manager on /usr/local/sbin? Is it useful?

launch-manager, longhorn-manager and nsmounter are put in /usr/local/sbin. Some utilities such as engine-binaries are in /var/lib/longhorn.
I'm not familiar with CIS benchmark Linux. Can you provide a support bundle for checking what the error is? Thank you.

BTW, @innobead /var/lib/longhorn is hard-coded path. Do you think we should make it configurable in the future?

Is there a possibility to hide private information in a support bundle? As it stands, I can't send you this file with sensitive information.

You can manually hide the private information, or you can send the support bundle to longhorn-support-bundle@suse.com which is only accessible by Longhorn members.

@derekbit I have just sent this file by mail, with anonymous data.

I have also created these PRs:

longhorn/longhorn-engine#1135
longhorn/longhorn-instance-manager#526
And this one was merged yesterday: longhorn/longhorn-manager#2893

Pre Ready-For-Testing Checklist

  • Where are the reproduce steps/test steps documented?
    The reproduce steps/test steps are at:

Verify regression test all passed

  • Does the PR include the explanation for the fix or the feature?

  • Has the backend code been merged (Manager, Engine, Instance Manager, BackupStore etc.) (including backport-needed/*)?
    The PR is at

longhorn/longhorn-manager#2893

  • Which areas/issues this PR might have potential impacts on?
    Area: longhorn-manager
    Issues

Verified pass on longhorn master (longhorn-manager 77ac26, longhorn-engine 004f20, longhorn-instance-manager 4dd756).

From daily regression, did not observe any new outstanding issues.