Add el9 selinux rpm

.github/workflows/install.yaml

@@ -30,7 +30,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        vm: [centos-7, rocky-8, fedora, opensuse-leap, ubuntu-focal]
+        vm: [centos-7, rocky-8, rocky-9, fedora, opensuse-leap, ubuntu-focal]
       max-parallel: 2
     defaults:
       run:

install.sh

@@ -518,13 +518,17 @@ setup_selinux() {
         rpm_target=el7
         rpm_site_infix=centos/7
         package_installer=yum
+    elif [ "${VERSION_ID%%.*}" = "8" ] || [ "${VERSION_ID%%.*}" = "37" ]; then
+        rpm_target=el8
+        rpm_site_infix=centos/8
+        package_installer=yum
     elif [ "${ID_LIKE:-}" = coreos ] || [ "${VARIANT_ID:-}" = coreos ]; then
         rpm_target=coreos
         rpm_site_infix=coreos
         package_installer=rpm-ostree
     else
-        rpm_target=el8
-        rpm_site_infix=centos/8
+        rpm_target=el9
+        rpm_site_infix=centos/9
         package_installer=yum
     fi
 
@@ -558,7 +562,7 @@ setup_selinux() {
             $policy_error "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, ${policy_hint}"
         fi
     elif [ ! -f /usr/share/selinux/packages/k3s.pp ]; then
-        if [ -x /usr/sbin/transactional-update ]; then
+        if [ -x /usr/sbin/transactional-update ] || [ "${ID_LIKE:-}" = coreos ] || [ "${VARIANT_ID:-}" = coreos ]; then
             warn "Please reboot your machine to activate the changes and avoid data loss."
         else
             $policy_error "Failed to find the k3s-selinux policy, ${policy_hint}"
@@ -592,9 +596,12 @@ EOF
         sle)
             rpm_installer="zypper --gpg-auto-import-keys"
             if [ "${TRANSACTIONAL_UPDATE=false}" != "true" ] && [ -x /usr/sbin/transactional-update ]; then
+                transactional_update_run="transactional-update --no-selfupdate -d run"
                 rpm_installer="transactional-update --no-selfupdate -d run ${rpm_installer}"
                 : "${INSTALL_K3S_SKIP_START:=true}"
             fi
+            # create the /var/lib/rpm-state in SLE systems to fix the prein selinux macro
+            ${transactional_update_run} mkdir -p /var/lib/rpm-state
             ;;
         coreos)
             rpm_installer="rpm-ostree"
@@ -607,13 +614,41 @@ EOF
         esac
         if [ "${rpm_installer}" = "yum" ] && [ -x /usr/bin/dnf ]; then
             rpm_installer=dnf
+        fi
+	    if rpm -q --quiet k3s-selinux && [ "${3}" == "el9" ]; then 
+            # remove k3s-selinux module in el9 before upgrade to allow container-selinux to upgrade safely
+            if check_available_upgrades container-selinux ${3} && check_available_upgrades k3s-selinux ${3}; then
+                MODULE_PRIORITY=$($SUDO semodule --list=full | grep k3s | cut -f1 -d" ")
+                if [ -n "${MODULE_PRIORITY}" ]; then
+                    $SUDO semodule -X $MODULE_PRIORITY -r k3s || true
+                fi
+            fi
         fi
         # shellcheck disable=SC2086
         $SUDO ${rpm_installer} install -y "k3s-selinux"
     fi
     return
 }
 
+check_available_upgrades() {
+    set +e
+    case ${2} in
+        sle)
+            available_upgrades=$($SUDO zypper -q -t -s 11 se -s -u --type package $1 | tail -n 1 | grep -v "No matching" | awk '{print $3}')
+            ;;
+        coreos)
+            # currently rpm-ostree does not support search functionality https://github.com/coreos/rpm-ostree/issues/1877
+            ;;
+        *)
+            available_upgrades=$($SUDO yum -q --refresh list $1 --upgrades | tail -n 1 | awk '{print $2}')
+            ;;
+    esac
+    set -e
+    if [ -n "${available_upgrades}" ]; then
+        return 0
+    fi
+    return 1
+}
 # --- download and verify k3s ---
 download_and_verify() {
     if can_skip_download_binary; then

tests/install/rocky-9/Vagrantfile

@@ -0,0 +1,114 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+#
+
+ENV['TEST_INSTALL_SH'] ||= '../../../install.sh'
+ENV['INSTALL_K3S_CHANNEL'] ||= 'testing'
+
+Vagrant.configure("2") do |config|
+  config.vagrant.plugins = {
+    'vagrant-k3s' => {:version => '~> 0.1.3'},
+  }
+  config.vm.box = "generic/rocky9"
+  config.vm.boot_timeout = ENV['TEST_VM_BOOT_TIMEOUT'] || 600 # seconds
+  config.vm.synced_folder '.', '/vagrant', disabled: true
+
+  config.vm.define 'install-rocky-9', primary: true do |test|
+    test.vm.hostname = 'smoke'
+    test.vm.provision "disable-firewall", type: "shell", inline: "systemctl stop firewalld"
+    test.vm.provision 'k3s-upload', type: 'file', run: 'always', source: ENV['TEST_INSTALL_SH'], destination: 'install.sh'
+    test.vm.provision 'k3s-install', type: 'k3s', run: 'once' do |k3s|
+      k3s.installer_url = 'file:///home/vagrant/install.sh'
+      k3s.args = %w[server]
+      k3s.env = ENV.select{|k,v| k.start_with?('K3S_') || k.start_with?('INSTALL_K3S_')}.merge({
+        :INSTALL_K3S_NAME => 'server',
+      })
+      k3s.config = <<~YAML
+        selinux: true
+        token: 'vagrant'
+      YAML
+      k3s.config_mode = '0644' # side-step https://github.com/k3s-io/k3s/issues/4321
+    end
+    test.vm.provision "k3s-wait-for-node", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        echo 'Waiting for node to be ready ...'
+        time timeout 300 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done'
+        kubectl get node,all -A -o wide
+      SHELL
+    end
+    test.vm.provision "k3s-wait-for-coredns", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        function describe-coredns {
+          RC=$?
+          if [[ $RC -ne 0 ]]; then
+            kubectl describe node
+            kubectl --namespace kube-system describe pod -l k8s-app=kube-dns
+            kubectl --namespace kube-system logs -l k8s-app=kube-dns
+          fi
+          exit $RC
+        }
+        trap describe-coredns EXIT
+        time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/coredns 2>/dev/null); do sleep 5; done'
+      SHELL
+    end
+    test.vm.provision "k3s-wait-for-local-storage", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/local-path-provisioner 2>/dev/null); do sleep 5; done'
+      SHELL
+    end
+    test.vm.provision "k3s-wait-for-metrics-server", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/metrics-server 2>/dev/null); do sleep 5; done'
+      SHELL
+    end
+    test.vm.provision "k3s-wait-for-traefik", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eu -o pipefail
+        time timeout 300 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/traefik 2>/dev/null); do sleep 5; done'
+      SHELL
+    end
+    test.vm.provision "k3s-status", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eux -o pipefail
+        kubectl get node,all -A -o wide
+      SHELL
+    end
+    test.vm.provision "k3s-procps", type: "shell", run: ENV['CI'] == 'true' ? 'never' : 'once' do |sh|
+      sh.env = { :PATH => "/usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" }
+      sh.inline = <<~SHELL
+        #!/usr/bin/env bash
+        set -eux -o pipefail
+        ps auxZ | grep -E 'k3s|kube|container' | grep -v grep
+      SHELL
+    end
+  end
+
+  config.vm.provision 'selinux-status', type: 'shell', run: 'once', inline: 'sestatus'
+
+  %w[libvirt virtualbox vmware_desktop].each do |p|
+    config.vm.provider p do |v|
+      v.cpus = ENV['TEST_VM_CPUS'] || 2
+      v.memory = ENV['TEST_VM_MEMORY'] || 2048
+    end
+  end
+  config.vm.provider :virtualbox do |v,o|
+    v.gui = false
+    v.check_guest_additions = false
+  end
+end