Merge pull request #117 from andypitcher/el10

feat: add el10 and remove el8 support

Author: andypitcher

.github/workflows/tests.yml

@@ -24,7 +24,7 @@ jobs:
   e2e:
     strategy:
       matrix:
-        distro: [centos8, centos9, fedora42]
+        distro: [centos9, centos10, fedora42]
 
     runs-on: ubuntu-latest
     steps:

Dockerfile

@@ -4,18 +4,7 @@ ARG POLICY
 # to build the SELinux policies and package them as RPM for each
 # of the target platforms.
 
-FROM quay.io/centos/centos:stream8 AS centos8
-
-
-# Stream8 is now EOL and the DNS it relied on for mirror lists
-# (mirrorlist.centos.org), no longer resolves.
-# The adhoc solution is to disable the use of the mirrorlist and default
-# to vault.centos.org instead.
-#
-# https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/
-RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* && \
-        sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
-
+FROM quay.io/centos/centos:stream9 AS centos9
 RUN yum install -y \
         createrepo_c \
         epel-release \
@@ -25,15 +14,16 @@ RUN yum install -y \
         rpm-build \
         rpm-sign
 
-FROM quay.io/centos/centos:stream9 AS centos9
+FROM quay.io/centos/centos:stream10 AS centos10
 RUN yum install -y \
         createrepo_c \
         epel-release \
         container-selinux \
         selinux-policy-devel \
         yum-utils \
         rpm-build \
-        rpm-sign
+        rpm-sign \
+        gnupg2
 
 FROM fedora:42 AS fedora42
 RUN dnf clean all && dnf install -y \

Makefile

@@ -112,12 +112,10 @@ e2e-%:
 	limactl cp hack/e2e/setup-vm.sh $(subst :,/,$*):/tmp/setup-vm.sh
 	limactl shell $(subst :,/,$*) sudo /tmp/setup-vm.sh
 
-	limactl stop $(subst :,/,$*)
-	limactl delete $(subst :,/,$*)
+	limactl delete -f $(subst :,/,$*)
 
 e2e-%-clean:
-	limactl stop $(subst :,/,$*)
-	limactl delete $(subst :,/,$*)
+	limactl delete -f $(subst :,/,$*)
 
 help: ## display Makefile's help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

README.md

@@ -20,8 +20,8 @@ The following Rancher compnents are covered by the policy:
 
 | Operating System      | Version | Supported          | Policy     | E2E                   |
 | :-------------------- | :------ | :----------------- | :--------- | :-------------------- |
-| RHEL/CentOS/Rocky     | 8       | :white_check_mark: | [centos8]  | :white_check_mark:    |
 | RHEL/CentOS/Rocky     | 9       | :white_check_mark: | [centos9]  | :white_check_mark:    |
+| RHEL/CentOS/Rocky     | 10      | :white_check_mark: | [centos10] | :white_check_mark:    |
 | Fedora                | 42      | :white_check_mark: | [fedora42] | :white_check_mark:    |
 | SUSE SLE/Micro        | Stable  | :white_check_mark: | [microos]  | :construction:        |
 
@@ -50,8 +50,8 @@ The following list shows the expected tag to (example) transformation for RPM's
 | v0.2.testing.1 | Clean | `rancher-selinux-0.2-1.el7.noarch.rpm` | Testing ||
 | v0.2.production.1 | Clean | `rancher-selinux-0.2-1.el7.noarch.rpm` | Production ||
 
-[centos8]: https://github.com/rancher/rancher-selinux/tree/main/policy/centos8
 [centos9]: https://github.com/rancher/rancher-selinux/tree/main/policy/centos9
+[centos10]: https://github.com/rancher/rancher-selinux/tree/main/policy/centos10
 [fedora42]: https://github.com/rancher/rancher-selinux/tree/main/policy/fedora42
 [microos]: https://github.com/rancher/rancher-selinux/tree/main/policy/microos
 [fluentbit]: https://github.com/rancher/charts/blob/262597a41a175cfb4785d70fd76b33d56f8c1f95/charts/rancher-logging/106.0.1%2Bup4.10.0-rancher.4/templates/loggings/k3s/daemonset.yaml#L22

hack/e2e/centos10.yaml

@@ -0,0 +1,5 @@
+images:
+- location: https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2
+  arch: x86_64
+- location: https://dl.rockylinux.org/pub/rocky/10/images/aarch64/Rocky-10-GenericCloud-Base.latest.aarch64.qcow2
+  arch: aarch64

hack/e2e/centos8.yaml

@@ -6,11 +6,15 @@ function enforceSELinux(){
     echo "> Check SELinux status"
     # Short circuit if SELinux is not being enforced.
     getenforce | grep -q Enforcing
-    # Remove dontaudits from policy for debugging
+    # Remove dontaudits from policy for debugging.
     sudo semodule -DB
-    # Install container-selinux and selinux-policy latest versions
+    # Install extra kernel modules needed for networking/conntrack (EL10 requirement).
+    # See: https://docs.rke2.io/install/requirements#linux
+    # We target $(uname -r) to ensure modules match the running kernel and avoid a reboot.
+    sudo dnf install "kernel-modules-extra-$(uname -r)" -y
+    # Install container-selinux and selinux-policy latest versions.
     sudo dnf install -y container-selinux selinux-policy --best --allowerasing
-    # Install rancher-selinux policy
+    # Install rancher-selinux policy.
     sudo dnf install -y /tmp/rancher-selinux.rpm
 }
 
@@ -40,13 +44,17 @@ function installDependencies(){
 
 function installRKE2(){
     echo "> Installing RKE2"
-    curl -sfL https://get.rke2.io | sh -
+    # Download the official RKE2 installer script and patch the script to include EL10 in the RPM-based OS detection logic.
+    # This changes '7|8|9)' to '7|8|9|10)' so the script doesn't fall back to a generic tarball install.
+    # TODO: use the default install command once https://github.com/rancher/rke2/pull/9557 is merged.
+    curl -sfL https://get.rke2.io -o install.sh
+    sed -i 's/7|8|9)/7|8|9|10)/g' install.sh && sh install.sh
     systemctl start rke2-server.service
     systemctl enable rke2-server.service
 
     export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
     echo "export KUBECONFIG=/etc/rancher/rke2/rke2.yaml" >> ~/.bashrc
-    # Making the kubeconfig world-readable, as this is for tests purposes only.
+    # Making the kubeconfig world-readable, as this is for test purposes only.
     chmod +r /etc/rancher/rke2/rke2.yaml
 
     kubectl wait --for=create node/$(hostname) --timeout=240s
@@ -70,26 +78,24 @@ function installRancher(){
         --namespace cattle-system \
         --set hostname=rancher.local \
         --set replicas=1 \
-    	--wait
-
-    # Background processes, such as Fleet deployment need to take place, which
-    # may result in intermittent errors. Adding some extra verification,
-    # such as rancher-webhook deployment creation.
+        --wait
 
+    # Background processes, such as Fleet deployment need to take place, which may result in intermittent errors.
+    # Adding some extra verification, such as rancher-webhook deployment creation.
     kubectl wait --for=condition=ready -n cattle-system pod -l app=rancher --timeout=600s
     kubectl wait --for=create -n cattle-system deployment/rancher-webhook --timeout=240s
     kubectl wait --for=condition=ready -n cattle-system pod -l app=rancher-webhook --timeout=240s
 }
 
-# Example: installRancherChart "rancher-monitoring" "cattle-monitoring-system" "rancher-monitoring-prometheus-node-exporter" "app.kubernetes.io/name=prometheus-node-exporter" "--set prometheus.prometheusSpec.maximumStartupDurationSeconds=60"
+# Example: installRancherChart "rancher-monitoring" "cattle-monitoring-system" "rancher-monitoring-prometheus-node-exporter" "app.kubernetes.io/name=prometheus-node-exporter" "--set ...".
 function installRancherChart() {
     local CHART_NAME="$1"
     local NAMESPACE="$2"
     local DAEMONSET_NAME="$3"
     local POD_LABEL_SELECTOR="$4"
-    local EXTRA_HELM_ARGS="${@:5}" # Collect any additional arguments
+    local EXTRA_HELM_ARGS="${@:5}" # Collect any additional arguments.
 
-    # Add Rancher charts repository
+    # Add Rancher charts repository.
     helm repo add rancher-charts https://charts.rancher.io/
 
     echo "> Installing CRD chart ${CHART_NAME}-crd in namespace ${NAMESPACE}"
@@ -108,7 +114,7 @@ function installRancherChart() {
         --set global.seLinux.enabled=true \
         ${EXTRA_HELM_ARGS}
 
-    # Wait for DaemonSet creation and Pod readiness
+    # Wait for DaemonSet creation and Pod readiness.
     kubectl wait --for=create -n "${NAMESPACE}" daemonset/"${DAEMONSET_NAME}" --timeout=240s
     kubectl wait --for=condition=ready -n "${NAMESPACE}" pod -l "${POD_LABEL_SELECTOR}" --timeout=240s
 }
@@ -125,12 +131,12 @@ function uninstallRancherChart() {
     echo "> Deleting namespace ${NAMESPACE}"
     kubectl delete ns "${NAMESPACE}" --timeout=120s
 
-    # Force-reclaim caches to provide a clean memory slate for the next chart test
-    # This was added to help mitigate time-out issues in e2e
+    # Force-reclaim caches to provide a clean memory slate for the next chart test.
+    # This was added to help mitigate time-out issues in e2e.
     sudo sync && echo 3 > /proc/sys/vm/drop_caches
 }
 
-# Example: e2eSELinuxVerification "fluentbit" "fluent-bit" "cattle-logging-system" "rke_logreader_t"
+# Example: e2eSELinuxVerification "fluentbit" "fluent-bit" "cattle-logging-system" "rke_logreader_t".
 function e2eSELinuxVerification(){
     local CONTAINER_NAME="$1"
     local CONTAINER_RUNNING_NAME="$2"
@@ -171,45 +177,42 @@ function main(){
     installRKE2
     installRancher
 
-    # Note: Append this list with new components to install and test the rancher-selinux policy
-    # Value: A space-separated list of arguments:
-    #   Namespace DaemonSet PodLabel ContainerName ContainerRunningName SELinuxType ExtraHelmArgs
+    # Note: Append this list with new components to install and test the rancher-selinux policy.
+    # Value: A space-separated list of arguments: Namespace DaemonSet PodLabel ContainerName ContainerRunningName SELinuxType ExtraHelmArgs.
     declare -A COMPONENTS=(
         [rancher-monitoring]="cattle-monitoring-system rancher-monitoring-prometheus-node-exporter app.kubernetes.io/name=prometheus-node-exporter node-exporter node-exporter prom_node_exporter_t --set prometheus.prometheusSpec.maximumStartupDurationSeconds=60"
         [rancher-logging]="cattle-logging-system rancher-logging-root-fluentbit app.kubernetes.io/name=fluentbit fluentbit fluent-bit rke_logreader_t"
     )
 
     for CHART_NAME in "${!COMPONENTS[@]}"; do
-        # Read the space-separated values into individual variables
+        # Read the space-separated values into individual variables.
         read -r NAMESPACE DAEMONSET_NAME POD_LABEL CONTAINER_NAME CONTAINER_RUNNING_NAME SELINUX_TYPE EXTRA_HELM_ARGS <<< "${COMPONENTS[${CHART_NAME}]}"
 
         echo "> Installing and testing Chart: ${CHART_NAME} in Namespace: ${NAMESPACE} with SELinux type ${SELINUX_TYPE}"
 
-        # 1. Install the chart (passing the collected variables)
+        # 1. Install the chart (passing the collected variables).
         installRancherChart \
             "${CHART_NAME}" \
             "${NAMESPACE}" \
             "${DAEMONSET_NAME}" \
             "${POD_LABEL}" \
             "${EXTRA_HELM_ARGS}"
 
-        # 2. Run E2E SELinux Verification
+        # 2. Run E2E SELinux Verification.
         e2eSELinuxVerification \
             "${CONTAINER_NAME}" \
             "${CONTAINER_RUNNING_NAME}" \
             "${NAMESPACE}" \
             "${SELINUX_TYPE}"
 
-        # 3. Uninstall the chart (free some resources)
+        # 3. Uninstall the chart (free some resources).
         uninstallRancherChart \
             "${CHART_NAME}" \
             "${NAMESPACE}"
     done
 }
 
-# This is needed as Rocky does not include it in the PATH,
-# which is required for the Helm install.
+# Rocky does not include this in the PATH by default, which is required for Helm.
 export PATH=$PATH:/usr/local/bin
 
 main
-

hack/e2e/setup-vm.sh

@@ -52,12 +52,12 @@ function aws_auth()
 function upload_artefacts()
 {
     case "${POLICY}" in
-      "centos8")
-        S3_POLICY_DIR="centos/8"
-        ;;
       "centos9")
         S3_POLICY_DIR="centos/9"
         ;;
+      "centos10")
+        S3_POLICY_DIR="centos/10"
+        ;;
       "fedora42")
         S3_POLICY_DIR="fedora/42"
         ;;

hack/upload

@@ -1,15 +1,15 @@
 # vim: sw=4:ts=4:et
 
-%define selinux_policyver 3.14.3-139
-%define container_policyver 2.229.0-2
+%define selinux_policyver 42.1.7-1
+%define container_policyver 2.244.0-1
 
 %define relabel_files() \
 mkdir -p /var/lib/rancher/rke /etc/kubernetes /opt/rke; \
 restorecon -R /var/lib/rancher /etc/kubernetes /opt/rke;
 
 Name:   rancher-selinux
 Version:	%{rancher_selinux_version}
-Release:	%{rancher_selinux_release}.el8
+Release:	%{rancher_selinux_release}.el10
 Summary:	SELinux policy module for Rancher
 Vendor:     SUSE LLC
 Packager:   SUSE LLC <https://www.suse.com/>