RKE2 with CIS-1.6 failing on Flatcar OS

[hwaastad]

Environmental Info:
RKE2 Version:
RKE2 v1.21.9+rke2r1

Node(s) CPU architecture, OS, and Version:
Linux docker-ingress 5.10.96-flatcar #1 SMP Thu Feb 3 20:00:07 -00 2022 x86_64 Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz GenuineIntel GNU/Linux

Describe the bug:
Trying to enable CIS-1.6 profile on flatcar fails in finding etcd group/user

Steps To Reproduce:
Enable CIS-1.6 profile on a cluster of FlatCar OS. etcd will not start due to missing group

Expected behavior:
etcd exists on OS and etcd should start

Did a simple test on OS, similar to:

rke2/pkg/cli/cmds/root.go

Line 251 in cc949dd

if _, err := user.LookupGroup("etcd"); err != nil {

package main

import "fmt"
import "os/user"

func main(){
        fmt.Println("Hello world")
        if _, err := user.Lookup("etcd"); err != nil {
                fmt.Println("Missing etcd user")
        } else {
                fmt.Println("Found etcd user")
        }
        if _, err := user.LookupGroup("etcd"); err != nil {
                fmt.Println("missing etcd group")
        } else {
                fmt.Println("Found etcd Group")
        }
        fmt.Println(user.Lookup("etcd"))
        fmt.Println(user.LookupGroup("etcd"))
}

and output is:

Hello world
Found etcd user
Found etcd Group
&{232 232 etcd  /dev/null} <nil>
&{232 etcd} <nil>

So maybe there is another place that this check is done?

br hw

[briandowns]

At the moment, Flatcar isn't part of our support matrix. https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/rancher-v2-6-3/

Is there any chance you'd be able to use one of the supported operating systems?

We may be able to set aside some time to investigate further but using one of the supported OS's will probably get you up and running faster.

[hwaastad]

@briandowns thanks for your reply.
Currently It works if I manually add entries to /etc/passwd and /etcd/group.

I have on my roadmap intentions to try out Micro 😃

/hw

[brandond]

Where are the users and groups stored, if not in /etc/passwd and /etc/group?

[hwaastad]

I think, the /etc/nsswitch.conf has a usrfiles extension:

passwd:      files usrfiles sss systemd
shadow:      files usrfiles sss
group:       files usrfiles sss systemd

And by looking at:
https://github.com/flatcar-linux/coreos-overlay/blob/main/sys-libs/nss-usrfiles/nss-usrfiles-9999.ebuild
the additional files are located under: /usr/share/baselayout.
And /usr is immutable.

It actually seems similar to the way kubic is doing it (/usr/etc)

[ErikLundJensen]

@hwaastad Do you want to share your Flatcar+RKE2 setup with us? ( Ignition configuration and if you use ebuild to add RKE2 binary )

[hwaastad]

@hwaastad Do you want to share your Flatcar+RKE2 setup with us? ( Ignition configuration and if you use ebuild to add RKE2 binary )

Hi @ErikLundJensen , no particular configuration. currently we only add etcd user/group in etc/passwd and etc/group in a rancher install service running on first boot. Its not a good solution but it's running anyhow.
In our setup we're running rancher as cluster manager so everything is managed by rancher, inc cluster setup. Adding binaries and such without, I'd probably use something similar to forklift (without investigating too much)

[caroline-suse-rancher]

Converting this to a discussion since this isn't currently a supported OS