fedora 34: create cluster fails with permission denied error on /dev/dma_heap

What happened:

After updating my Fedora Linux to the latest kernel (5.12.8-300.fc34.x86_64) I tried to run kind create cluster and hit this error:

Creating cluster "mgmt" ...
 ✓ Ensuring node image (kindest/node:v1.21.1) 🖼
 ✗ Preparing nodes 📦
ERROR: failed to create cluster: docker run error: command "docker run --hostname mgmt-control-plane --name mgmt-control-plane --label io.x-k8s.kind.role=control-plane --privileged --security-opt seccomp=unconfined --security-opt apparmor=unconfined --tmpfs /tmp --tmpfs /run --volume /var --volume /lib/modules:/lib/modules:ro -e KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER --device /dev/fuse --detach --tty --label io.x-k8s.kind.cluster=mgmt --net kind --restart=on-failure:1 --init=false --volume=/var/run/docker.sock:/var/run/docker.sock --publish=127.0.0.1:40963:6443/TCP -e KUBECONFIG=/etc/kubernetes/admin.conf kindest/node:v1.21.1@sha256:80773e2069dd4a80a4929fdef050c1e463e1d5578c2cd9af3962cfbc230e1500" failed with error: exit status 126
Command Output: 6a36fe59f40c4d4338b75c0b357d0ceb4f789319550fe61196c3f76dbdb8ec3b
docker: Error response from daemon: open /dev/dma_heap: permission denied.

What you expected to happen:

Cluster to be created as normal.

How to reproduce it (as minimally and precisely as possible):

  1. Install Fedora 34
  2. run dnf --refresh upgrade -y to update to latest kernel
  3. run kind create cluster

Anything else we need to know?:
  • kind version: kind v0.12.0-alpha+1188d9bd86afbf go1.16.4 linux/amd64
  • Kubernetes version: 1.21.1
  • Docker version: 20.10.6
  • OS (e.g. from /etc/os-release): Fedora 34
Asked Nov 20 '21 04:11 by elmiko

3 Answers:

So I just ran into this and it looks like the policy was fixed. A relabel/restorecon is needed, however.

All steps as root

Update the package

dnf -y update selinux-policy

Then, before you relabel/restore, you need to set SELinux to permissive

setenforce 0

Now either relabel, or just restore from the updated policy

restorecon -vR /dev/dma_heap

Set SELinux to enforcing

setenforce 1
Answered Jun 11 '21 at 20:08 by christianh814
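As an added example (not code from the issue or from the selinux-policy project), the script below checks whether /dev/dma_heap still carries a label type different from what the loaded policy expects, and runs the restorecon step from the answer above only in that case. It assumes coreutils stat, matchpathcon (policycoreutils) and restorecon as shipped on Fedora 34; the context strings in the comments are constructed samples, not the real labels.

```shell
#!/bin/sh
# Added example, not part of the original issue. Decide whether /dev/dma_heap
# needs a relabel after "dnf update selinux-policy", and apply it only then.

# Extract the type field (third colon-separated field) from a context string
# such as the constructed sample "system_u:object_r:device_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 (true) when the on-disk context differs in type from what the
# policy says the path should carry. Both contexts are passed as arguments so
# the decision can be exercised without a live SELinux system.
needs_relabel() {
    actual_type=$(selinux_type "$1")
    expected_type=$(selinux_type "$2")
    if [ -n "$expected_type" ] && [ "$actual_type" != "$expected_type" ]; then
        return 0
    fi
    return 1
}

# Count AVC denials mentioning dma_heap in audit log text read from stdin;
# useful to confirm the symptom before the fix and its absence afterwards.
count_dma_heap_denials() {
    grep -c 'avc: *denied .*dma_heap' || true
}

# Live check against the running system (requires root). Only invoked when
# the script is called with --apply, so the functions above can be sourced.
check_and_fix_dma_heap() {
    path=/dev/dma_heap
    actual=$(stat -c %C "$path")          # current on-disk context
    expected=$(matchpathcon -n "$path")   # context the loaded policy expects
    if needs_relabel "$actual" "$expected"; then
        echo "$path is $actual, policy expects $expected: relabeling"
        restorecon -v "$path"
    else
        echo "$path already labeled $actual, nothing to do"
    fi
}

case "${1:-}" in
    --apply) check_and_fix_dma_heap ;;
esac
```

Run it as root with --apply after updating selinux-policy; without the flag it only defines the functions.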

FYI https://github.com/fedora-selinux/selinux-policy/pull/763

Answered Jun 14 '21 at 16:24 by tao12345666333

I PR'd the known issue. Once the Fedora 33 backport lands, it should be updated (to tell users to update their SELinux policy).

Answered Jun 29 '21 at 04:49 by dlipovetsky