RKE2 installation failed with permission denied error
This document (000021821) is provided subject to the disclaimer at the end of this document.
Environment
RKE2
Situation
RKE2 deployment or rke2 service startup fails on a hardened Red Hat Linux server. The server is hardened according to the CIS baseline.
The RKE2 installation fails with the following error:
Error loading shared library libreadline.so.8: Permission denied (needed by /usr/bin/entry)
Error relocating /usr/bin/entry: unstifle_history: symbol not found
Error relocating /usr/bin/entry: rl_make_bare_keymap: symbol not found
Error relocating /usr/bin/entry: rl_bind_key_if_unbound_in_map: symbol not found
The etcd error:
failed to verify flags","error":"open /var/lib/rancher/rke2/server/db/etcd/config: permission denied"}
Please note that these library reference names may vary according to the OS variant.
Resolution
The cluster nodes originally had a umask of 027 because of security settings on the operating system. Later, this was changed to umask 022 by adding UMask=022 to the RKE2 systemd service file, which replaced the nonstandard default enforced by the OS hardening policy.
Cause
When the umask value is set to 027, the user has read and write access to files, and read, write, and search permissions for directories. For both files and directories, everyone else (group and others) does not have full access. The group has read-only access to files and read/execute access to directories. Others have no access to files and only have execute access to directories.
For RKE2 to start, the umask value should be set to 022, because RKE2 creates files that need to be read by other processes or users (e.g., container runtimes, system daemons).
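The following script is an added example, not part of the original article or of RKE2. It creates a scratch tree under each umask and reports the resulting modes and how many entries a process outside the owner and group cannot use. The function names are hypothetical, the tree is constructed (it only mirrors the relative path from the etcd error), and GNU stat and find are assumed.

```shell
#!/usr/bin/env bash
# Added example: compare what a process creates under umask 027 and 022,
# using a throwaway directory. Assumes GNU stat/find (Red Hat Linux).

# make_tree MASK ROOT: build a constructed tree mirroring the relative path
# from the etcd error (server/db/etcd/config) under the given umask.
make_tree() {
    ( umask "$1" && mkdir -p "$2/server/db/etcd" && : > "$2/server/db/etcd/config" )
}

# modes_under_umask MASK: print "<file mode> <directory mode>".
modes_under_umask() {
    local root
    root=$(mktemp -d) || return 1
    make_tree "$1" "$root" || { rm -rf "$root"; return 1; }
    printf '%s %s\n' "$(stat -c %a "$root/server/db/etcd/config")" \
                     "$(stat -c %a "$root/server/db/etcd")"
    rm -rf "$root"
}

# blocked_for_other MASK: count created entries that a process outside the
# owner and group cannot use (files without o+r, directories without o+rx).
blocked_for_other() {
    local root n
    root=$(mktemp -d) || return 1
    make_tree "$1" "$root" || { rm -rf "$root"; return 1; }
    n=$(find "$root" -mindepth 1 \( -type f ! -perm -004 -o -type d ! -perm -005 \) | wc -l)
    rm -rf "$root"
    printf '%s\n' "$((n))"
}

for mask in 027 022; do
    echo "umask $mask: modes $(modes_under_umask "$mask"), blocked entries $(blocked_for_other "$mask")"
done
```

After adding UMask=022 to the service file, `systemctl show -p UMask` on the RKE2 unit (rke2-server or rke2-agent) reports the value systemd applies to the service.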
Status
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021821
- Creation Date: 05-May-2025
- Modified Date: 15-May-2025
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com