RKE2 installation failed with permission denied error

This document (000021821) is provided subject to the disclaimer at the end of this document.

Environment

RKE2 


Situation

RKE2 deployment or rke2 service startup fails on a hardened Red Hat Linux server. The server is hardened as per the CIS baseline.

The RKE2 installation fails with the following error:

Error loading shared library libreadline.so.8: Permission denied (needed by /usr/bin/entry)
Error relocating /usr/bin/entry: unstifle_history: symbol not found
Error relocating /usr/bin/entry: rl_make_bare_keymap: symbol not found
Error relocating /usr/bin/entry: rl_bind_key_if_unbound_in_map: symbol not found

The etcd error:

failed to verify flags","error":"open /var/lib/rancher/rke2/server/db/etcd/config: permission denied"}

Please note that these library reference names may vary according to the OS variant.

Resolution

The cluster nodes originally had a umask of 027 because of security settings on the operating system. This was changed to umask 022 by adding UMask=022 to the RKE2 systemd service file, which replaced the nonstandard default enforced by the OS hardening policy.

Cause

When the umask value is set to 027, the user has read and write access to files, and read, write, and search permissions for directories. For both files and directories, everyone else (group and others) does not have full access. The group has read-only access to files and read/execute access to directories. Others have no access to files and only have execute access to directories.

For the RKE2 startup, the umask value should be set to 022, as RKE2 creates files that need to be read by other processes or users (e.g., container runtimes, system daemons).
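
As an added illustration (not part of the SUSE article or of RKE2 itself), the shell functions below write the UMask=022 setting as a systemd drop-in, show the file mode a given umask produces, read the umask of a running process, and list paths under a tree that other users cannot read or search. The unit name rke2-server, the drop-in file name 10-umask.conf, and the use of a drop-in instead of editing the unit file directly are assumptions.

```shell
#!/bin/sh
# Added example (not SUSE's own procedure). The unit name rke2-server and the
# drop-in file name 10-umask.conf are assumptions; adjust for agent nodes.

# write_dropin DIR: write a systemd drop-in that sets UMask=022 for the unit.
# Real use: DIR=/etc/systemd/system/rke2-server.service.d, followed by
# `systemctl daemon-reload && systemctl restart rke2-server`.
write_dropin() {
    mkdir -p "$1" || return 1
    printf '[Service]\nUMask=022\n' > "$1/10-umask.conf"
}

# file_mode_under MASK: octal mode of a regular file created under MASK.
file_mode_under() {
    fm_tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$fm_tmp/probe" )
    stat -c '%a' "$fm_tmp/probe"
    rm -rf "$fm_tmp"
}

# proc_umask PID: umask of a running process, read from /proc (Linux 4.7+).
# Real use: proc_umask "$(systemctl show -p MainPID --value rke2-server)"
proc_umask() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status"
}

# audit_tree DIR: print files that "other" cannot read and directories that
# "other" cannot search. A new umask only affects files created afterwards,
# so paths written under 027 keep their old modes. Treat the output as a
# review list: private keys and tokens are meant to stay restricted.
# Real use: audit_tree /var/lib/rancher/rke2
audit_tree() {
    find "$1" \( \( -type f ! -perm -o=r \) -o \( -type d ! -perm -o=x \) \) -print
}
```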

Status

Top Issue

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021821
  • Creation Date: 05-May-2025
  • Modified Date: 15-May-2025
    • SUSE Rancher
