services.setup: Pull Grafana image from docker.io #3388

Merged
merged 3 commits into from
May 24, 2022
10 changes: 8 additions & 2 deletions images/scripts/services.setup
Expand Up @@ -35,6 +35,12 @@ EOF
chmod 755 /root/run-freeipa
/root/run-freeipa

# HACK: Podman fails to relabel symlinks properly, accidentally relabelling their targets instead
# https://github.com/opencontainers/selinux/pull/173
# Disable relabelling for subsequent runs and make SELinux permissive.
sed -i 's/data:Z/data/' /root/run-freeipa
Member

@mvollmer mvollmer May 23, 2022

Without properly labeled files, we need to switch off SELinux entirely.

Member Author

I feel like it shouldn't be necessary. The logic here is that we need to relabel the first time we run it because the empty directory should have the correct label. After that, everything in that directory will have been created by the container itself and shouldn't need relabelling.

At the same time

  • this is the services image
  • this is a workaround for a known bug in the image
  • we have better things to work on

So 👍 to disabling selinux to deal with this.

Member

> The logic here is that we need to relabel the first time we run it because the empty directory should have the correct label.

I have no idea how podman works, but doesn't it need to relabel the inside of a container every time a new one is created?

Member

This is both ugly and error-prone, and also not even necessary any more with disabling SELinux below. I suggest simply dropping the :Z where it writes the script above, and dropping this.

Member

Ah, you want to drop this again at some point when this is fixed, I see.

Member

> also not even necessary any more with disabling SELinux below.

It is, unfortunately. podman crashes regardless of whether SELinux is enabled or not.

sed -i 's/enforcing/permissive/' /etc/selinux/config
Member

FTR, 👍 from me. This has fooled us too many times, and it's completely irrelevant to what we want to test.

Member

Hmm, this is meant to be a "temporary" workaround, and hopefully we can just remove these two lines once the fix to #173 has reached us.


podman logs -f freeipa &
LOGS=$!
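
Review bot: The `sed -i 's/enforcing/permissive/' /etc/selinux/config` line is unanchored, so it rewrites every occurrence of "enforcing" in that file, comment text included, and it makes SELinux permissive for the whole image to work around a labelling problem on one volume. Anchoring the expression to the setting, for example `s/^SELINUX=enforcing/SELINUX=permissive/`, keeps the edit to the one line that matters. The `s/data:Z/data/` edit of /root/run-freeipa also succeeds silently when the pattern is absent, so a `grep -q` check after it would catch a generated script that no longer matches. The HACK comment links the upstream pull request but does not say that both `sed` lines are meant to be removed once that fix arrives; stating that in the comment would make the workaround easier to retire.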

Expand Down Expand Up @@ -197,7 +203,7 @@ podman run -d --rm --name grafana -p 3000:3000 \
-e GF_SECURITY_ADMIN_PASSWORD=foobar \
-e GF_INSTALL_PLUGINS="redis-datasource,performancecopilot-pcp-app=https://github.com/performancecopilot/grafana-pcp/releases/download/${latest_ver}/performancecopilot-pcp-app-${latest_ver#v}.zip" \
-e GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS="performancecopilot-pcp-app,redis-datasource" \
quay.io/bitnami/grafana
docker.io/bitnami/grafana

# wait until set up completed
until curl http://localhost:3000; do sleep 1; done
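
Review bot: `docker.io/bitnami/grafana` carries no tag or digest, so every image build pulls whatever the registry currently serves under the default tag and the result is not reproducible. Since the reference is being changed anyway, consider pinning a tag or an `@sha256:` digest here. The adjacent `GF_INSTALL_PLUGINS` line has the same property: the plugin zip is fetched by URL with no checksum, and `GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS` then allows it to load unsigned.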
Expand All @@ -210,7 +216,7 @@ podman run -d --rm --name grafana -p 3000:3000 \
-v grafana-data-plugins:/opt/bitnami/grafana/data/plugins \
-e GF_SECURITY_ADMIN_PASSWORD=foobar \
-e GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS="performancecopilot-pcp-app,redis-datasource" \
quay.io/bitnami/grafana
docker.io/bitnami/grafana
EOF
chmod 755 /root/run-grafana
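
Review bot: The image reference written into /root/run-grafana has to be kept identical by hand to the one in the setup-time `podman run` above, and this change had to touch both. Defining the reference once, for example in a variable used at both places, would keep the two from drifting apart at the next registry or tag change.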

2 changes: 1 addition & 1 deletion images/services