services.setup: Pull Grafana image from docker.io #3388
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -35,6 +35,12 @@ EOF | |
chmod 755 /root/run-freeipa | ||
/root/run-freeipa | ||
|
||
# HACK: Podman fails to relabel symlinks properly, accidentally relabelling their targets instead | ||
# https://github.com/opencontainers/selinux/pull/173 | ||
# Disable relabelling for subsequent runs and make SELinux permissive. | ||
sed -i 's/data:Z/data/' /root/run-freeipa | ||
This is both ugly and error-prone, and also not even necessary any more with disabling SELinux below. I suggest to simply drop the

Ah, you want to drop this again at some point when this is fixed, I see.

It is, unfortunately. podman crashes regardless of whether SELinux is enabled or not.
||
sed -i 's/enforcing/permissive/' /etc/selinux/config | ||
FTR, 👍 from me. This has fooled us too many times, and it's completely irrelevant to what we want to test.

Hmm, this is meant to be a "temporary" workaround, and hopefully we can just remove these two lines once the fix to #173 has reached us.
||
|
||
podman logs -f freeipa & | ||
LOGS=$! | ||
|
||
|
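Review bot: the `sed -i 's/enforcing/permissive/' /etc/selinux/config` line at the end of the added block is unanchored, so it also rewrites the word in the explanatory comments of that file, and it only changes the mode for the next boot; nothing in the visible lines switches the running system. Suggest matching the setting itself, `s/^SELINUX=enforcing/SELINUX=permissive/`, and adding `setenforce 0` if the later podman runs happen before a reboot. The `s/data:Z/data/` edit of /root/run-freeipa has a related weakness: sed exits 0 when nothing matches, so if the volume option in the generated script ever changes, the workaround silently stops applying; a `grep -q` check after the edit would catch that. Since turning the whole image permissive is broader than the symlink relabelling bug it works around, the HACK comment could state that both sed lines are to be removed once the linked fix is available.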
Without properly labeled files, we need to switch off SELinux entirely.

I feel like it shouldn't be necessary. The logic here is that we need to relabel the first time we run it because the empty directory should have the correct label. After that, everything in that directory will have been created by the container itself and shouldn't need relabelling.
At the same time
So 👍 to disabling selinux to deal with this.

I have no idea how podman works, but doesn't it need to relabel the inside of a container every time a new one is created?