Do not add powercap mask if no paths are masked #20510
Conversation
openshift-ci
bot
added
release-note-none
approved
|
We'll also need this in 4.7.2 @lsm5 |
mheon
force-pushed
the
powercap_2
branch
2 times, most recently
from
aa0d0f9 to
0568cdc
Compare
| @@ -31,6 +31,6 @@ Note: Labeling can be disabled for all <<|pods/>>containers by setting label=fal | |||
| for the possible mount options are specified in the **proc(5)** man page. | |||
|
|
|||
| - **unmask**=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it unmasks all the paths that are masked or made read-only by default. | |||
| The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux**. The default paths that are read-only are **/proc/asound**, **/proc/bus**, **/proc/fs**, **/proc/irq**, **/proc/sys**, **/proc/sysrq-trigger**, **/sys/fs/cgroup**. | |||
| The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux**. The default paths that are read-only are **/proc/asound**, **/proc/bus**, **/proc/fs**, **/proc/irq**, **/proc/sys**, **/proc/sysrq-trigger**, **/sys/fs/cgroup**, **/sys/devices/virtual/powercap**. | |||
There was a problem hiding this comment.
this is not a readonly path, it should go after /sys/fs/selinux in the sentence before.
This solves `--security-opt unmask=ALL` still masking the path. [NO NEW TESTS NEEDED] Can't easily test this as we do not have access to it in CI. Signed-off-by: Matthew Heon <[email protected]>
openshift-ci
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, Luap99, mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cherry-pick v4.7 |
|
@mheon: once the present PR merges, I will cherry-pick it on top of v4.7 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@mheon: #20510 failed to apply on top of branch "v4.7": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Should this be masked in podman build? In buildah, we have Seems like these should be centralized somewhere. |
|
Yeah, it should also be masked in Buildah, Good point. |
|
/cherry-pick v4.7 |
|
@mheon: new pull request created: #20514 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
containers/buildah#5110 for buildah |
|
I am not seeing this masked by default? $ podman run alpine ls /sys/devices/virtual/powercap/ |
|
Works over here. Upstream Podman (4.7.1): My branch, with both Powercap patches: |
|
Partially addresses https://issues.redhat.com/browse/RHEL-12098 and https://issues.redhat.com/browse/RHEL-12097. A vendor of Buildah with the fix is needed to complete the fix. |
github-actions
bot
added
the
locked - please file new issue/PR
This solves
--security-opt unmask=ALLstill masking the path.[NO NEW TESTS NEEDED] Can't easily test this as we do not have access to it in CI.
Does this PR introduce a user-facing change?