-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default to SELinux private label for play kube mounts #2575
Default to SELinux private label for play kube mounts #2575
Conversation
@ikke-t you can check this out if you want to test, but my logs now spit out some sql server output. |
cmd/podman/play_kube.go
Outdated
@@ -282,7 +282,7 @@ func kubeContainerToCreateConfig(containerYAML v1.Container, runtime *libpod.Run | |||
if err := validateVolumeCtrDir(volume.MountPath); err != nil { | |||
return nil, errors.Wrapf(err, "error in parsing MountPath") | |||
} | |||
containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s", host_path, volume.MountPath)) | |||
containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s:z", host_path, volume.MountPath)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we make appending :z
conditional on SELinux being enabled?
@rhatdan thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mheon honestly I'm not even happy with this solution. The k8s api isn't expressive enough for what we need here (what if a user wants ro). I think I'm going to default to appending :z if the user doesn't specify in the path (<ctr_path>:z) in the yaml. Only way I can think to add the correct permission but also not mess with k8s api...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be handled automatically by the command. The default for volumes is to create them with a shared label.
If I create a volume there is a good chance I will want more then one container to use it.
So no need to pass in the :z. Just when the tool creates the volume it should be labeled correctly.
9ece6c7
to
77f1e6f
Compare
Forgot to remove WIP. This is good to go. PTAL (edit: upon further inspection I have deemed that to be a lie) |
cmd/podman/play_kube.go
Outdated
@@ -282,7 +282,7 @@ func kubeContainerToCreateConfig(containerYAML v1.Container, runtime *libpod.Run | |||
if err := validateVolumeCtrDir(volume.MountPath); err != nil { | |||
return nil, errors.Wrapf(err, "error in parsing MountPath") | |||
} | |||
containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s", host_path, volume.MountPath)) | |||
containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s:z", host_path, volume.MountPath)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be handled automatically by the command. The default for volumes is to create them with a shared label.
If I create a volume there is a good chance I will want more then one container to use it.
So no need to pass in the :z. Just when the tool creates the volume it should be labeled correctly.
cmd/podman/play_kube.go
Outdated
@@ -28,6 +29,7 @@ import ( | |||
const ( | |||
// https://kubernetes.io/docs/concepts/storage/volumes/#hostpath | |||
createDirectoryPermission = 0755 | |||
defaultMountLabel = "z" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not used?
@haircommander Are you going to update this one? |
77f1e6f
to
edad1a0
Compare
@rhatdan so, it turns out I don't think DirectoryOrCreate something we should support right now. We don't have a containers mount label until the container is created, so we'd have to go through all of the volumes a second time and relabel. I think we should do more thinking on the way that DirectoryOrCreate would work, if someone is looking for support for it. |
If a named volume is created then it should be labeled with the shared label. This is what happens when you execute
So if podman play creates a volume it should create it the same way. |
(Last test failures were due to known certificate problem, rebase against latest master and they should run better) |
edad1a0
to
a12a610
Compare
b2fac48
to
c5b64fd
Compare
I record here my latest failure with the mounts: awxweb container can't acces it's exported share. Are the mounts done right by podman?
here you can see the mount points from host side, it's the awx-data what is prevented from acces:
Note how the nextcloud and others have more selinux numbers there, where as the one for awx does not have the same as processes inside containers do have. The yml file for this is here: where you can see how mounts are done. Seems like podman won't create correct labels now for existing dirs. Data was moved from docker backup, that's why they are not empty dirs. |
Please ignore my previous comment. I found the user error with directory permissions. |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: haircommander, mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Code LGTM on my side |
|
||
// LabelVolumePath takes a mount path for a volume and gives it an | ||
// selinux label of either shared or not | ||
func LabelVolumePath(path string, shared bool) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are you passing in shared, and never using it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah was supposed to be using it, fixed
Remove the shared param, and then it LGTM |
c5b64fd
to
043654b
Compare
I opted to actually use it instead. PTAL |
LGTM |
libpod/util_linux.go
Outdated
return errors.Wrapf(err, "error releasing label %q", mountLabel) | ||
} | ||
if err := label.Relabel(path, mountLabel, shared); err != nil { | ||
return errors.Wrapf(err, "error setting selinux label for %s to %q", path, mountLabel) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
might be good to work the shared value into the error here, in case it make a difference.
One suggestion for consideration, tests aren't hip atm. Code LGTM otherwise. |
Tests both seem like flakes, restarting |
cmd/podman/play_kube.go
Outdated
@@ -299,6 +304,9 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container | |||
if err := shared.ValidateVolumeCtrDir(volume.MountPath); err != nil { | |||
return nil, errors.Wrapf(err, "error in parsing MountPath") | |||
} | |||
// At this point, we know the name of tho host and the container path, but we don't know the SElinux MountLabel of the container. | |||
// Therefore, we can't set the permissions of the mount here. Instead, mark the mount as shared (sharedMountPermission), | |||
// and allow libpod to correctly set the permissions once the container is created | |||
containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s", host_path, volume.MountPath)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not seeing sharedMountPermission anywhere here, though?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oof out of date comment
Before, there were SELinux denials when a volume was bind-mounted by podman play kube. Partially fix this by setting the default private label for mounts created by play kube (with DirectoryOrCreate) For volumes mounted as Directory, the user will have to set their own SELinux permissions on the mount point also remove left over debugging print statement Signed-off-by: Peter Hunt <[email protected]>
043654b
to
0d0ad59
Compare
bot, retest this please |
bot, retest this please |
Before, there were SELinux denials when a volume was mounted podman play kube. Fix this by hardcoding a shared label into the Volume.