docker: fix delimiter for selinux label for read-only volumes #23750
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tgross
force-pushed
the
selinux-label-docker-vols
branch
from
629c4b8
to
cebf14a
Compare
tgross
added
backport/ent/1.6.x+ent
tgross
force-pushed
the
selinux-label-docker-vols
branch
from
7a7169d
to
f51ae9b
Compare
tgross
force-pushed
the
selinux-label-docker-vols
branch
2 times, most recently
from
91dc067
to
e57e7ba
Compare
tgross
force-pushed
the
selinux-label-docker-vols
branch
from
e57e7ba
to
1be928f
Compare
tgross
force-pushed
the
selinux-label-docker-vols
branch
from
1be928f
to
f0419f6
Compare
|
Tested end-to-end on Amazon Linux (which has SELinux) with the following agent configuration: agent.hclbind_addr = "0.0.0.0"
enable_debug = true
log_level = "debug"
data_dir = "/var/run/nomad"
server {
enabled = true
}
client {
enabled = true
}
plugin "docker" {
config {
allow_privileged = true
volumes {
enabled = true
selinuxlabel = "z"
}
gc {
image = false
}
}
}and the following jobspec: example.nomad.hcljob "example" {
group "group" {
task "task" {
driver = "docker"
config {
image = "busybox:1"
command = "httpd"
args = ["-vv", "-f", "-p", "8001", "-h", "/local"]
volumes = ["/etc/ssl/certs:/etc/ssl/certs:ro"]
}
resources {
cpu = 50
memory = 50
}
}
}
}Logs from the client:
And resulting mounts on the Docker container: |
tgross
force-pushed
the
selinux-label-docker-vols
branch
from
f0419f6
to
9e9610c
Compare
The Docker driver's `volume` field to specify bind-mounts takes a list of strings that consist of three `:`-delimited fields: source, destination, and options. We append the SELinux label from the plugin configuration as the third field. But when the user has already specified the volume is read-only with `:ro`, we're incorrectly appending the SELinux label with another `:` instead of the required `,`. Combine the options into a single field value before appending them to the bind mounts configuration. Updated the tests to split out Windows behavior (which doesn't accept options) and to ensure the test task has the expected environment for bind mounts. Fixes: #23690
tgross
force-pushed
the
selinux-label-docker-vols
branch
from
9e9610c
to
c75ea1d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Docker driver's
volumefield to specify bind-mounts takes a list of strings that consist of three:-delimited fields: source, destination, and options. We append the SELinux label from the plugin configuration as the third field. But when the user has already specified the volume is read-only with:ro, we're incorrectly appending the SELinux label with another:instead of the required,.Combine the options into a single field value before appending them to the bind mounts configuration. Updated the tests to split out Windows behavior (which has a different volume specification format) and to ensure the test task has the expected environment for bind mounts.
Fixes: #23690