hack: Add :z to --volume mounts #174
Conversation
hack/test-bazel-build-tarball.sh
docker run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:${PWD}:z" \
--volume /tmp:/tmp:z \
This seems dangerous... You might be relabling something on your local host that another process would be using...
This seems dangerous...
Are you only concerned about the host /tmp? Or are you also concerned about ${PWD}? I expect we can get this working without the /tmp mount, but I don't see a way around the ${PWD} mount.
only /tmp. GDM, X, systemd, and other things put files in /tmp and expect to be able to access them. If we use :z when mounting /tmp we will be relabeling those files and might remove permission for the proper owner to work. We will also be relabeling /tmp itself and messing up the labels that other programs create in /tmp...
${PWD} won't likely be used by (many) other programs in this case. So relabeling seems quite reasonable.
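The pattern the thread converges on, relabel only directories private to this build and never a host directory that other processes share, as an added shell example. This is not code from this PR or from the openshift installer repository; the deny list of shared host directories, the demo paths and the container image name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of openshift/installer or this PR).
# Relabeling a bind mount with :z changes the SELinux context of every file
# under it on the host. That is fine for a checkout nobody else uses, but
# not for /tmp, which systemd, X, GDM and friends rely on. So: refuse to
# relabel shared host directories, and give the container a private
# scratch directory as its /tmp instead.

# Host directories other processes depend on. Hypothetical list chosen for
# this example; extend it for your own hosts.
is_shared_host_dir() {
    case "$1" in
        /|/tmp|/var/tmp|/dev/shm|/run|/home|/var|/usr|/etc) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the --volume options for a hack/-style docker invocation, one per
# line. $1 is the working directory (mounted at the same path, relabeled),
# $2 is a private scratch directory mounted as the container's /tmp.
# Fails without printing anything if either path is a shared host directory.
volume_args() {
    workdir=$1
    scratch=$2
    for d in "$workdir" "$scratch"; do
        if is_shared_host_dir "$d"; then
            echo "refusing to relabel shared host directory: $d" >&2
            return 1
        fi
    done
    printf '%s %s:%s:z\n' --volume "$workdir" "$workdir"
    printf '%s %s:/tmp:z\n' --volume "$scratch"
}

# SELinux context of a path, or "n/a" where SELinux tooling is absent or
# SELinux is disabled (so the function is safe to call on any host).
context_of() {
    if command -v getenforce >/dev/null 2>&1 \
        && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        ls -Zd "$1" 2>/dev/null | awk '{print $1}'
    else
        echo n/a
    fi
}

# Demo: run with "demo" as the first argument on a docker + SELinux host.
# The scratch directory is the only thing that gets relabeled; the host's
# real /tmp keeps its context. Image name is a placeholder assumption.
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/hack-scratch.XXXXXX")
    trap 'rm -rf "$scratch"' EXIT
    echo "host /tmp context:       $(context_of /tmp)"
    echo "scratch context before:  $(context_of "$scratch")"
    # shellcheck disable=SC2046  # paths without whitespace assumed here
    docker run --rm --env IS_CONTAINER=TRUE \
        $(volume_args "$PWD" "$scratch") \
        registry.fedoraproject.org/fedora:29 \
        ls -Zd /tmp "$PWD"
    echo "scratch context after:   $(context_of "$scratch")"
    echo "host /tmp context after: $(context_of /tmp)"
fi
```

On an SELinux host the scratch directory shows up with the `container_file_t` type after the run while `/tmp` keeps `tmp_t`; on hosts without SELinux the context lines read `n/a` and the guard in `volume_args` still prevents a script from relabeling `/tmp` by accident.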
Does the container need some content in /tmp?
Does the container need some content in /tmp?
We may be able to drop the mount, since we didn't have it before. @sallyom, do you remember why you added it?
/retest
/test go-fmt Exercising openshift/release#1283. I think @eparis did this earlier, but now I can't find his comment. And the failure I expect will block this PR, but this PR isn't particularly important.
And here are the
merging #181 should fix gofmt...
I pushed a new commit dropping the
hack/tf-fmt.sh
docker run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:${PWD}:ro,z" \
--volume /tmp:/tmp:z \
Here as well?
Here as well?
Ah, sorry. Fixed with 876f0af -> df614c4.
Like we did in bootkube.sh in 0fa4eb1 (Fix perm errors with selinux enabled, 2018-08-15, openshift#134). This gives us permission to access the mounted volume when SELinux is enabled (docs in [1]).

I've also normalized these invocations for consistency between the various hack/ scripts:

* Adding slash separators to put each option on its own line, excepting the final command being run in the container. This makes the long commands slightly easier to skim. It will also make it easier to track down motivation for an option with 'git blame', because commits touching options on other lines won't clutter the blame.
* Use long-form options (-v -> --volume, etc.). This makes the options a bit more accessible to newcomers, and now that each option is on its own line we have plenty of space.
* Dropped single quotes from 'TRUE'. There are no shell-sensitive characters in TRUE, so there's no need to quote it.
* Use ${PWD} consistently. It's in POSIX [2], so there's no need to execute a pwd process to get this value.
* Drop -t. None of these commands should need a pseudoterminal.
* Drop explicit rw --volume options. They're the default [3].

[1]: https://github.com/containers/libpod/blame/v0.8.3/docs/podman-run.1.md#L628
[2]: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03
[3]: https://github.com/containers/libpod/blame/v0.8.3/docs/podman-run.1.md#L646

Eric points out potential issues with relabeling /tmp [1], which is shared by several system-level consumers. For the Bazel script, the /tmp mount is just since c483f59 (Move bazel build tarball test to prow, 2018-08-08, openshift#117), so we can drop it to return to our previous approach. The Terraform container seems to run fine without /tmp as well, although there's no clear history to point to on this front because we used to use Bazel for this. See b8a9bbc (Remove bazel from test process, 2018-08-01, openshift#97).

[1]: openshift#174 (comment)

PWD is in POSIX [1], so there's no need to execute a pwd process to get this value. This fixes everything found by:

    $ git grep '\(pwd\)'

except for hack/*.sh, which is being addressed by [2]. I'm using $PWD instead of ${PWD} in the module files to avoid them being interpolated [3] on template rendering [4].

[1]: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03
[2]: openshift#174
[3]: https://www.terraform.io/docs/configuration/interpolation.html
[4]: https://www.terraform.io/docs/providers/template/d/file.html
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wking, yifan-gu The full list of commands accepted by this bot can be found here. The pull request process is described here
The e2e-aws error was:
Dunno what's going on there. /retest
The e2e-aws error was:
I'll give things some time to calm down, reap leaked AWS resources from the Prow account, and kick this again after reaping.
/retest Please review the full test history for this PR and help us cut down flakes.