Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

UPSTREAM: 58977: Fix pod sandbox privilege. #18820

Conversation

runcom
Copy link
Member

@runcom runcom commented Mar 3, 2018

Aim to fix the selinux issue we're seeing between cri-o and docker on builds

/cc @bparees @smarterclayton @mrunalp @rhatdan @derekwaynecarr

Signed-off-by: Antonio Murdaca [email protected]

@openshift-ci-robot openshift-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 3, 2018
@openshift-merge-robot openshift-merge-robot added the vendor-update Touching vendor dir or related files label Mar 3, 2018
@@ -302,7 +302,7 @@ func GetContainerSpec(pod *v1.Pod, containerName string) *v1.Container {

// HasPrivilegedContainer returns true if any of the containers in the pod are privileged.
func HasPrivilegedContainer(pod *v1.Pod) bool {
for _, c := range pod.Spec.Containers {
for _, c := range append(pod.Spec.Containers, pod.Spec.InitContainers...) {
Copy link
Contributor

@bparees bparees Mar 3, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change seems necessary but I don't think the container where we're seeing the rejection in the bug is an init container(we do have privileged init containers in our build pods but they only come into play in certain circumstances), so i'm uncertain this will actually fix the issue we're seeing.

https://github.com/openshift/origin/blob/master/pkg/build/controller/strategy/sti.go#L73-L177

Basically we use privileged init containers to pull images if you have an "image source input" in your build.

the build in bug https://bugzilla.redhat.com/show_bug.cgi?id=1550015 would not be doing that:
oc new-app --template=nodejs-mongo-persistent

so i think it is failing in the main container, as defined here:
https://github.com/openshift/origin/blob/master/pkg/build/controller/strategy/sti.go#L81-L101

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also since our main container is always privileged, this change wouldn't have any effect on whether this function returns true or false for our pods (it would have returned true before, and it will still return true)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah that's the one we see failing. Need to debug why the privileged isn't taking effect.

@mrunalp
Copy link
Member

mrunalp commented Mar 3, 2018 via email

@derekwaynecarr
Copy link
Member

the root cause for the build failure was identified and was unrelated to this change. the issue was related to our moving docker storage on crio nodes under /var/lib/containers and selinux labeling was wrong.

either way, this is still a useful fix to have.

@derekwaynecarr
Copy link
Member

/approve
/lgtm
/test unit
/test end_to_end

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 6, 2018
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, runcom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 6, 2018
@derekwaynecarr derekwaynecarr added this to the 3.9.0 milestone Mar 6, 2018
@eparis eparis added kind/bug Categorizes issue or PR as related to a bug. queue/fix labels Mar 7, 2018
@openshift-merge-robot
Copy link
Contributor

/test all [submit-queue is verifying that this PR is safe to merge]

@eparis eparis modified the milestones: v3.9, 3.7.0, v3.10 Mar 7, 2018
@openshift-merge-robot
Copy link
Contributor

Automatic merge from submit-queue.

@openshift-merge-robot openshift-merge-robot merged commit d1947e4 into openshift:release-3.9 Mar 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. queue/fix size/S Denotes a PR that changes 10-29 lines, ignoring generated files. vendor-update Touching vendor dir or related files
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants