add no-relabeling option to backupPVC configmap #8288

Merged: 1 commit, Oct 15, 2024

Conversation

sseago (Collaborator) commented Oct 11, 2024

Thank you for contributing to Velero!

Please add a summary of your change

The previous SELinux fix handled podified datamover problems for users who are not setting the readOnly field for their storage class. When the readOnly field is set (needed for ceph shallow copy), SELinux relabeling can't happen, so datamover backup will fail. This fix adds the spc_t SELinux option in cases when users set this field in the backupPVC configmap. This should only be needed for storage classes that are already setting readOnly=true, so a new map key won't be needed, just a new value in the struct.

```json
{
    "backupPVC": {
        "storage-class-1": {
            "readOnly": true,
            "spcNoRelabeling": true
        }
    }
}
```

Does your change fix a particular issue?

Fixes #(issue)

Please indicate you've done the following:

codecov bot commented Oct 11, 2024

Codecov Report

Attention: Patch coverage is 20.00000% with 8 lines in your changes missing coverage. Please review.

Project coverage is 59.19%. Comparing base (b34e011) to head (b1035dd).
Report is 4 commits behind head on main.

Files with missing lines: pkg/exposer/csi_snapshot.go, patch coverage 20.00%, 6 lines missing and 2 partials.

Coverage diff:

```
@@           Coverage Diff           @@
##             main    #8288   +/-   ##
=======================================
  Coverage   59.18%   59.19%           
=======================================
  Files         367      367           
  Lines       30838    30850   +12     
=======================================
+ Hits        18253    18263   +10     
- Misses      11124    11125    +1     
- Partials     1461     1462    +1     
```

Review comment on pkg/exposer/csi_snapshot.go:

```go
if value, exists := csiExposeParam.BackupPVCConfig[csiExposeParam.StorageClass]; exists {
	if value.StorageClass != "" {
		backupPVCStorageClass = value.StorageClass
	}

	backupPVCReadOnly = value.ReadOnly
	spcNoRelabeling = value.SPCNoRelabeling
```
Contributor:

spcNoRelabeling is only required to be set when backupPVCReadOnly=true. However, here we allow users to set it separately.
This would be a security risk strictly speaking, so could we change it to:

```go
if backupPVCReadOnly == true {
	spcNoRelabeling = value.SPCNoRelabeling
}
```

Collaborator:

+1 sounds good, let's just document this behavior explicitly (i.e. the SPCNoRelabeling key would be ignored if backupPVCReadOnly is not set to true).

Collaborator (Author):

OK, I'll do that and update the doc as well.

Collaborator (Author):

@Lyndon-Li Slight modification to your suggestion -- if SPCNoRelabeling is true and backupPVCReadOnly is false, then we log a warning and ignore. Also, docs updated to make it clear that the no relabeling field is ignored if readOnly=false.

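As an added example (not Velero's own code), the decision logic the thread converges on, in Go: parse a backupPVC configmap document like the one in the PR description and resolve the entry for a source storage class into a backup storage class, a readOnly flag and an SELinux type, with spcNoRelabeling honoured only when readOnly is true and otherwise ignored with a warning. The JSON keys are the ones from the PR description; the type and function names (`backupPVCEntry`, `exposeDecision`, `decide`) and the sample configmap body are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// backupPVCEntry mirrors the per-storage-class keys from the PR
// description: an optional override storage class, readOnly, and the
// new spcNoRelabeling flag. Name is an illustrative assumption.
type backupPVCEntry struct {
	StorageClass    string `json:"storageClass,omitempty"`
	ReadOnly        bool   `json:"readOnly,omitempty"`
	SPCNoRelabeling bool   `json:"spcNoRelabeling,omitempty"`
}

// exposeDecision is what a data mover pod builder needs: which storage
// class to use for the backup PVC, whether to mount it read-only, and the
// SELinux type for the pod securityContext ("" means keep the default and
// let the kubelet relabel the volume). Name is an illustrative assumption.
type exposeDecision struct {
	BackupPVCStorageClass string
	ReadOnly              bool
	SELinuxType           string
	Warnings              []string
}

// parseBackupPVCConfig decodes a {"backupPVC": {...}} JSON document.
func parseBackupPVCConfig(raw []byte) (map[string]backupPVCEntry, error) {
	var doc struct {
		BackupPVC map[string]backupPVCEntry `json:"backupPVC"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("decoding backupPVC config: %w", err)
	}
	if doc.BackupPVC == nil {
		return nil, fmt.Errorf("config has no %q key", "backupPVC")
	}
	return doc.BackupPVC, nil
}

// decide applies the rule agreed in the review: spcNoRelabeling only takes
// effect when readOnly is true; set without readOnly it is ignored and a
// warning is recorded instead of silently widening the pod's privileges.
func decide(cfg map[string]backupPVCEntry, sourceStorageClass string) exposeDecision {
	d := exposeDecision{BackupPVCStorageClass: sourceStorageClass}
	entry, ok := cfg[sourceStorageClass]
	if !ok {
		return d // no per-class override: defaults, relabeling allowed
	}
	if entry.StorageClass != "" {
		d.BackupPVCStorageClass = entry.StorageClass
	}
	d.ReadOnly = entry.ReadOnly
	switch {
	case entry.SPCNoRelabeling && d.ReadOnly:
		d.SELinuxType = "spc_t" // read-only mount cannot be relabeled
	case entry.SPCNoRelabeling && !d.ReadOnly:
		d.Warnings = append(d.Warnings, fmt.Sprintf(
			"storage class %q sets spcNoRelabeling without readOnly; ignoring spcNoRelabeling",
			sourceStorageClass))
	}
	return d
}

// sampleConfig is a constructed configmap body for the demo, not real data.
const sampleConfig = `{
  "backupPVC": {
    "storage-class-1": {"readOnly": true, "spcNoRelabeling": true},
    "storage-class-2": {"spcNoRelabeling": true},
    "storage-class-3": {"storageClass": "fast-backup", "readOnly": true}
  }
}`

func main() {
	cfg, err := parseBackupPVCConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, sc := range []string{"storage-class-1", "storage-class-2", "storage-class-3", "unlisted"} {
		d := decide(cfg, sc)
		fmt.Printf("%-16s -> class=%s readOnly=%v selinuxType=%q warnings=%v\n",
			sc, d.BackupPVCStorageClass, d.ReadOnly, d.SELinuxType, d.Warnings)
	}
}
```

spc_t is container-selinux's "super privileged container" type, under which the container process is not confined by SELinux policy; that is why the reviewers wanted it gated behind readOnly=true rather than accepting the flag on its own. The "storage-class-2" entry in the sample shows the ignored-with-warning path.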
shubham-pampattiwar (Collaborator) left a comment:

/lgtm

@Lyndon-Li Lyndon-Li merged commit 34d4f18 into vmware-tanzu:main Oct 15, 2024
44 of 45 checks passed