Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add volume mounting ':Z' label #309

Merged
merged 1 commit into from
Aug 11, 2022
Merged

add volume mounting ':Z' label #309

merged 1 commit into from
Aug 11, 2022

Conversation

dmitris
Copy link
Contributor

@dmitris dmitris commented Aug 10, 2022

PR adds the volume mount :Z option for the docker run (or podman run) command to work properly with SELinux. This is to prevent the following error with the current code:

$ CONTAINER_ENGINE='sudo podman' make tetragon-bpf-container
/bin/sh: docker: command not found
sudo podman rm tetragon-clang || true
a53e97d50c0bd557ddaa234c835d62c5af982415688743fcff30d3022e1c5de4
sudo podman run -v /home/dmitris/dev/hack/gh/cilium/tetragon:/tetragon -u $(id -u) --name tetragon-clang quay.io/cilium/clang:7ea8dd5b610a8864ce7b56e10ffeb61030a0c50e@sha256:02ad7cc1d08d85c027557099b88856945be5124b5c31aeabce326e7983e3913b make -C /tetragon/bpf
make: *** /tetragon/bpf: Permission denied.  Stop.
make: *** [Makefile:71: tetragon-bpf-container] Error 2

sealert shows:

SELinux is preventing /usr/bin/make from read access on the file Makefile.

With the added :Z label, the make command works:

$ CONTAINER_ENGINE='sudo podman' make tetragon-bpf-container
/bin/sh: docker: command not found
sudo podman rm tetragon-clang || true
a2869369ae2a45e08ede410dda2337e4deefe1f4ddf4155e29ae1d89f3a82d8e
sudo podman run -v /home/dmitris/dev/hack/gh/cilium/tetragon:/tetragon:Z -u $(id -u) --name tetragon-clang quay.io/cilium/clang:7ea8dd5b610a8864ce7b56e10ffeb61030a0c50e@sha256:02ad7cc1d08d85c027557099b88856945be5124b5c31aeabce326e7983e3913b make -C /tetragon/bpf
make: Entering directory '/tetragon/bpf'
make: Nothing to be done for 'all'.
make: Leaving directory '/tetragon/bpf'
sudo podman rm tetragon-clang
15110f581bf8c5762686d8516833dd52f192c78a74a4bf3aa723d9dc1717d61f

Credit to @maditya for suggesting to use the :Z label.

@dmitris
add volume mounting ':Z' label
385479b 
Signed-off-by: Dmitry Savintsev <[email protected]>
@dmitris dmitris requested a review from a team as a code owner August 10, 2022 19:31
@dmitris dmitris requested a review from sharlns August 10, 2022 19:31
michi-covalent
michi-covalent approved these changes Aug 11, 2022
View reviewed changes
Copy link
Contributor

@michi-covalent michi-covalent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks! i didn't know about :Z option. just for my own record: https://docs.docker.com/engine/reference/commandline/run/#mount-volumes-from-container---volumes-from

To change the label in the container context, you can add either of two suffixes :z or :Z to the volume mount. These suffixes tell Docker to relabel file objects on the shared volumes. The z option tells Docker that two containers share the volume content. As a result, Docker labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Docker to label the content with a private unshared label. Only the current container can use a private volume.

@michi-covalent
Copy link
Contributor

✅ also tested make tetragon-bpf-container on ubuntu with docker. time to ship.

@michi-covalent michi-covalent merged commit a62f841 into cilium:main Aug 11, 2022
@dmitris dmitris deleted the volume-label branch August 16, 2022 10:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michi-covalent michi-covalent michi-covalent approved these changes

@sharlns sharlns Awaiting requested review from sharlns sharlns is a code owner automatically assigned from cilium/tetragon

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dmitris @michi-covalent