Skip to content

config: use built-in TOML merge and adhere to label setting #5225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 3 commits into from
Feb 19, 2020
Merged

config: use built-in TOML merge and adhere to label setting #5225

openshift-merge-robot merged 3 commits into from
Feb 19, 2020

Conversation

@vrothberg
Copy link
Member

@vrothberg vrothberg commented Feb 17, 2020

Podman did not check the label setting in the libpod.conf and ignored if the libpod.conf set it to false to disable process labels in the container. While working on that, I found a bug in the config-merge code related to a false merging of booleans. To fix that, use the built-in features of the TOML library to merge/extend config instead of manually working around that.

Fixes: #5087

@openshift-ci-robot
Copy link
Collaborator

openshift-ci-robot commented Feb 17, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XL labels Feb 17, 2020
@vrothberg
Copy link
Member Author

vrothberg commented Feb 17, 2020

@mheon @rhatdan PTAL

@rhatdan
Copy link
Member

rhatdan commented Feb 17, 2020

I would rather get in containers.conf, but I have not figured out the last Test failure.
LGTM

TomSweeneyRedHat
TomSweeneyRedHat reviewed Feb 17, 2020
View reviewed changes
libpod/config/config.go Outdated
Copy link
Member

@TomSweeneyRedHat TomSweeneyRedHat Feb 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit interatively -> iteratively

TomSweeneyRedHat
TomSweeneyRedHat reviewed Feb 17, 2020
View reviewed changes
libpod/config/config.go Outdated
Copy link
Member

@TomSweeneyRedHat TomSweeneyRedHat Feb 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should make a backlog jira card to help to remember to remove this.

@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Feb 17, 2020

LGTM

mheon
mheon reviewed Feb 17, 2020
View reviewed changes
@vrothberg
Copy link
Member Author

vrothberg commented Feb 18, 2020

@rhatdan @mheon please take another look. I moved the non-CLI label setting into pkg/spec which to me seems the right place. If you want it somewhere else, please let me know where and I can move it.

@mheon
Copy link
Member

mheon commented Feb 18, 2020

My thinking was mostly that, if I set libpod.conf to disable labelling, we should not use SELinux, no matter where the container originated - so for APIv2 containers, we should not use SELinux even if the remote host requests it.

@vrothberg
Copy link
Member Author

vrothberg commented Feb 18, 2020

My thinking was mostly that, if I set libpod.conf to disable labelling, we should not use SELinux, no matter where the container originated - so for APIv2 containers, we should not use SELinux even if the remote host requests it.

I don't know any other flag where we're doing that as the CLI always (?) wins. Especially in case of booleans we had to distinguish between unset, set and unspecified in the configurations to know if the admin cares and compare that with the CLI but we don't have that.

@mheon
Copy link
Member

mheon commented Feb 18, 2020

I view this less as a default setting for the label flag and more as a configuration bool entirely disabling labelling. I'm not too firm on this, but it might help to have a tiebreaker here. @rhatdan @baude Thoughts?

@rhatdan
Copy link
Member

rhatdan commented Feb 18, 2020

I disagree, I might want to run the bulk of my containers without SELinux separation, but a couple of untrusted ones, I want to run with SELinux.

@rhatdan
Copy link
Member

rhatdan commented Feb 18, 2020

LGTM

@vrothberg
Copy link
Member Author

vrothberg commented Feb 19, 2020

Let me add a commit on top to clarify that in the libpod.conf. The man page is not strictly clear on that and I can understand Matt's idea as well.

@vrothberg
libpod/config: use built-in TOML instead of manually merging
b7b9f8d 
Instead of manually merging the configs, use the built-in features of
TOMP to merge/extend the fields of a data type when encoding a file.
This erases the need for the merge code in libpod/config and also
addresses issues when merging booleans.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
set process labels in pkg/spec
58cbbbc 
Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.

Fixes: containers#5087
Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
libpod.conf: clarify label description
0fcaa93 
Clarify that the label option sets the defaults which can still be
overriden by the CLI.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
Copy link
Member Author

vrothberg commented Feb 19, 2020

Done ✔️

@mheon
Copy link
Member

mheon commented Feb 19, 2020

/lgtm

1 similar comment
@mheon
Copy link
Member

mheon commented Feb 19, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 19, 2020
@openshift-merge-robot openshift-merge-robot merged commit da249e2 into containers:master Feb 19, 2020
This was referenced Feb 19, 2020
Merged
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 25, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 25, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@rhatdan rhatdan rhatdan left review comments

@mheon mheon mheon left review comments

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

@mrunalp mrunalp Awaiting requested review from mrunalp

Assignees

@mheon mheon

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

label option, from libpod.conf, is not being respected.

6 participants

@vrothberg @openshift-ci-robot @rhatdan @TomSweeneyRedHat @mheon @openshift-merge-robot