Conversation

@jlebon jlebon commented Mar 6, 2019

We were previously hitting issues with the final images having an MCS
label. This turned out to be due to the gf-oemid using /tmp within
the container. In the unprivileged path, the whole container filesystem
uses MCS and so the image created there would inherit that label.

Just fix this by making gf-oemid use a tmpdir in the destination path;
we're already in a temporary work directory anyway when calling it from
cmd-build. Staying on the same bind mount also ensures that we're not
copying the image across filesystems (and with reflinks on, even the
first copy is a no-op!), so this should make the build process a bit
faster too.

Finally, this also allows us to drop the call to chcon, which is
problematic for systems without SELinux enabled on the host.
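A worked illustration of the pattern the description above relies on, added here as an example and not taken from coreos-assembler, from the PR, or from its author: a scratch directory created next to the destination instead of under /tmp, a copy that uses reflinks where the filesystem offers them, a same-filesystem check standing in for the "same bind mount" argument, and reading the SELinux context without ever calling chcon. The function names stage_image, fs_dev, same_fs and label_of are hypothetical, as is the fake image file the usage builds.

```shell
#!/bin/sh
# Added example (not coreos-assembler code): stage an image through a scratch
# directory that lives *inside* the destination tree rather than under /tmp,
# so the result keeps the destination's SELinux context and the final rename
# never crosses a filesystem boundary. All function names are hypothetical.

# Device number of the filesystem holding a path (GNU stat, BSD stat fallback).
fs_dev() {
    stat -c %d "$1" 2>/dev/null || stat -f %d "$1"
}

# Succeeds when both paths live on the same filesystem, i.e. a rename between
# them is metadata-only and no cross-device copy of the image data happens.
same_fs() {
    [ "$(fs_dev "$1")" = "$(fs_dev "$2")" ]
}

# SELinux context of a path. GNU stat prints "?" where SELinux is absent; the
# BSD fallback does the same. Read-only, so it is safe on hosts without SELinux.
label_of() {
    stat -c %C "$1" 2>/dev/null || echo '?'
}

# Copy $1 into destination directory $2 through a scratch dir created under $2
# (mktemp -d next to the destination, not in /tmp), then rename into place.
# Prints the final path on success.
stage_image() {
    src=$1; dest=$2
    name=$(basename "$src")
    work=$(mktemp -d "$dest/tmp.XXXXXX") || return 1
    # Refuse to continue if the scratch dir somehow landed on another
    # filesystem (e.g. a tmpfs mounted inside $dest): the rename below would
    # silently turn into a full copy.
    same_fs "$work" "$dest" || { rm -rf "$work"; return 1; }
    # On XFS/btrfs with reflinks this copy just shares blocks; elsewhere it is
    # a plain copy. Fall back for cp implementations without --reflink.
    if ! cp --reflink=auto "$src" "$work/$name" 2>/dev/null; then
        cp "$src" "$work/$name" || { rm -rf "$work"; return 1; }
    fi
    # ... in-place edits to "$work/$name" (e.g. an OEM id) would go here ...
    mv "$work/$name" "$dest/$name" || { rm -rf "$work"; return 1; }
    rmdir "$work"
    printf '%s\n' "$dest/$name"
}
```

Usage: `stage_image build/disk.qcow2 build/out` prints `build/out/disk.qcow2` and leaves no `tmp.*` residue in `build/out`; `label_of build/out/disk.qcow2` then shows the context the file inherited from the destination, which is the whole point of not going through /tmp.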

@cgwalters
Member

Awesome, thanks for tracking this down! Looks like it just needs a shellcheck fix.

@jlebon
Member Author

jlebon commented Mar 6, 2019

Fixed!

@cgwalters cgwalters merged commit 9d3e10b into coreos:master Mar 6, 2019
@jlebon jlebon deleted the pr/no-chcon branch July 6, 2020 20:32