Skip to content

Podman Fails on macOS due to SELinux Labels #756

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
4 of 11 tasks
Alexhuszagh opened this issue Jun 5, 2022 · 7 comments · Fixed by #1260
Closed
4 of 11 tasks

Podman Fails on macOS due to SELinux Labels #756

Alexhuszagh opened this issue Jun 5, 2022 · 7 comments · Fixed by #1260
Labels
A-container-engine Area: container engines A-macos-host Area: macos hosts A-podman Area: podman container engine bug upstream

Comments

@Alexhuszagh
Copy link
Contributor

Alexhuszagh commented Jun 5, 2022
edited
Loading

Checklist

Describe your issue

Related to containers/podman#13631

This bug has likely been around a long time, and reproduces on any tested cross version. Removing the SELinux labels works. You can create a simple test case with:

podman run -it --rm -v "$PWD"/target:/target:Z ubuntu:20.04 bash

And this will fail with the described error.

What target(s) are you cross-compiling for?

other (specify in description)

Which operating system is the host (e.g computer cross is on) running?

  • macOS
  • Windows
  • Linux / BSD
  • other OS (specify in description)

What architecture is the host?

  • x86_64 / AMD64
  • arm32
  • arm64 (including Mac M1)

What container engine is cross using?

  • docker
  • podman
  • other container engine (specify in description)

cross version

latest main build

Example

cargo install cross --git https://github.com/cross-rs/cross
git clone https://github.com/cross-rs/rust-cpp-hello-word
cd rust-cpp-hello-word
cross run --target ... # any target

Which produces an error of error preparing container $(ID) for attach: lsetxattr $(PATH): operation not supported.

Additional information / notes

It seems this is podman specific due to the description below. Basically, on macOS and with Podman, remove the SELinux labels.
@Alexhuszagh Alexhuszagh added bug A-container-engine Area: container engines labels Jun 5, 2022
@Alexhuszagh Alexhuszagh mentioned this issue Jun 5, 2022
Merged
Alexhuszagh added a commit to Alexhuszagh/cross that referenced this issue Jun 5, 2022
@Alexhuszagh
Remove SELinux labels when using macOS and podman.
da65450 
Currently, podman does not support SELinux labels due to how they mount volumes. This causes the build to fail, with `lsetxattr` being unsupported.

The relevant podman issue is [here](containers/podman#13631), and the description of the issue and volume mounts is [here](containers/podman#13631 (comment)).

Closes cross-rs#756.
Alexhuszagh added a commit to Alexhuszagh/cross that referenced this issue Jun 5, 2022
@Alexhuszagh
Remove SELinux labels when using macOS and podman.
3e2ec8a 
Currently, podman does not support SELinux labels due to how they mount volumes. This causes the build to fail, with `lsetxattr` being unsupported.

The relevant podman issue is [here](containers/podman#13631), and the description of the issue and volume mounts is [here](containers/podman#13631 (comment)).

Closes cross-rs#756.
@Alexhuszagh
Copy link
Contributor Author

It looks like Podman's going to require substantial more work on macOS, and I'm not going to prioritize this right now. When I try to build with a cross built from @Alexhuszagh:cross/selinux, I get the following error:

sh: 1: cargo: Network dropped connection on reset.

@Alexhuszagh
Copy link
Contributor Author

Alexhuszagh commented Jun 5, 2022
edited
Loading

This other issue seems to be containers/podman#14142, which is the network being dropped in podman if run from a binary mounted from the host (IE, cargo in all our examples), except I'm running on a x86_64 host with an x86_64 image. There might be a way to do bind mount options for this.

@Alexhuszagh Alexhuszagh mentioned this issue Jun 6, 2022
Open
11 tasks
This was referenced Jul 1, 2022
Closed
Closed
@Alexhuszagh Alexhuszagh added A-podman Area: podman container engine A-macos-host Area: macos hosts labels Nov 6, 2022
@oherrala
Copy link
Contributor

oherrala commented May 9, 2023

I've hit this issue (macOS 12.6, podman 4.5.0, arm64). Is there anything I could help with getting this fixed?

I see one obstacle mentioned (#756 (comment)) has been fixed: containers/podman#14142

@Emilgardis
Copy link
Member

I think the only realistic fix for this for us is to drop the labels when the bug/limitation would happen. i.e on macos and using podman

@oherrala
Copy link
Contributor

I think the only realistic fix for this for us is to drop the labels when the bug/limitation would happen. i.e on macos and using podman

@Emilgardis There's a patch (Alexhuszagh@3e2ec8a) which seems to do exactly that.

@oherrala oherrala mentioned this issue May 17, 2023
Merged
@bors bors bot closed this as completed in b7f7ace May 18, 2023
@NickGeek
Copy link

I see this was closed but I'm still running into it. Is there a regression or was a fix not merged?

@Emilgardis
Copy link
Member

@NickGeek #1260 is only on the main branch, it hasnt been released to crates.io yet. Install from the main branch with cargo install cross --git https://github.com/cross-rs/cross

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-container-engine Area: container engines A-macos-host Area: macos hosts A-podman Area: podman container engine bug upstream
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Podman doesn't support SELinux labels oherrala/cross
4 participants
@oherrala @Emilgardis @NickGeek @Alexhuszagh