add container arguments to specify SELinux contexts for mounts #334
Conversation
|
Ah nice, thanks for submitting this. I'll take a look today and hopefully merge. |
|
Hey @rnorth, Do you want me to take care of this PR? |
|
Sorry @bsideup - yes please |
| * Possible contexts for use with SELinux | ||
| */ | ||
| public enum SelinuxContext { | ||
| SHARED(SELContext.shared), SINGLE(SELContext.single), NONE(SELContext.none); |
There was a problem hiding this comment.
Could you please add a new line after every entry?
| public enum SelinuxContext { | ||
| SHARED(SELContext.shared), SINGLE(SELContext.single), NONE(SELContext.none); | ||
|
|
||
| public final SELContext selContext; |
There was a problem hiding this comment.
FYI since we use Lombok, you can remove "public final" and the constructor and just add a single @Value annotation to the class
There was a problem hiding this comment.
oh. my. word. Where has Lombok been all my life? This is amazing.
Although @Value can't be used on an enum. Went for @AllArgsConstructor instead.
| @@ -204,6 +215,15 @@ public void customClasspathResourceMappingTest() throws IOException { | |||
| } | |||
|
|
|||
| @Test | |||
| public void customClasspathResourceMappingWithSelinuxTest() throws IOException { | |||
| // Note: This functionality doesn't work if you are running your build inside a Docker container; | |||
There was a problem hiding this comment.
I think this comment is outdated and should not be used here
| * Map a file on the classpath to a file in the container, and then expose the content for testing. | ||
| */ | ||
| @ClassRule | ||
| public static GenericContainer alpineClasspathResourceSelinx = new GenericContainer("alpine:3.2") |
| public static GenericContainer alpineClasspathResourceSelinx = new GenericContainer("alpine:3.2") | ||
| .withExposedPorts(80) | ||
| .withClasspathResourceMapping("mappable-resource/test-resource.txt", "/content.txt", READ_WRITE, SHARED) | ||
| .withCommand("/bin/sh", "-c", "while true; do cat /content.txt | nc -l -p 80; done"); |
There was a problem hiding this comment.
Would be helpful to test SELinux mode. Right now these new tests will pass even if we drop selinuxContext passing.
There was a problem hiding this comment.
True story. Not sure how I'd actually go about doing that other than inspecting the assigned seLinux type in the running container or on the host machine. Any suggestions as to how I might inspect that? I'm assuming we don't want our test to call 'inspect'...
…and clarity around SELinux
| SINGLE(SELContext.single), | ||
| NONE(SELContext.none); | ||
|
|
||
| public final SELContext selContext; |
There was a problem hiding this comment.
how about private modifier and @Getter on it? We usually use getters instead of fields access :)
| @@ -204,6 +215,12 @@ public void customClasspathResourceMappingTest() throws IOException { | |||
| } | |||
|
|
|||
| @Test | |||
| public void customClasspathResourceMappingWithSelinuxTest() throws IOException { | |||
There was a problem hiding this comment.
I'm not an SELinux expert, but maybe this might help?
https://www.cyberciti.biz/faq/howto-display-selinux-security-context-using-ls/
There was a problem hiding this comment.
Sure, we can get the labeled context on the container (provided we use a beefier image with SELinux utils installed), but I thought the :Z option used some host configs to label it as the correct type. Wouldn't this also require knowledge of some SELinux context on the host to make sure they match? Thought we'd want to avoid having to interrogate/put dependencies on the host.
|
Hi guys, I'm being asked about this on the aforementioned PR ^. Do I need to make some enhancements to the test? I can't really say that I know of a way to do it without introducing host dependencies as that is what determines a shared SELinux context... |
|
Hi @cainj13 I pinged you about a small minor change, but everything else seems fine to me =) |
I wanted to use the :z/Z mount options with SELinux and saw where they were not exposed. Just a small patch that will expose these from the underlying library.