Conversation

@bitoku
Contributor

@bitoku bitoku commented Dec 16, 2025

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

It decouples the selinux code and the mount code, and decouples some unrelated code.
It also removes some arguments which should be the same as ctr.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

None

Summary by CodeRabbit

  • Refactor
    • Reorganized container mount and initialization flow for clearer behavior and maintainability.
  • Bug Fixes / Reliability
    • Improved error handling during container setup for more reliable container creation.
    • Ensured host-network choices are applied earlier to mounts and setup.
  • Platform behavior
    • Systemd-related mount handling is performed only when applicable (no-op on unsupported platforms).


@bitoku bitoku requested a review from mrunalp as a code owner December 16, 2025 15:58
@openshift-ci openshift-ci bot added labels Dec 16, 2025: release-note-none (Denotes a PR that doesn't merit a release note), dco-signoff: yes (Indicates the PR's author has DCO signed all their commits), kind/cleanup (Categorizes issue or PR as related to cleaning up code, process, or technical debt).
@coderabbitai

coderabbitai bot commented Dec 16, 2025

Walkthrough

SELinux label configuration now returns errors and is propagated; host-network decision is computed earlier; mount setup split into base and container-specific functions with updated signatures; systemd mount setup renamed to setupSystemdMounts and reads mounts from the generator pointer.

Changes

Cohort / File(s): SELinux & mount orchestration
  server/container_create.go
  Change summary: configureSELinuxLabels now returns (mountLabel, processLabel string, maybeRelabel, skipRelabel bool, err error) and callers propagate errors; host network (hostNet) is derived earlier and passed into mount setup; removed setupContainerMountsAndSystemd, added setupBaseContainerMounts(ctr, sb, containerConfig, mountLabel, hostNet); setupContainerMounts signature simplified to remove processLabel and now returns error; call sites adjusted.

Cohort / File(s): Container mount logic (Linux core)
  server/container_create_linux.go
  Change summary: setupSystemd renamed to setupSystemdMounts and signature changed from func setupSystemd(mounts []rspec.Mount, g generate.Generator) to func setupSystemdMounts(g *generate.Generator); function now obtains mounts via g.Mounts() and accepts generator by pointer.

Cohort / File(s): Container mount logic (FreeBSD)
  server/container_create_freebsd.go
  Change summary: setupSystemd → setupSystemdMounts(g *generate.Generator); function converted to a no-op with a comment that systemd is not supported on FreeBSD.

Sequence Diagram(s)

```mermaid
sequenceDiagram
participant API as Client/API
participant S as Server
participant SB as Sandbox
participant C as Container
participant G as Generator
participant SEL as SELinux subsystem
API->>S: Create container request
S->>SB: load sandbox & securityContext
S->>SEL: configureSELinuxLabels(ctr,sb,containerInfo)
SEL-->>S: mountLabel, processLabel, maybeRelabel, skipRelabel, err
alt err
S-->>API: return error
else
S->>S: derive hostNet from securityContext
S->>C: setupBaseContainerMounts(ctr,sb,containerConfig,mountLabel,hostNet)
S->>C: setupContainerMounts(ctr,sb,containerInfo,ids,mountPoint,mountLabel,ociMounts,volumeMounts)
C->>G: prepare spec (generator)
S->>G: setupSystemdMounts(g)
S-->>API: container created / started
end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Pay attention to SELinux error propagation and handling in server/container_create.go.
  • Verify correct use and propagation of hostNet into mount setup.
  • Review setupBaseContainerMounts vs setupContainerMounts responsibilities and relabel logic.
  • Confirm setupSystemdMounts obtains mounts correctly on Linux and FreeBSD no-op is intentional.

Possibly related PRs

Suggested labels

ok-to-test

Suggested reviewers

  • mrunalp
  • hasan4791

Poem

🐰 I hopped through labels, mounts in tow,

SELinux now speaks when errors show.
Host-net decided early, mounts arranged,
Systemd reads the generator, nicely changed.
A happy hop — containers launch with glee! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name: Docstring Coverage
Status: ⚠️ Warning
Explanation: Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.
Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)
Check name: Description Check
Status: ✅ Passed
Explanation: Check skipped - CodeRabbit's high-level summary is enabled.

Check name: Title check
Status: ✅ Passed
Explanation: The pull request title 'Refactor mount and selinux codes in container creation' directly matches the main changes described in the PR objectives and raw summary, which focus on reorganizing mount setup functions, updating SELinux label handling, and refactoring container creation logic.

@openshift-ci openshift-ci bot requested review from hasan4791 and klihub December 16, 2025 15:59
@openshift-ci
Contributor

openshift-ci bot commented Dec 16, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bitoku
Once this PR has been reviewed and has the lgtm label, please assign sohankunkerkar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov

codecov bot commented Dec 16, 2025

Codecov Report

❌ Patch coverage is 50.00000% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.83%. Comparing base (4e2f7db) to head (dd62d21).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9667      +/-   ##
==========================================
- Coverage   67.10%   66.83%   -0.28%     
==========================================
  Files         208      208              
  Lines       28987    28863     -124     
==========================================
- Hits        19452    19290     -162     
- Misses       7876     7902      +26     
- Partials     1659     1671      +12     

Actionable comments posted: 0

🧹 Nitpick comments (1)
server/container_create.go (1)

804-805: Consider removing duplicate hostNet computation.

The hostNet value is computed here at line 804 and again at line 1199 inside configureSELinuxLabels. Since configureSELinuxLabels uses hostNet internally but doesn't return it, consider either:

  1. Having configureSELinuxLabels return hostNet as it previously did, or
  2. Passing hostNet as a parameter to configureSELinuxLabels

This would eliminate the duplicate computation and reduce the risk of inconsistency if the logic changes.


📥 Commits

Reviewing files that changed from the base of the PR and between 2e590ab and d5dd57f.

📒 Files selected for processing (2)
  • server/container_create.go (11 hunks)
  • server/container_create_linux.go (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Use interface-based design and dependency injection patterns in Go code
Propagate context.Context through function calls in Go code
Use fmt.Errorf with %w for error wrapping in Go code
Use logrus with structured fields for logging in Go code
Add comments explaining 'why' not 'what' in Go code
Use platform-specific file naming: *_{linux,freebsd}.go for platform-dependent code

Files:

  • server/container_create_linux.go
  • server/container_create.go
🧬 Code graph analysis (1)
server/container_create.go (2)
internal/storage/runtime.go (1)
  • ContainerInfo (48-55)
server/selinux.go (1)
  • InitLabel (21-31)
🔇 Additional comments (8)
server/container_create_linux.go (1)

658-660: Clean refactor to simplify function interface.

The change from accepting mounts as a parameter to deriving them from the generator via g.Mounts() reduces coupling and makes the function self-contained. Using a pointer receiver for *generate.Generator is correct since the function modifies the generator state.

server/container_create.go (7)

680-683: Good addition of error propagation from SELinux label configuration.

The change to propagate errors from configureSELinuxLabels follows Go best practices. Using fmt.Errorf with %w for error wrapping would be preferred if additional context is needed, but the direct return is acceptable here since the function name provides sufficient context.


824-826: LGTM!

The call to setupBaseContainerMounts is correctly structured with proper error handling.


862-865: LGTM!

The refactored setupContainerMounts call properly passes all required parameters and handles errors correctly.


973-1019: Good refactoring with proper error handling.

The function now correctly returns errors using fmt.Errorf with %w for error wrapping, as per the coding guidelines. The separation of mount concerns from systemd setup improves maintainability.


1121-1185: Well-structured consolidation of base mount setup.

The new function cleanly groups related mount operations with consistent error handling for security labeling. The integration of setupSystemdMounts at line 1181 correctly uses the refactored pointer-based signature.


1190-1233: Improved error handling with SELinux label initialization.

The addition of error return and the conditional initialization of processLabel via InitLabel (lines 1213-1218) ensures proper label setup for containers running init processes. The error tuple correctly propagates failures from the underlying SELinux operation.


1210-1218: The code comment claiming container_init_t labeling is inaccurate.

The comment states this should set container_init_t to run init processes, but InitLabel() calls selinux.InitContainerLabels() which returns standard container labels (like container_t), not container_init_t. This type does not exist in SELinux container policies. Update the comment to accurately reflect what label type is actually applied.


Actionable comments posted: 1

🧹 Nitpick comments (1)
server/container_create.go (1)

1121-1185: Consider adding a function doc comment.

The new setupBaseContainerMounts function handles important mount setup logic, but lacks a doc comment explaining its purpose and responsibilities. Consider adding documentation similar to configureSELinuxLabels (lines 1187-1189) to improve code maintainability.

Example:

+// setupBaseContainerMounts configures the base container mounts including resolv.conf, hostname,
+// hosts file, and systemd-related mounts if the container will run systemd. It applies the
+// appropriate mount labels and permissions based on the container's read-only status.
 func (s *Server) setupBaseContainerMounts(ctr container.Container, sb *sandbox.Sandbox, containerConfig *types.ContainerConfig, mountLabel string, hostNet bool, specgen *generate.Generator) error {
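Review bot: the suggested doc comment only says what the function mounts, while the AGENTS.md guideline quoted on this page asks Go comments to explain 'why' not 'what'; a sentence on why these base mounts (resolv.conf, hostname, hosts) must be in place before the OCI and volume mounts handled by setupContainerMounts would be more useful than the enumeration. The enumeration is also incomplete against the later review of 1123-1190, which notes that setupBaseContainerMounts conditionally handles privileged mounts as well as systemd mounts, so either list those too or drop the list. The sentence "based on the container's read-only status" is not supported by anything in the quoted signature (mountLabel and hostNet are the only inputs shown), so check it against the function body before committing it as documentation.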

📥 Commits

Reviewing files that changed from the base of the PR and between d5dd57f and 0830bee.

📒 Files selected for processing (3)
  • server/container_create.go (11 hunks)
  • server/container_create_freebsd.go (1 hunks)
  • server/container_create_linux.go (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • server/container_create_linux.go
🧰 Additional context used
📓 Path-based instructions (1)
**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Use interface-based design and dependency injection patterns in Go code
Propagate context.Context through function calls in Go code
Use fmt.Errorf with %w for error wrapping in Go code
Use logrus with structured fields for logging in Go code
Add comments explaining 'why' not 'what' in Go code
Use platform-specific file naming: *_{linux,freebsd}.go for platform-dependent code

Files:

  • server/container_create_freebsd.go
  • server/container_create.go
🔇 Additional comments (4)
server/container_create_freebsd.go (1)

156-157: LGTM: Function signature updated for cross-platform consistency.

The rename from setupSystemd to setupSystemdMounts and the signature change (removing the mounts parameter, using pointer receiver for generator) aligns with the Linux variant and the broader refactoring pattern described in the PR. The empty body remains appropriate for FreeBSD.

server/container_create.go (3)

680-683: LGTM: Proper error propagation from SELinux configuration.

The updated configureSELinuxLabels signature now returns an error, which is correctly checked and propagated. This enables proper error handling for the InitLabel call that was consolidated into this function.


973-1020: LGTM: Clean function signature and proper error handling.

The refactored setupContainerMounts has a cleaner signature (returns only error) and follows coding guidelines with proper error wrapping using %w on line 996.


804-805: LGTM: Function calls updated correctly for the refactored signatures.

The call sites for setupBaseContainerMounts (line 824) and setupContainerMounts (line 862) are properly updated with the new signatures. The local computation of hostNet (line 804) aligns with the PR's goal to compute values locally where needed instead of passing them between functions.

Also applies to: 824-826, 862-865

@bitoku bitoku changed the title Refactor mount codes WIP: Refactor mount codes Dec 16, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 16, 2025
@bitoku bitoku changed the title WIP: Refactor mount codes Refactor mount and selinux codes in container creation. Dec 17, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 17, 2025

Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between 6b7ecac and dd62d21.

📒 Files selected for processing (3)
  • server/container_create.go (11 hunks)
  • server/container_create_freebsd.go (1 hunks)
  • server/container_create_linux.go (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • server/container_create_linux.go
🧰 Additional context used
📓 Path-based instructions (1)
**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Use interface-based design and dependency injection patterns in Go code
Propagate context.Context through function calls in Go code
Use fmt.Errorf with %w for error wrapping in Go code
Use logrus with structured fields for logging in Go code
Add comments explaining 'why' not 'what' in Go code
Use platform-specific file naming: *_{linux,freebsd}.go for platform-dependent code

Files:

  • server/container_create.go
  • server/container_create_freebsd.go
🧠 Learnings (1)
📚 Learning: 2025-12-03T18:27:19.593Z
Learnt from: CR
Repo: cri-o/cri-o PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-03T18:27:19.593Z
Learning: Applies to **/*.go : Use `fmt.Errorf` with `%w` for error wrapping in Go code

Applied to files:

  • server/container_create.go
🧬 Code graph analysis (1)
server/container_create.go (3)
internal/storage/runtime.go (1)
  • ContainerInfo (48-55)
server/selinux.go (1)
  • InitLabel (21-31)
pkg/annotations/annotations.go (1)
  • GetAnnotationValue (15-17)
🔇 Additional comments (7)
server/container_create_freebsd.go (1)

156-158: LGTM! Clean platform-specific implementation.

The signature change aligns with the Linux counterpart, and the no-op implementation with an explanatory comment is appropriate for FreeBSD where systemd is not supported.

server/container_create.go (6)

680-683: LGTM! Proper error propagation.

The error handling for configureSELinuxLabels follows Go best practices by checking and propagating the error immediately.


804-804: Good refactoring: hostNet computed locally.

Computing hostNet directly from the security context simplifies the flow and aligns with the PR's goal of removing it from configureSELinuxLabels return values.


973-1022: Well-structured function with proper documentation.

The refactored setupContainerMounts has a clear purpose documented in the comment, proper error wrapping using fmt.Errorf with %w, and focuses on OCI/volume/secret mount configuration as intended.


1123-1190: Excellent refactoring with clear separation of concerns.

The new setupBaseContainerMounts function consolidates base mount setup (resolv.conf, hostname, /etc/hosts) and conditionally handles privileged and systemd mounts. The documentation is clear, error handling is consistent, and the systemd mount setup correctly passes ctr.Spec() to setupSystemdMounts.


1216-1225: Good addition: SELinux init label handling.

The container_init_t label initialization for systemd/init containers is properly implemented with clear documentation explaining the requirement. Error wrapping follows coding guidelines using fmt.Errorf with %w.

Based on coding guidelines: "Use fmt.Errorf with %w for error wrapping in Go code"


1195-1240: Solid refactoring with improved error handling.

The refactored configureSELinuxLabels properly returns errors, computes hostNet locally (removing it from return values), and consolidates the container_init_t label initialization logic. The function signature change is consistent with all call sites.
