Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Automatically label containers running systemd with the correct label #3754

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 2 commits into from
May 12, 2020
Merged

Automatically label containers running systemd with the correct label #3754

openshift-merge-robot merged 2 commits into from
May 12, 2020

Conversation

@haircommander
Copy link
Member

@haircommander haircommander commented May 12, 2020

/kind Feature

Newer versions of container-selinux, container-selinux-2.132.0 or newer,
supply a container_init_t label. If CRI-O is running systemd or init inside
of the container, then the container will require different SELinux privs
to run the container.

By using the new SELinux label, we can run ordinary containers with a tighter
selinux policy then those running the init system, makeing the overlay system
more secure.

The eliminates the need to turn on the container_manage_cgroup SELinux boolean.

Ie. no need to execute

setsebool -P container_manage_cgroup 1

Any longer. On systems without the updated container-selnux package, the containers will still
attempt to run the standard container type container_t, and still require the boolean.

Signed-off-by: Daniel J Walsh [email protected]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

containers running `init` or `systemd` are now given a new selinux label `container_init_t`, giving it selinux privileges more appropriate for the workload

rhatdan and others added 2 commits May 12, 2020 14:59
@rhatdan @haircommander
Automatically label containers running systemd with the correct label
e620394 
Newer versions of container-selinux, container-selinux-2.132.0 or newer,
supply a `container_init_t` label.  If CRI-O is running systemd or init inside
of the container, then the container will require different SELinux privs
to run the container.

By using the new SELinux label, we can run ordinary containers with a tighter
selinux policy then those running the init system, makeing the overlay system
more secure.

The eliminates the need to turn on the container_manage_cgroup SELinux boolean.

Ie no need to execute

```
setsebool -P container_manage_cgroup 1
```

Any longer. On systems without the updated container-selnux package, the containers will still
attempt to run the standard container type `container_t`, and still require the boolean.

Signed-off-by: Daniel J Walsh <[email protected]>
@haircommander
bump version of libpod to get selinux
25fcca8 
Signed-off-by: Peter Hunt <[email protected]>
@openshift-ci-robot openshift-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label May 12, 2020
@openshift-ci-robot
Copy link

openshift-ci-robot commented May 12, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label May 12, 2020
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 12, 2020
@haircommander haircommander changed the title Kvm labels Automatically label containers running systemd with the correct label May 12, 2020
@haircommander
Copy link
Member Author

haircommander commented May 12, 2020

taking over #3707

@umohnani8
Copy link
Member

umohnani8 commented May 12, 2020

LGTM

@rhatdan
Copy link
Contributor

rhatdan commented May 12, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label May 12, 2020
@openshift-merge-robot openshift-merge-robot merged commit 3dc5679 into cri-o:master May 12, 2020
@umohnani8
Copy link
Member

umohnani8 commented May 13, 2020

/cherry-pick release-1.18

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request May 13, 2020
Closed
@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented May 13, 2020

@umohnani8: failed to push cherry-picked changes in GitHub: pushing failed, output: "To https://github.com/openshift-cherrypick-robot/cri-o\n ! [remote rejected] cherry-pick-3754-to-release-1.18 -> cherry-pick-3754-to-release-1.18 (cannot lock ref 'refs/heads/cherry-pick-3754-to-release-1.18': reference already exists)\nerror: failed to push some refs to 'https://openshift-cherrypick-robot:[email protected]/openshift-cherrypick-robot/cri-o'\n", error: exit status 1

Details

In response to this:

/cherry-pick release-1.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented May 13, 2020

@umohnani8: new pull request created: #3764

Details

In response to this:

/cherry-pick release-1.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@carbonin carbonin mentioned this pull request May 14, 2020
Closed
@haircommander haircommander mentioned this pull request Jun 17, 2020
Closed
@openshift-ci-robot openshift-ci-robot mentioned this pull request Jun 23, 2020
Closed
@haircommander haircommander deleted the kvm-labels branch September 27, 2021 16:54
@bitoku bitoku mentioned this pull request Dec 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp

@runcom runcom Awaiting requested review from runcom

@rhatdan rhatdan Awaiting requested review from rhatdan

Assignees

@rhatdan rhatdan

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@haircommander @openshift-ci-robot @umohnani8 @rhatdan @openshift-cherrypick-robot @openshift-merge-robot