From bf6c4141c1e387b451b4336e13ebc269b6dd5937 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 15 Mar 2017 16:30:39 -0400
Subject: [PATCH 1/3] Fix golint error

golint has figured out an optimization that is blocking other pull requests. This fixes the golint issue.

Signed-off-by: Daniel J Walsh
---
 utils/utils.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/utils/utils.go b/utils/utils.go
index b5d29a4f901..340e1ba9808 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -69,10 +69,8 @@ func RunUnderSystemdScope(pid int, slice string, unitName string) error {
 properties = append(properties, newProp("PIDs", []uint32{uint32(pid)}))
 properties = append(properties, newProp("Delegate", true))
 properties = append(properties, newProp("DefaultDependencies", false))
- if _, err := conn.StartTransientUnit(unitName, "replace", properties, nil); err != nil {
- return err
- }
- return nil
+ _, err = conn.StartTransientUnit(unitName, "replace", properties, nil)
+ return err
 }
 
 func newProp(name string, units interface{}) systemdDbus.Property {
From ff950a8e371d448616c6cd67a663cab04e7c4c10 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 15 Mar 2017 14:57:05 -0400
Subject: [PATCH 2/3] Set SELinux mount label for pod sandbox

The pause container is creating an AVC since the /dev/null device is not labeled correctly. Looks like we are only setting the label of the process not the label of the content inside of the container. This change will label content in the pause container correctly and eliminate the AVC.

Signed-off-by: Daniel J Walsh
---
 server/sandbox_run.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 234493f4423..7c7d8c260bf 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -201,6 +201,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 return nil, err
 }
 g.SetProcessSelinuxLabel(processLabel)
+ g.SetLinuxMountLabel(mountLabel)
 }
 
 // create shm mount for the pod containers.
From 031e1846241babb9a41a8db3cb9dcfc56302664c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 16 Mar 2017 17:03:12 -0400
Subject: [PATCH 3/3] Change lint timeout to 60 seconds, to fix test failure

Signed-off-by: Daniel J Walsh
---
 .tool/lint | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.tool/lint b/.tool/lint
index e1a12ebdc2a..a2d28fe341b 100755
--- a/.tool/lint
+++ b/.tool/lint
@@ -18,5 +18,5 @@ for d in $(find . -type d -not -iwholename '*.git*' -a -not -iname '.tool' -a -n
 --cyclo-over=60 \
 --dupl-threshold=100 \
 --tests \
- --deadline=30s "${d}"
+ --deadline=60s "${d}"
 done
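Review bot: In server/sandbox_run.go, the added `g.SetLinuxMountLabel(mountLabel)` carries no comment, so the reason for setting a second label lives only in the commit message. A short comment above the two calls would keep it with the code, e.g. `// Set both labels: the process label covers the sandbox process, the mount label covers its content (without it /dev/null is mislabeled and SELinux logs an AVC).` `mountLabel` is assigned outside the hunk, presumably by the call whose error is checked just above, and RunPodSandbox starts and ends outside the hunk, so it is worth confirming the value is non-empty whenever this branch runs. The shm mount created right after this block is also outside the hunk; if it is not given the same mount label, the sandbox may still see denials on that mount.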