server: conditionally relabel volumes given annotation #5373

haircommander · 2021-10-01T16:27:50Z

What type of PR is this?

/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Add support for "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel" annotation, which tells CRI-O to skip relabeling volumes if the top level is already correctly labeled

haircommander · 2021-10-01T16:28:37Z

wip because I have vendored opencontainers/selinux#161

codecov · 2021-10-01T18:48:07Z

Codecov Report

Merging #5373 (9dda811) into main (fc8d744) will decrease coverage by 0.01%.
The diff coverage is 14.28%.

❗ Current head 9dda811 differs from pull request most recent head 87b8e5d. Consider uploading reports for the commit 87b8e5d to get more accurate results

@@            Coverage Diff             @@
##             main    #5373      +/-   ##
==========================================
- Coverage   43.75%   43.73%   -0.02%     
==========================================
  Files         118      118              
  Lines       11737    11746       +9     
==========================================
+ Hits         5135     5137       +2     
- Misses       6114     6121       +7     
  Partials      488      488

kolyshkin · 2021-10-04T16:48:42Z

pkg/annotations/annotations.go

 	OCISeccompBPFHookAnnotation = "io.containers.trace-syscall"
+
+	// MaybeSELinuxLabelAnnotation is the annotation used for optionally skipping relabeling a volume with the specified SELinux label.
+	// The label will not happen if the top layer is already labeled correctly.


nit: s/The label will not happen /The relabeling will be skipped /

kolyshkin

LGTM overall, let's just wait for opencontainers/selinux#161

haircommander · 2021-10-04T20:20:44Z

we don't technically need the SELinux commit, though it makes it safer. I've dropped and it can be included asynchronously

haircommander · 2021-10-04T20:24:29Z

@cri-o/cri-o-maintainers PTAL
/retest

TomSweeneyRedHat · 2021-10-04T22:08:12Z

server/container_create_linux.go

 	// of the translation between CRI config -> oci/storage container in the container package
+
+	// TODO: eventually, this should be in the container package, but it's going through a lot of churn
+	// and SpecAddAnnotations is already passed too many arguments


nit of a nit, ignore unless you get other changes

Suggested change

// and SpecAddAnnotations is already passed too many arguments

// and SpecAddAnnotations is already passing too many arguments

TomSweeneyRedHat · 2021-10-04T22:11:22Z

LGTM
assuming happy tests

saschagrunert

LGTM, just one non blocking nit

saschagrunert · 2021-10-05T07:31:32Z

pkg/annotations/annotations.go

+	// MaybeSELinuxLabelAnnotation is the annotation used for optionally skipping relabeling a volume with the specified SELinux label.
+	// The relabeling will be skipped if the top layer is already labeled correctly.
+	MaybeSELinuxLabelAnnotation = "io.kubernetes.cri-o.MaybeSELinuxLabel"


non blocking nit because this may already been discussed: I would prefer having something more specific here like "io.kubernetes.cri-o.SkipSELinuxLabel" or "io.kubernetes.cri-o.SkipVolumeSELinuxLabel"

changed it to TrySkipSELinuxLabel

does that work for you? also wondering @kolyshkin 's thought

Works for me, yes thank you!

nee1esh · 2021-10-05T19:50:18Z

/retest-required

openshift-ci · 2021-10-07T15:17:01Z

@haircommander: Overrode contexts on behalf of haircommander: ci/openshift-jenkins/integration_rhel

Details

In response to this:

/override ci/openshift-jenkins/integration_rhel

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2021-10-07T15:26:41Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-10-07T18:28:42Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-10-07T18:41:43Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-10-07T18:54:42Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-10-07T19:20:48Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-10-07T19:33:54Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

haircommander · 2021-10-07T19:47:10Z

/hold

found a bug

haircommander · 2021-10-07T21:15:03Z

/unhold

it works 🎉

Signed-off-by: Peter Hunt <[email protected]>

haircommander · 2021-10-07T22:05:33Z

/override ci/openshift-jenkins/e2e_rhel
/override ci/openshift-jenkins/integration_rhel

openshift-ci · 2021-10-07T22:05:37Z

@haircommander: Overrode contexts on behalf of haircommander: ci/openshift-jenkins/e2e_rhel, ci/openshift-jenkins/integration_rhel

Details

In response to this:

/override ci/openshift-jenkins/e2e_rhel
/override ci/openshift-jenkins/integration_rhel

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

mrunalp

/lgtm

openshift-ci · 2021-10-07T22:55:14Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, kolyshkin, mrunalp, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [haircommander,kolyshkin,mrunalp,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-bot · 2021-10-07T22:56:46Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-10-07T23:09:01Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-10-07T23:20:44Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-ci · 2021-10-07T23:35:04Z

@haircommander: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/openshift-jenkins/e2e_crun_cgroupv2	`ce3cfaa`	link	false	`/test e2e_cgroupv2`
ci/openshift-jenkins/integration_crun_cgroupv2	`87b8e5d`	link	false	`/test integration_cgroupv2`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

haircommander · 2021-10-07T23:37:04Z

/override ci/openshift-jenkins/integration_rhel

openshift-ci · 2021-10-07T23:37:08Z

@haircommander: Overrode contexts on behalf of haircommander: ci/openshift-jenkins/integration_rhel

Details

In response to this:

/override ci/openshift-jenkins/integration_rhel

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

haircommander requested review from mrunalp and runcom as code owners October 1, 2021 16:27

openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. labels Oct 1, 2021

openshift-ci bot requested a review from vrothberg October 1, 2021 16:27

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 1, 2021

haircommander changed the title ~~server: conditionally relabel volumes given annotation~~ WIP server: conditionally relabel volumes given annotation Oct 1, 2021

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 1, 2021

haircommander force-pushed the selinux-maybe branch 4 times, most recently from 3e426c9 to 502f4e9 Compare October 1, 2021 18:32

haircommander force-pushed the selinux-maybe branch from 502f4e9 to 8dd0250 Compare October 1, 2021 20:11

kolyshkin reviewed Oct 4, 2021

View reviewed changes

kolyshkin approved these changes Oct 4, 2021

View reviewed changes

haircommander mentioned this pull request Oct 4, 2021

add allowed annotations to workloads #5358

Merged

haircommander force-pushed the selinux-maybe branch from 8dd0250 to b21561f Compare October 4, 2021 20:20

haircommander changed the title ~~WIP server: conditionally relabel volumes given annotation~~ server: conditionally relabel volumes given annotation Oct 4, 2021

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 4, 2021

TomSweeneyRedHat reviewed Oct 4, 2021

View reviewed changes

saschagrunert reviewed Oct 5, 2021

View reviewed changes

haircommander force-pushed the selinux-maybe branch 2 times, most recently from 8c0675d to d1b16bb Compare October 5, 2021 14:54

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 7, 2021

haircommander force-pushed the selinux-maybe branch from ce3cfaa to 551d78a Compare October 7, 2021 20:52

openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 7, 2021

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 7, 2021

haircommander added 2 commits October 7, 2021 17:37

server: conditionally relabel volumes given annotation

0e02798

Signed-off-by: Peter Hunt <[email protected]>

server: FilterDisallowedAnnotations of containers earlier

87b8e5d

Signed-off-by: Peter Hunt <[email protected]>

haircommander force-pushed the selinux-maybe branch from 551d78a to 87b8e5d Compare October 7, 2021 21:37

mrunalp approved these changes Oct 7, 2021

View reviewed changes

openshift-ci bot assigned mrunalp Oct 7, 2021

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 7, 2021

openshift-merge-robot merged commit b393084 into cri-o:main Oct 7, 2021

openshift-ci bot mentioned this pull request Oct 21, 2021

5368/Adding-documentation-for-certificates Adding documentation for C… #5374

Closed

	// and SpecAddAnnotations is already passed too many arguments
	// and SpecAddAnnotations is already passing too many arguments

server: conditionally relabel volumes given annotation #5373

server: conditionally relabel volumes given annotation #5373

Uh oh!

Conversation

haircommander commented Oct 1, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

haircommander commented Oct 1, 2021

Uh oh!

codecov bot commented Oct 1, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

kolyshkin Oct 4, 2021

Choose a reason for hiding this comment

Uh oh!

kolyshkin left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

haircommander commented Oct 4, 2021

Uh oh!

haircommander commented Oct 4, 2021

Uh oh!

TomSweeneyRedHat Oct 4, 2021

Choose a reason for hiding this comment

Uh oh!

haircommander Oct 5, 2021

Choose a reason for hiding this comment

Uh oh!

TomSweeneyRedHat commented Oct 4, 2021

Uh oh!

saschagrunert left a comment

Choose a reason for hiding this comment

Uh oh!

saschagrunert Oct 5, 2021

Choose a reason for hiding this comment

Uh oh!

haircommander Oct 5, 2021

Choose a reason for hiding this comment

Uh oh!

haircommander Oct 5, 2021

Choose a reason for hiding this comment

Uh oh!

saschagrunert Oct 6, 2021

Choose a reason for hiding this comment

Uh oh!

nee1esh commented Oct 5, 2021

Uh oh!

openshift-ci bot commented Oct 7, 2021

Uh oh!

openshift-bot commented Oct 7, 2021

Uh oh!

openshift-bot commented Oct 7, 2021

Uh oh!

openshift-bot commented Oct 7, 2021

Uh oh!

openshift-bot commented Oct 7, 2021

Uh oh!

openshift-bot commented Oct 7, 2021

Uh oh!

openshift-bot commented Oct 7, 2021

Uh oh!

haircommander commented Oct 7, 2021

Uh oh!

haircommander commented Oct 7, 2021

Uh oh!

haircommander commented Oct 7, 2021

Uh oh!

openshift-ci bot commented Oct 7, 2021

Uh oh!

mrunalp left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Oct 7, 2021

haircommander commented Oct 1, 2021 •

edited

Loading

codecov bot commented Oct 1, 2021 •

edited

Loading

kolyshkin left a comment •

edited

Loading

openshift-ci bot commented Oct 7, 2021 •

edited

Loading