Relabel containerenv files #5484
Conversation
|
Hi @gkurz. Thanks for your PR. I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Let me do some local tests here, but it should be fairly straight forward to test on your downstream. |
Codecov Report
@@ Coverage Diff @@
## main #5484 +/- ##
==========================================
- Coverage 43.49% 43.48% -0.01%
==========================================
Files 120 120
Lines 11909 11911 +2
==========================================
Hits 5180 5180
- Misses 6237 6239 +2
Partials 492 492 |
|
@gkurz, may I also ask you to share the error you're facing? |
|
/ok-to-test |
|
/ok-to-test |
|
Running with 1e2f62a I can see the following error happening: And looking at the AVC: With Greg's patch applied everything work as expected. |
|
@gkurz, you may want to add parts of #5484 (comment) in your commit message (I'd suggest doing so). I'll approve after hearing back from you on what's your preference (to change the commit message or to keep it as it is). |
Running with 1e2f62a the following error happens when creating a POD: Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 13m default-scheduler Successfully assigned default/nginx to centos Warning Failed 10m (x12 over 13m) kubelet Error: CreateContainer failed: Permission denied (os error 13): unknown This is paired with the following AVC on the host: time->Thu Dec 2 15:48:39 2021 type=PROCTITLE msg=audit(1638460119.594:9168): proctitle=2F7573722F6C6962657865632F6B6174612D71656D752F76697274696F667364002D2D7379736C6F67002D6F0063616368653D6175746F002D6F006E6F5F706F7369785F6C6F636B002D6F00736F757263653D2F72756E2F6B6174612D636F6E7461696E6572732F7368617265642F73616E64626F7865732F31393264323362 type=SYSCALL msg=audit(1638460119.594:9168): arch=c000003e syscall=262 success=no exit=-13 a0=2a1 a1=7fbd5516ca79 a2=7fbcceffca00 a3=1100 items=0 ppid=190783 pid=190791 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pool" exe="/usr/libexec/kata-qemu/virtiofsd" subj=system_u:system_r:container_kvm_t:s0:c645,c719 key=(null) type=AVC msg=audit(1638460119.594:9168): avc: denied { getattr } for pid=190791 comm="pool" path="/6a75cf9f9cf706b1ed0dc5eee91831bea5eb2911d1b8526ee7a6f64586a9f361-b204284ea4f1f3a1-.containerenv" dev="vda1" ino=5718410 scontext=system_u:system_r:container_kvm_t:s0:c645,c719 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0 As it is already done for 'hostname' and 'resolv.conf', apply proper security labels so that the containerenv file is accessible in environments that require it, e.g. kata-containers under SELinux. Fixes cri-o#5843 Tested-by: Fabiano Fidêncio <[email protected]> Signed-off-by: Greg Kurz <[email protected]>
432340f to
3162e05
Compare
|
LGTM @haircommander, mind to also take a look? |
|
LGTM |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gkurz, haircommander The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
10 similar comments
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
@gkurz: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
This adds a relabelling of the containerenv file that is missing in #5463. This is needed to run kata-containers on an SELinux enabled host.
Which issue(s) this PR fixes:
Fixes #5483
Special notes for your reviewer:
Change comes from code inspection. I haven't had time to try this fix yet but I'm proposing it anyway for review, as it is currently blocking our downstream workflow.
Does this PR introduce a user-facing change?