@bitoku bitoku commented Dec 16, 2025

What type of PR is this?

/kind bug

What this PR does / why we need it:

When systemd runs in a container, the process label will be container_init_t, even if a user specifies the SELinux type explicitly.
This PR fixes the process label of systemd.

ref: #3754

Which issue(s) this PR fixes:

Special notes for your reviewer:

We need an image which can run systemd to write integration tests.

Does this PR introduce a user-facing change?

Respect user-specified SELinux label for systemd or init container.

Summary by CodeRabbit

Bug Fixes

  • Process label initialization in container creation now conditionally preserves pre-existing labels instead of unconditionally reinitializing them. The initialization only occurs when the label is empty, allowing existing labels to persist while maintaining error handling during container setup and system configuration.
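
A check for the behaviour the PR description reports, added here as an example and not taken from the PR or from CRI-O: it parses the SELinux label observed on a container's init process and flags containers where a requested type was replaced by container_init_t. The type `my_container_t`, the function names and the sample labels are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const initType = "container_init_t" // type named in the PR description

// Context is a parsed SELinux label of the form user:role:type[:level].
type Context struct{ User, Role, Type, Level string }

// ParseContext splits a label as read from `ps -Z` or /proc/<pid>/attr/current.
// The level may contain colons ("s0:c30,c40"), so only three separators count.
func ParseContext(label string) (Context, error) {
	label = strings.TrimRight(label, "\x00\n ") // procfs may append NUL/newline
	p := strings.SplitN(label, ":", 4)
	if len(p) < 3 || p[0] == "" || p[1] == "" || p[2] == "" {
		return Context{}, fmt.Errorf("malformed SELinux label %q", label)
	}
	p = append(p, "") // guarantees p[3] exists when the label has no level
	return Context{p[0], p[1], p[2], p[3]}, nil
}

// Verdict classifies an observed PID 1 label against the requested type.
type Verdict string

const (
	OK           Verdict = "ok"
	NotRequested Verdict = "no-type-requested"
	Overridden   Verdict = "overridden-by-container_init_t"
	Mismatch     Verdict = "mismatch"
	Unparseable  Verdict = "unparseable-label"
)

// CheckInitLabel compares the requested SELinux type with the observed label.
func CheckInitLabel(requestedType, observed string) Verdict {
	ctx, err := ParseContext(observed)
	switch {
	case err != nil:
		return Unparseable
	case requestedType == "":
		return NotRequested // runtime default applies; nothing to verify
	case ctx.Type == requestedType:
		return OK
	case ctx.Type == initType:
		return Overridden // the symptom described in the PR
	}
	return Mismatch
}

type Row struct{ Name, RequestedType, Observed string } // one observation
var SampleRows = []Row{ // constructed sample data
	{"systemd-default", "", "system_u:system_r:container_init_t:s0:c10,c20\x00"},
	{"systemd-custom", "my_container_t", "system_u:system_r:container_init_t:s0:c30,c40\n"},
	{"systemd-honoured", "my_container_t", "system_u:system_r:my_container_t:s0:c30,c40"},
	{"unlabeled", "my_container_t", "kernel"},
}

// Audit returns "name: verdict" for each row whose requested type was not applied.
func Audit(rows []Row) []string {
	var flagged []string
	for _, r := range rows {
		if v := CheckInitLabel(r.RequestedType, r.Observed); v != OK && v != NotRequested {
			flagged = append(flagged, r.Name+": "+string(v))
		}
	}
	return flagged
}

func main() {
	fmt.Println(strings.Join(Audit(SampleRows), "\n"))
}
```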


@bitoku bitoku requested a review from mrunalp as a code owner December 16, 2025 12:45
@openshift-ci openshift-ci bot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Dec 16, 2025
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Dec 16, 2025
@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Dec 16, 2025
@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Dec 16, 2025
@openshift-ci-robot

@bitoku: This pull request references Jira Issue OCPBUGS-69402, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@openshift-ci openshift-ci bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Dec 16, 2025

coderabbitai bot commented Dec 16, 2025

Walkthrough

A single conditional logic modification in server/container_create.go ensures that the process label initialization only occurs when the label is empty, preserving any pre-existing label value instead of unconditionally overwriting it.

Changes

Cohort / File(s): Process label initialization (server/container_create.go)
Summary: Modified setupContainerMountsAndSystemd to conditionally invoke InitLabel only when processLabel is empty, preserving already-set labels while maintaining error handling

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3–5 minutes

  • Single file, single function affected
  • Straightforward conditional logic addition with no structural complexity
  • No method signature changes or cross-component impacts

Poem

🐰 A label once lost, now safely kept,
When empty alone, InitLabel's stepped.
No overwrites here, just gentle grace—
The process label finds its place! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: making InitLabel conditionally set the process label only when unset, which directly aligns with the code modification in setupContainerMountsAndSystemd.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 16, 2025
@openshift-ci-robot

@bitoku: This pull request references Jira Issue OCPBUGS-69402, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lyman9966



openshift-ci bot commented Dec 16, 2025

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: lyman9966.

Note that only cri-o members and repo collaborators can review this PR, and authors cannot review their own PRs.



bitoku commented Dec 16, 2025

/jira refresh

@openshift-ci-robot

@bitoku: This pull request references Jira Issue OCPBUGS-69402, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lyman9966



openshift-ci bot commented Dec 16, 2025

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: lyman9966.

Note that only cri-o members and repo collaborators can review this PR, and authors cannot review their own PRs.



codecov bot commented Dec 16, 2025

Codecov Report

❌ Patch coverage is 0% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.10%. Comparing base (2e590ab) to head (4e2f7db).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9666      +/-   ##
==========================================
- Coverage   67.28%   67.10%   -0.18%     
==========================================
  Files         208      208              
  Lines       28983    28987       +4     
==========================================
- Hits        19500    19452      -48     
- Misses       7819     7876      +57     
+ Partials     1664     1659       -5     

@haircommander
Member

/lgtm
/approve

I'm not sure what's up with CI, but it's very natural for it to break the week of a cri-o release :)

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 16, 2025

openshift-ci bot commented Dec 16, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bitoku, haircommander


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 16, 2025
@haircommander
Member

/retest

@openshift-merge-bot openshift-merge-bot bot merged commit 0e42a1f into cri-o:main Dec 16, 2025
69 of 71 checks passed
@openshift-ci-robot

@bitoku: Jira Issue OCPBUGS-69402: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-69402 has been moved to the MODIFIED state.



bitoku commented Dec 17, 2025

/jira backport release-4.21

@openshift-ci-robot

@bitoku: The following backport issues have been created:

Queuing cherrypicks to the requested branches to be created after this PR merges:
/cherrypick release-4.21


@openshift-cherrypick-robot

@openshift-ci-robot: cannot checkout release-4.21: error checking out "release-4.21": exit status 1 error: pathspec 'release-4.21' did not match any file(s) known to git



bitoku commented Dec 17, 2025

/cherry-pick release-1.34

@openshift-cherrypick-robot

@bitoku: #9666 failed to apply on top of branch "release-1.34":

Applying: Ensure `InitLabel` only sets process label when unset
Using index info to reconstruct a base tree...
M	server/container_create.go
Falling back to patching base and 3-way merge...
Auto-merging server/container_create.go
CONFLICT (content): Merge conflict in server/container_create.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Ensure `InitLabel` only sets process label when unset



bitoku commented Dec 17, 2025

/jira backport release-4.20,release-4.19,release-4.18,release-4.17

@openshift-ci-robot

@bitoku: Missing required branches for backport chain:

  • openshift-4.21 OR release-4.21,


bitoku commented Dec 17, 2025

/jira backport release-4.21,release-4.20,release-4.19,release-4.18,release-4.17

@openshift-ci-robot

@bitoku: The following backport issues have been created:

Queuing cherrypicks to the requested branches to be created after this PR merges:
/cherrypick release-4.21
/cherrypick release-4.20
/cherrypick release-4.19
/cherrypick release-4.18
/cherrypick release-4.17


@openshift-cherrypick-robot

@openshift-ci-robot: cannot checkout release-4.17: error checking out "release-4.17": exit status 1 error: pathspec 'release-4.17' did not match any file(s) known to git


@openshift-cherrypick-robot

@openshift-ci-robot: cannot checkout release-4.18: error checking out "release-4.18": exit status 1 error: pathspec 'release-4.18' did not match any file(s) known to git


@openshift-cherrypick-robot

@openshift-ci-robot: cannot checkout release-4.19: error checking out "release-4.19": exit status 1 error: pathspec 'release-4.19' did not match any file(s) known to git


@openshift-cherrypick-robot

@openshift-ci-robot: cannot checkout release-4.20: error checking out "release-4.20": exit status 1 error: pathspec 'release-4.20' did not match any file(s) known to git


@openshift-cherrypick-robot

@openshift-ci-robot: cannot checkout release-4.21: error checking out "release-4.21": exit status 1 error: pathspec 'release-4.21' did not match any file(s) known to git
