Florian Apolloner
@Ilgmi Nice, if you use my existing new roles it should be relatively straightforward. If you get stuck somewhere don't hesitate to ask.
https://github.com/apollo13/netbird/commit/7c32d2d4baa94f87e96565c299f316e0aa1963d3 fixes this for Android. `net.Interfaces()` doesn't work on Android anymore and you cannot get access to the MAC. But aside from that it should work fine. As for @MichaelUray's...
> I'm not _entirely_ convinced that K8s is really doing the right thing here in allowing the job operator to recursively change ownership on the volume by default, but we'd...
True, namespace remapping is becoming more & more common and there is no easy solution to that. Sure, recursive `chmod/chown` is an option, but if at all it should be...
More information on what k8s does: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods as well as their support for pushing that down into the CSI layer: https://kubernetes-csi.github.io/docs/support-fsgroup.html
This got away by setting:
```
plugin "docker" {
  config {
    volumes {
      enabled      = true
      selinuxlabel = "z"
    }
  }
}
```
in the nomad config. There still seems...
The blog post https://danwalsh.livejournal.com/81143.html has a good explanation of why this is not working. The best thing to do here is probably `--security-opt label=disable` for the envoy container. Would this be...
I was able to manually fix the sidecars via:
```
sidecar_task {
  config {
    security_opt = ["label=disable"]
  }
}
```
in the `connect` stanza :)
@tgross For what it's worth, even a simple "beware does not work well with default selinux rules" would probably go far. I guess the main question is: Is active selinux...