harbor
harbor copied to clipboard
goharbor
change to volume mount, add SELinux label
This PR supposed to fix issues on distributions with SELinux - like this one - by changing all bind mounts to volume mounts in thedocker-compose.yml.jinjafile and adding the SELinux labels to them. Labels and modes are ignored by Docker bind mounts. This way the generated docker-compose.yaml files not require modifications by the user.
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 67.47%. Comparing base (
2196ba7) to head (521b32c). Report is 208 commits behind head on main.
:exclamation: Current head 521b32c differs from pull request most recent head 9172085. Consider uploading reports for the commit 9172085 to get more accurate results
Additional details and impacted files
@@ Coverage Diff @@
## main #16241 +/- ##
==========================================
+ Coverage 67.42% 67.47% +0.04%
==========================================
Files 993 971 -22
Lines 108990 106223 -2767
Branches 2752 2649 -103
==========================================
- Hits 73491 71670 -1821
+ Misses 31540 30715 -825
+ Partials 3959 3838 -121
| Flag | Coverage Δ | |
|---|---|---|
| unittests | 67.47% <ø> (+0.04%) |
:arrow_up: |
Flags with carried forward coverage won't be shown. Click here to find out more.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
Just did an update from 2.4.1 to 2.5 and the process reminded me to check on this PR. Is there anything I can help you guys with? I know that relabeling this way is not advised, but considering that there are already methods like this used in the compose file I don't see why not. Also the directories are created fresh, and not using system related files or anything that would introduce risks to the system.
This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
@goharbor/all-maintainers, I think it would make sense to have this feature in Harbor. what do you think?
This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.
Any news on this one? Would really make my life easier during updates if you could accept this change ^-^ Did not check yet, but will later if I need to update something.
Mark this as "help needed" because we would like to get some help (advice, concerns) from the experts who are working on SELinux.
@stonezdj - can you please provide info as we spoke on the call Thank you so much!
Previously we are using the mount volume, and found an issue which will create a folder if the directory doesn't exist, and cause subsequent issues in container. to avoid this issue, we changed it to bind type, if the directory is not found, it fails to start with docker-compose
https://github.com/goharbor/harbor/commit/1eeea6b88827d87d15997404e2eb83623de978d7
Thanks @stonezdj
@apinter can you please review the PRs mentioned above and provide a bit more what issues are you facing so we can work it out ! Thanks!
Thanks @stonezdj
@apinter can you please review the PRs mentioned above and provide a bit more what issues are you facing so we can work it out ! Thanks!
The problem with a bind mount on an SELinux enabled system is that SELinux will block this approach and the startup will fail as it triggers an SELinux AVC. The only way a bind mount will work - at least on Fedora/CoreOS, RHEL, openSUSE MicroOS since those are the ones I tested ^-^ - is if the user manually relabels the folders that are bind mounted with system_u:object_r:container_file_t:s0. On the other hand using the docker built-in volume :z option will achieve essentially the same thing like a bind does, but due to the :z flag it automatically relabel the source folder on the host.
Right now if I update our Harbor instance I have to edit out all the bind mounts, and replace them with the volume mount and relabel options. The :z flag causes no harm on systems running AppArmor such as Ubuntu or openSUSE Leap/Tumbleweed.
Anyhow the upstream Docker doc might cover this better.
@apinter thanks for the details, @stonezdj @YangJiao0817 can we validate this PR both on ubuntu and SELinux(Fedora/CoreOS or RHEL or openSUSE MicroOS)?
This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.
This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.
@apinter can you add option in the yaml bases on the @stonezdj's suggestion?
@apinter can you add option in the yaml bases on the @stonezdj's suggestion?
Hey, sorry for the delay. Will make time for it this week.
@apinter Is the work on this still in progress?
Wow it has been a hot minute... Totally forgot to keep track :/ If nothing changed on this front then I will try and take a look today and update the PR.
@OrlinVasilev rebased and updated. Also TIL: don't be lazy, do a proper rebase instead of using the sync button on GH :upside_down_face: