nomad-driver-podman
Add support for container creation's selinux_opts attribute
Solves #135
Hi!
This PR adds support for the selinux_opts attribute, as per https://docs.podman.io/en/latest/_static/api.html#operation/ContainerCreateLibpod .
I've also updated the README file and the tests to support the new attribute.
Thank you!
Hum...actually I just noticed that the tests are failing? Do they require SELinux to be enabled in the environment?
@lgfa29 It looks like the log with the test failures has aged out. Can you rerun them? Looking at the test, it is trying to add a SELinux label and then check for it. If SELinux is not enabled, that is going to fail.
Looking a bit more. It looks like you can't run the GitHub hosted actions with SELinux enabled. The SELinux team runs a MacOS GH Action with a Fedora Linux VM to run their test suite 🤢
https://github.com/SELinuxProject/selinux/blob/master/.github/workflows/vm_testsuite.yml
Hi
Any plan to merge this feature on the master branch? I saw that all tests are green. Do you need something else to merge?
@lgfa29 thank you for the merge. I'll test it as soon as it's released!
Oops, the ✅ was a red herring 😅
Since the commit was just a CHANGELOG update, the test suite didn't actually run. I tried this Vagrant approach since we also have a dev Vagrantfile, but I couldn't get it to work and it would take quite a bit of time to investigate, so I will just skip these tests in CI for now.
@lgfa29 oh, I thought that was solved :/.
I made a test on my cluster and it works well on my side.
I created a task with selinux_opts = ["disable"] and podman ran it with my flag correctly; I'm allowed to talk with my socket. When I run the same job without the selinux_opts, I get my expected access denied.
I hope you'll find the solution with the macOS and Vagrant hack to enable SELinux on a machine. It's sad to see GitHub Actions disable SELinux on their Linux machines :-1:
No worries, I thought it was good too 😅
I'm skipping these two tests for now until we figure out a better way. Hopefully GitHub will provide something better soon 🤞
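The thread's conclusion is that label-checking tests can only pass on a host where SELinux is enabled. As an added example (not part of this PR or the driver's code), here is one way a Go test suite could decide that at run time instead of skipping unconditionally; the function names and the use of the standard selinuxfs mount point `/sys/fs/selinux` are assumptions of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// defaultSelinuxfs is the usual selinuxfs mount point (assumption of this example).
const defaultSelinuxfs = "/sys/fs/selinux"

// selinuxMode reads <selinuxfs>/enforce and returns "disabled", "permissive"
// or "enforcing". A missing file means selinuxfs is not mounted.
func selinuxMode(selinuxfs string) (string, error) {
	data, err := os.ReadFile(filepath.Join(selinuxfs, "enforce"))
	if errors.Is(err, fs.ErrNotExist) {
		return "disabled", nil
	}
	if err != nil {
		return "", err
	}
	switch strings.TrimSpace(string(data)) {
	case "1":
		return "enforcing", nil
	case "0":
		return "permissive", nil
	}
	return "", fmt.Errorf("unexpected enforce value %q", data)
}

// skipReason returns a non-empty message when a test that sets a label and
// reads it back cannot pass on this host; a test would pass it to t.Skip.
func skipReason(selinuxfs string) string {
	mode, err := selinuxMode(selinuxfs)
	switch {
	case err != nil:
		return "cannot determine SELinux state: " + err.Error()
	case mode == "disabled":
		return "SELinux is not enabled on this host"
	}
	return ""
}

func main() {
	fmt.Printf("skip reason: %q\n", skipReason(defaultSelinuxfs))
}
```

With a guard like this, the same tests run on an SELinux-enabled VM and skip with a visible reason on hosted runners.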