testcontainers-go
add SELinux compatibility
SELinux prevents non-privileged containers from accessing /var/run/docker.sock.
❯ getenforce
Enforcing
❯ docker run -v /var/run/docker.sock:/var/run/docker.sock quay.io/testcontainers/ryuk:0.2.3
2021/01/04 17:22:11 Starting on port 8080...
panic: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/_ping: dial unix /var/run/docker.sock: connect: permission denied
goroutine 1 [running]:
main.main()
/go/src/github.com/testcontainers/moby-ryuk/main.go:31 +0xe2e
This PR adds a check for SELinux and starts the reaper container in privileged mode if it is set to enforcing.
I just saw that https://github.com/testcontainers/testcontainers-go/pull/223 also wants to enable privileged for docker in docker. I could add that to this PR with this additional change.
_, err := os.Stat("/.dockerenv") // the marker file exists only inside a Docker container, so err == nil means "inside docker"
// run reaper in privileged mode if SELinux is enforcing or if we are running inside docker
if selinux.EnforceMode() == selinux.Enforcing || err == nil {
	req.Privileged = true
}
Any chance of getting a review?
The code looks good to me! I am not sure how the Java lib behaves in this scenario.
@rnorth @bsideup do you have something similar, or is it demanded of the user to figure it out?
Thanks!
@gianarb the implementation seems to be checking the selinux config on tests' host, while Docker may not be running on the same machine (think VMs or remote Docker)
We have a ryuk.container.privileged property for this, as per https://www.testcontainers.org/features/configuration/#customizing-ryuk-resource-reaper
Thanks @bsideup, it is something left to the user, whether they want to run it privileged or not. It does not get checked at runtime.
Ah, I didn't think of running the containers on a remote host.
How do I tell ryuk to run in privileged mode in go?
Apparently, we do not have a way to set that value yet. I remember trying to figure out how we can properly handle configuration of such kind a few weeks ago. Let me look up that code again and publish it to see if we like it.
@gianarb is there any way we can help with this? I also need this feature to run integration tests that use testcontainer-go inside the container in which all my tests are running.
I think this PR is related to #223. @gianarb should we close this one in favor of the other? If so, we should also request rewriting that to resolve conflicts
@SoMuchForSubtlety we would appreciate your collaboration here, thank you for your interest in the project
@SoMuchForSubtlety there is a new way to set the privileged mode for Ryuk, added in https://github.com/testcontainers/testcontainers-go/pull/475.
Could you double check it and update your PR accordingly? Thanks in advance
I think we can close this one, as there is a way to define Ryuk in privileged mode. Please feel free to reopen it if you consider that this PR is still needed.
Thanks for your time here!