cri: selinux relabel /dev/shm#4699
Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, k3s-io/k3s#2240.

Even with updated container-selinux policy, container-local /dev/shm will get mounted with container_runtime_tmpfs_t because it is a tmpfs created by the runtime and not the container (thus, container_runtime_t transition rules apply). The relabel mitigates such, allowing envoy proxy to work correctly (and other programs that wish to write to their /dev/shm) under selinux.

Tested locally with:
- SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-integration
- SELINUX=Enforcing CRITEST_ARGS=--ginkgo.skip='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri
- SELINUX=Permissive CRITEST_ARGS=--ginkgo.focus='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri

Signed-off-by: Jacob Blain Christen <[email protected]>
Build succeeded.
Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, k3s-io/k3s#2240. This is a backport of containerd/containerd#4699.

Even with updated container-selinux policy, container-local /dev/shm will get mounted with container_runtime_tmpfs_t because it is a tmpfs created by the runtime and not the container (thus, container_runtime_t transition rules apply). The relabel mitigates such, allowing envoy proxy to work correctly (and other programs that wish to write to their /dev/shm) under selinux.
LGTM
/ok-to-test
Should we also relabel resolvconf and the other shared files?
@crosbymichael good question. I have no reports of folks needing to write to
ok, I think it's fine as these are not in
@crosbymichael it looks like the containerd/cri unit tests caught something that I missed: https://github.com/containerd/cri/pull/1605/files#diff-17a83af23eb8f578286e12d2b7537efb119bbb6a046235b59fc10b3f0ac04fa5 I am looking into why the refactored, containerd/cri -> containerd/containerd/pkg/cri, unit tests didn't catch it and will be submitting a followup fix (if necessary).
This is a followup to containerd#4699 that addresses an oversight that could cause the CRI to relabel the host /dev/shm, which should be a no-op in most cases. Additionally, fixes unit tests to make correct assertions for /dev/shm relabeling. Discovered while applying the changes for containerd#4699 to containerd/cri 1.4: containerd/cri#1605

Signed-off-by: Jacob Blain Christen <[email protected]>
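As an added illustration (not code from this PR or from containerd), the decision the original change and its follow-up encode: relabel the runtime-created per-sandbox shm with the container's mount label, but never the node's /dev/shm that a HostIpc pod shares. `Mount`, `ShmMount`, `ApplyMountLabels`, the `Relabeler` type and the sandbox directory layout are assumptions of this example; containerd's real call is `label.Relabel` from github.com/opencontainers/selinux/go-selinux/label.

```go
package main

import (
	"errors"
	"path/filepath"
)

// devShm is the container-side path of the shared-memory tmpfs.
const devShm = "/dev/shm"

// Mount holds only the fields this decision needs (illustrative, not the CRI's struct).
type Mount struct {
	HostPath       string // source on the host, bind-mounted at /dev/shm in the container
	SelinuxRelabel bool   // relabel HostPath with the container's mount label first
}

// ShmMount builds a container's /dev/shm mount. With host IPC the node's /dev/shm is
// shared and must not be relabelled; otherwise the per-sandbox tmpfs the runtime created
// is flagged so it ends up with the container's label, not container_runtime_tmpfs_t.
func ShmMount(stateDir, sandboxID string, hostIPC bool) Mount {
	if hostIPC {
		return Mount{HostPath: devShm}
	}
	host := filepath.Join(stateDir, "sandboxes", sandboxID, "shm") // assumed layout
	return Mount{HostPath: host, SelinuxRelabel: host != devShm}
}

// Relabeler has the signature of label.Relabel (which itself does nothing when SELinux
// is disabled) so the decision logic can run and be tested without a SELinux kernel.
type Relabeler func(path, mountLabel string, shared bool) error

// ApplyMountLabels relabels each mount flagged SelinuxRelabel with the container's
// mountLabel and returns the host paths it touched. The host /dev/shm is refused even
// if a caller flagged it: relabelling it would change the label for every host process.
func ApplyMountLabels(mounts []Mount, mountLabel string, relabel Relabeler) ([]string, error) {
	var done []string
	for _, m := range mounts {
		if !m.SelinuxRelabel {
			continue
		}
		if filepath.Clean(m.HostPath) == devShm {
			return done, errors.New("refusing to relabel host " + devShm)
		}
		if err := relabel(m.HostPath, mountLabel, false); err != nil {
			return done, err
		}
		done = append(done, m.HostPath)
	}
	return done, nil
}
```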