cri: filter selinux xattr for image volumes

dweomer · dweomer · commit c3609ff4ca0c · 2021-08-20T23:47:24.000-07:00
Exclude the `security.selinux` xattr when copying content from layer storage for image volumes. This allows for the already correct label at the target location to be applied to the copied content, thus enabling containers to write to volumes that they implicitly expect to be able to write to. - Fixes containerd#5090 - See rancher/rke2#690 Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
diff --git a/pkg/cri/opts/container.go b/pkg/cri/opts/container.go
@@ -115,5 +115,5 @@ func copyExistingContents(source, destination string) error {
 	if len(dstList) != 0 {
 		return errors.Errorf("volume at %q is not initially empty", destination)
 	}
-	return fs.CopyDir(destination, source)
+	return fs.CopyDir(destination, source, fs.WithXAttrExclude("security.selinux"))
 }

Original file line number	Diff line number	Diff line change
`@@ -115,5 +115,5 @@ func copyExistingContents(source, destination string) error {`
`115`	`115`	`if len(dstList) != 0 {`
`116`	`116`	`return errors.Errorf("volume at %q is not initially empty", destination)`
`117`	`117`	`}`
`118`		`- return fs.CopyDir(destination, source)`
	`118`	`+ return fs.CopyDir(destination, source, fs.WithXAttrExclude("security.selinux"))`
`119`	`119`	`}`