Skip to content

mount: make seclabel optional in tests#36740

Closed
tonistiigi wants to merge 1 commit intomoby:masterfrom
tonistiigi:seclabel
Closed

mount: make seclabel optional in tests#36740
tonistiigi wants to merge 1 commit intomoby:masterfrom
tonistiigi:seclabel

Conversation

@tonistiigi
Copy link
Copy Markdown
Member

@tonistiigi tonistiigi commented Mar 29, 2018

The current test always assumes that seclabel appears on mounts if and only if selinux is enabled. The selinux.IsEnabled() checks if selinuxfs is enabled, so in systems that support selinux but don't have this mount (for example dind) this test would fail. The exception is added so that extra seclabel option is allowed but if selinuxfs is present it is still required.

Signed-off-by: Tonis Tiigi [email protected]

@tonistiigi tonistiigi mentioned this pull request Mar 30, 2018
Merged
@tonistiigi
Copy link
Copy Markdown
Member Author

tonistiigi commented Mar 30, 2018

confirmed this passes in rhel ci: https://jenkins.dockerproject.org/job/Tonis%20Docker%20debugginig/145/

@kolyshkin
Copy link
Copy Markdown
Contributor

kolyshkin commented Mar 30, 2018

LGTM

@kolyshkin
Copy link
Copy Markdown
Contributor

kolyshkin commented Mar 30, 2018

but if selinuxfs is present it is still required

As a second thought, I don't think this test case should check the presence of selabel vfs option. It is just some artefact from selinux which might or might not be added by the kernel.

@tonistiigi
Copy link
Copy Markdown
Member Author

tonistiigi commented Mar 30, 2018

@kolyshkin Is there a case when it is not added when selinux is enabled and mounted? If not, it could help us catch cases where we break the selinux detection code.

@kolyshkin
Copy link
Copy Markdown
Contributor

kolyshkin commented Mar 30, 2018

If not, it could help us catch cases where we break the selinux detection code.

Well, adding the seclabel option is kernel job, and selinux detection code is opencontainers/selinux and this is a unit test for pkg/mount, testing that its methods Mount() and GetMountInfo() work, this is why I prefer to keep it simple and focused.

@kolyshkin
Copy link
Copy Markdown
Contributor

kolyshkin commented Mar 30, 2018

Having said that, the above is not a very strong opinion so I'm fine with either approach.

@tonistiigi
Copy link
Copy Markdown
Member Author

tonistiigi commented Mar 30, 2018

@kolyshkin Going for contrived examples, it is also possible the GetMounts (that is a public method in this pkg) has a bug that skips parsing seclabel. That doesn't have any effect on systems without selinux. But on systems with selinux this would start to break things and with current logic would break the test as well.

@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Jun 8, 2018

ping @kolyshkin PTAL

@kolyshkin
Copy link
Copy Markdown
Contributor

kolyshkin commented Aug 25, 2018

This one can be closed as #36750 is merged

@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Aug 25, 2018

Thanks! Closing

@thaJeztah thaJeztah closed this Aug 25, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@justincormack justincormack Awaiting requested review from justincormack

Assignees

@vieux vieux

Labels

status/2-code-review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@tonistiigi @kolyshkin @thaJeztah @vdemeester @vieux @GordonTheTurtle