Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

label option, from libpod.conf, is not being respected. #5087

Closed
fidencio opened this issue Feb 4, 2020 · 3 comments · Fixed by #5225
Closed

label option, from libpod.conf, is not being respected. #5087

fidencio opened this issue Feb 4, 2020 · 3 comments · Fixed by #5225
Assignees
@vrothberg
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@fidencio
Copy link

fidencio commented Feb 4, 2020

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

When playing with podman + kata, there's the need to always pass --security-opt label=disable to podman-run. A similar way to achieve that, but for all the containers, would be setting label = false in the libpod.conf. However, it doesn't seem to work.

Steps to reproduce the issue:

On a Fedora 31 machine, using cgroups v1. do:

  1. dnf install kata-runtime
  2. set label=false in the libpod.conf file
  3. podman --runtime /usr/bin/kata-runtime run -it fedora /bin/bash

Describe the results you received:
Error: rpc error: code = Unknown desc = selinux label is specified in config, but selinux is disabled or not supported: OCI runtime error

Describe the results you expected:
Container would be started in the same way as if started using the following command-line: podman --runtime /usr/bin/kata-runtime run --security-opt label=disable fedora /bin/bash

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version 1.7.0

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.13.5
  podman version: 1.7.0
host:
  BuildahVersion: 1.12.0
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.9-2.fc31.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.9, commit: 7d46f3e7711aa3578488284ae2f98b447658f086'
  Distribution:
    distribution: fedora
    version: "31"
  MemFree: 5537505280
  MemTotal: 33534525440
  OCIRuntime:
    name: crun
    package: crun-0.10.6-1.fc31.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.10.6
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 12
  eventlogger: journald
  hostname: laerte
  kernel: 5.4.13-201.fc31.x86_64
  os: linux
  rootless: false
  uptime: 149h 40m 23.83s (Approximately 6.21 days)
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - quay.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 3
  GraphDriverName: overlay
  GraphOptions:
    overlay.mountopt: nodev,metacopy=on
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  ImageStore:
    number: 7
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.7.0-2.fc31.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical machine.
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Feb 4, 2020
@mheon
Copy link
Member

mheon commented Feb 4, 2020

@rhatdan PTAL. I doubt containers.conf is going to fix this, that's just moving around where we source the config value from.

@rhatdan
Copy link
Member

rhatdan commented Feb 4, 2020

Well we have an SELinux test right now, and it should be fixed in containers.conf.

@vrothberg
Copy link
Member

It's still a regression that should be fixed in libpod.conf.

@vrothberg vrothberg self-assigned this Feb 17, 2020
@vrothberg vrothberg mentioned this issue Feb 17, 2020
Merged
vrothberg added a commit to vrothberg/libpod that referenced this issue Feb 19, 2020
@vrothberg
set process labels in pkg/spec
58cbbbc 
Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.

Fixes: containers#5087
Signed-off-by: Valentin Rothberg <[email protected]>
snj33v pushed a commit to snj33v/libpod that referenced this issue May 31, 2020
@vrothberg @snj33v
set process labels in pkg/spec
1f28ea6 
Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.

Fixes: containers#5087
Signed-off-by: Valentin Rothberg <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@vrothberg vrothberg

Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

config: use built-in TOML merge and adhere to label setting vrothberg/libpod
5 participants
@fidencio @rhatdan @mheon @vrothberg @openshift-ci-robot