Add support for selecting kvm and systemd labels #5690

rhatdan · 2020-03-31T21:56:18Z

In order to better support kata containers and systemd containers
container-selinux has added new types. Podman should execute the
container with an SELinux process label to match the container type.

Traditional Container process : container_t
KVM Container Process: containre_kvm_t
PID 1 Init process: container_init_t

Signed-off-by: Daniel J Walsh [email protected]

giuseppe · 2020-04-01T06:06:04Z

code LGTM

vrothberg · 2020-04-06T13:22:47Z

Gating is now yet happy:

[+0012s] libpod/container_internal.go:1934:17: undefined: selinux.KVMContainerLabels
[+0012s] libpod/container_internal.go:1944:18: undefined: selinux.InitContainerLabels

vrothberg

Just minor nits. Once they're fixed, LGTM.

vrothberg · 2020-04-06T13:24:43Z

libpod/container_internal.go

+	return swapTypes(initLabel, processLabel)
+}
+
+func swapTypes(source, dest string) (string, error) {


Can we rename it to swapSELinuxTypes? libpod is a really big package and swapTypes sounds very generic.

vrothberg · 2020-04-06T13:25:53Z

libpod/runtime.go

 	for _, r := range runtime.config.Engine.RuntimeSupportsJSON {
 		supportsJSON[r] = true
 	}
 	for _, r := range runtime.config.Engine.RuntimeSupportsNoCgroups {
 		supportsNoCgroups[r] = true
 	}
-
+	/*	for _, r := range runtime.config.Engine.RuntimeSupportsKVM {


What's going on here?

Oops had not implemented, it is now in containers/common.

haircommander · 2020-04-06T13:54:18Z

libpod/oci.go

@@ -102,6 +102,8 @@ type OCIRuntime interface {
 	// SupportsNoCgroups is whether the runtime supports running containers
 	// without cgroups.
 	SupportsNoCgroups() bool
+	// SupportsKVM indicates container will use  KVM separation


nit: extra space between use and KVM

haircommander · 2020-04-06T13:55:21Z

libpod/runtime.go

@@ -379,7 +383,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) {
 		json := supportsJSON[name]
 		nocgroups := supportsNoCgroups[name]

-		ociRuntime, err := newConmonOCIRuntime(name, paths, runtime.conmonPath, runtime.config, json, nocgroups)
+		ociRuntime, err := newConmonOCIRuntime(name, paths, runtime.conmonPath, runtime.config, json, nocgroups, supportsKVM[name])


I think we should save the value of this like we do nocgroups and json above

Removed and figured it out inside of the function.

rh-atomic-bot · 2020-04-06T14:07:18Z

☔ The latest upstream changes (presumably #5727) made this pull request unmergeable. Please resolve the merge conflicts.

rh-atomic-bot · 2020-04-06T21:09:24Z

☔ The latest upstream changes (presumably #5478) made this pull request unmergeable. Please resolve the merge conflicts.

rhatdan · 2020-04-07T19:28:50Z

@haircommander @vrothberg @umohnani8 PTAL

vrothberg

LGTM

rh-atomic-bot · 2020-04-08T10:45:06Z

☔ The latest upstream changes (presumably #5756) made this pull request unmergeable. Please resolve the merge conflicts.

TomSweeneyRedHat · 2020-04-09T20:37:45Z

LGTM once the unhappy tests are happy

rh-atomic-bot · 2020-04-10T16:40:11Z

☔ The latest upstream changes (presumably #5785) made this pull request unmergeable. Please resolve the merge conflicts.

rhatdan · 2020-04-14T20:57:19Z

I just destroyed this PR> Will need to recreate it tomorrow.

rh-atomic-bot · 2020-04-15T18:42:17Z

☔ The latest upstream changes (presumably #5786) made this pull request unmergeable. Please resolve the merge conflicts.

In order to better support kata containers and systemd containers container-selinux has added new types. Podman should execute the container with an SELinux process label to match the container type. Traditional Container process : container_t KVM Container Process: containre_kvm_t PID 1 Init process: container_init_t Signed-off-by: Daniel J Walsh <[email protected]>

rhatdan · 2020-04-16T09:54:43Z

@baude @mheon @giuseppe @vrothberg @TomSweeneyRedHat @QiWang19 @jwhonce this one is ready to go in. PTAL

giuseppe

LGTM

openshift-ci-robot · 2020-04-16T10:45:38Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [giuseppe,rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

baude · 2020-04-16T12:25:47Z

/lgtm

openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 31, 2020

openshift-ci-robot requested review from giuseppe and mrunalp March 31, 2020 21:56

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 31, 2020

rhatdan mentioned this pull request Mar 31, 2020

Add KVMProcessLabel to identify the SELinux label for container vms opencontainers/selinux#63

Merged

rhatdan force-pushed the selinux branch from 3422f85 to 229a467 Compare April 3, 2020 20:06

rhatdan changed the title ~~[wip] Add support for selecting kvm and systemd labels~~ Add support for selecting kvm and systemd labels Apr 4, 2020

openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 4, 2020

vrothberg reviewed Apr 6, 2020

View reviewed changes

haircommander reviewed Apr 6, 2020

View reviewed changes

rhatdan force-pushed the selinux branch from 229a467 to e017e11 Compare April 6, 2020 17:35

rhatdan force-pushed the selinux branch 2 times, most recently from d33b1ed to 7e922c6 Compare April 7, 2020 09:02

rhatdan changed the title ~~Add support for selecting kvm and systemd labels~~ [WIP] Add support for selecting kvm and systemd labels Apr 7, 2020

openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 7, 2020

rhatdan force-pushed the selinux branch 4 times, most recently from 11b1a95 to 79f34a5 Compare April 7, 2020 18:20

rhatdan changed the title ~~[WIP] Add support for selecting kvm and systemd labels~~ Add support for selecting kvm and systemd labels Apr 7, 2020

openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 7, 2020

vrothberg reviewed Apr 8, 2020

View reviewed changes

rhatdan force-pushed the selinux branch from 79f34a5 to 09e38c2 Compare April 8, 2020 11:13

openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 10, 2020

rhatdan force-pushed the selinux branch from 58c2ca8 to 87c6d87 Compare April 11, 2020 15:24

openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 11, 2020

umohnani8 removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 14, 2020

rhatdan force-pushed the selinux branch from 87c6d87 to 24116c1 Compare April 14, 2020 20:48

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 14, 2020

rhatdan changed the title ~~Add support for selecting kvm and systemd labels~~ [WIP] Add support for selecting kvm and systemd labels Apr 14, 2020

openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 14, 2020

rhatdan force-pushed the selinux branch from 24116c1 to 1fab322 Compare April 15, 2020 10:56

rhatdan changed the title ~~[WIP] Add support for selecting kvm and systemd labels~~ Add support for selecting kvm and systemd labels Apr 15, 2020

openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 15, 2020

rhatdan force-pushed the selinux branch 4 times, most recently from c62bedb to da807e6 Compare April 15, 2020 20:36

rhatdan force-pushed the selinux branch from da807e6 to c4ca3c7 Compare April 15, 2020 20:52

giuseppe approved these changes Apr 16, 2020

View reviewed changes

openshift-ci-robot assigned baude Apr 16, 2020

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 16, 2020

openshift-merge-robot merged commit 09e821a into containers:master Apr 16, 2020

github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 25, 2023

github-actions bot locked as resolved and limited conversation to collaborators Sep 25, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for selecting kvm and systemd labels #5690

Add support for selecting kvm and systemd labels #5690

rhatdan commented Mar 31, 2020

giuseppe commented Apr 1, 2020

vrothberg commented Apr 6, 2020

vrothberg left a comment

vrothberg Apr 6, 2020

rhatdan Apr 6, 2020

vrothberg Apr 6, 2020

rhatdan Apr 7, 2020

haircommander Apr 6, 2020

rhatdan Apr 7, 2020

haircommander Apr 6, 2020

rhatdan Apr 7, 2020

rh-atomic-bot commented Apr 6, 2020

rh-atomic-bot commented Apr 6, 2020

rhatdan commented Apr 7, 2020

vrothberg left a comment

rh-atomic-bot commented Apr 8, 2020

TomSweeneyRedHat commented Apr 9, 2020

rh-atomic-bot commented Apr 10, 2020

rhatdan commented Apr 14, 2020

rh-atomic-bot commented Apr 15, 2020

rhatdan commented Apr 16, 2020

giuseppe left a comment

openshift-ci-robot commented Apr 16, 2020

baude commented Apr 16, 2020

Add support for selecting kvm and systemd labels #5690

Add support for selecting kvm and systemd labels #5690

Conversation

rhatdan commented Mar 31, 2020

giuseppe commented Apr 1, 2020

vrothberg commented Apr 6, 2020

vrothberg left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

rh-atomic-bot commented Apr 6, 2020

rh-atomic-bot commented Apr 6, 2020

rhatdan commented Apr 7, 2020

vrothberg left a comment

Choose a reason for hiding this comment

rh-atomic-bot commented Apr 8, 2020

TomSweeneyRedHat commented Apr 9, 2020

rh-atomic-bot commented Apr 10, 2020

rhatdan commented Apr 14, 2020

rh-atomic-bot commented Apr 15, 2020

rhatdan commented Apr 16, 2020

giuseppe left a comment

Choose a reason for hiding this comment

openshift-ci-robot commented Apr 16, 2020

baude commented Apr 16, 2020