From 9c43c47b06d24f4d2e7363911ba9c87b135021a0 Mon Sep 17 00:00:00 2001
From: "Giacomo Mr. Wolf Furlan"
Date: Thu, 7 May 2020 02:09:09 +0200
Subject: [PATCH] Podman: disable selinux labels when extracting the tarball to prevent permission errors

---
 pkg/drivers/kic/oci/volumes.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkg/drivers/kic/oci/volumes.go b/pkg/drivers/kic/oci/volumes.go
index 8dd3887c589c..f3fb62d13a68 100644
--- a/pkg/drivers/kic/oci/volumes.go
+++ b/pkg/drivers/kic/oci/volumes.go
@@ -21,6 +21,7 @@ import (
 	"bytes"
 	"fmt"
 	"os/exec"
+	"runtime"
 	"strings"
 
 	"github.com/golang/glog"
@@ -80,7 +81,16 @@ func allVolumesByLabel(ociBin string, label string) ([]string, error) {
 // ExtractTarballToVolume runs a docker image imageName which extracts the tarball at tarballPath
 // to the volume named volumeName
 func ExtractTarballToVolume(ociBin string, tarballPath, volumeName, imageName string) error {
-	cmd := exec.Command(ociBin, "run", "--rm", "--entrypoint", "/usr/bin/tar", "-v", fmt.Sprintf("%s:/preloaded.tar:ro", tarballPath), "-v", fmt.Sprintf("%s:/extractDir", volumeName), imageName, "-I", "lz4", "-xvf", "/preloaded.tar", "-C", "/extractDir")
+	cmdArgs := []string{"run", "--rm", "--entrypoint", "/usr/bin/tar"}
+	// Podman:
+	// when selinux setenforce is enforced, normal mount will lead to file permissions error (-?????????)
+	// - option 1: label the file as container private (mount option :Z), but will alter the file in the host machine
+	// - option 2*: keep the file untouched and set --security-opt label=disable (no changes to file)
+	if ociBin == Podman && runtime.GOOS == "linux" {
+		cmdArgs = append(cmdArgs, "--security-opt", "label=disable")
+	}
+	cmdArgs = append(cmdArgs, "-v", fmt.Sprintf("%s:/preloaded.tar:ro", tarballPath), "-v", fmt.Sprintf("%s:/extractDir", volumeName), imageName, "-I", "lz4", "-xvf", "/preloaded.tar", "-C", "/extractDir")
+	cmd := exec.Command(ociBin, cmdArgs...)
 	if _, err := runCmd(cmd); err != nil {
 		return err
 	}
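Review bot: `--security-opt label=disable` in the new `if ociBin == Podman && runtime.GOOS == "linux"` branch switches off SELinux confinement for the entire tar container, not just for the one bind mount (`/preloaded.tar`) that produces the permission error, so a crafted preload tarball that hit a bug in the image's tar or lz4 would run with no SELinux backstop; whether that is acceptable depends on how trusted `tarballPath` is, which this hunk does not show. A narrower fix that needs neither `:Z` relabelling of the host file nor `label=disable` is to stop bind-mounting the host file and stream it on stdin instead (`podman run -i … tar -I lz4 -xvf - -C /extractDir` with `cmd.Stdin` set to the opened file); the named `/extractDir` volume is runtime-managed and, as far as I can tell, is already labelled for container access. That sketch assumes `runCmd` (outside this hunk) leaves `cmd.Stdin` alone and would need `os` added to the import block. If `label=disable` is kept, the comment should state the trade-off rather than only the file-relabel concern, e.g. `// NOTE: label=disable runs this one-shot tar container unconfined by SELinux; the tarball is downloaded content, so keep this scoped to this invocation only.`, and `option 2*` reads better as `option 2 (chosen)`. ExtractTarballToVolume's body continues past the end of the hunk.
```go
	cmdArgs := []string{"run", "--rm", "-i", "--entrypoint", "/usr/bin/tar"}
	// Stream the tarball on stdin instead of bind-mounting the host file: no :Z relabel
	// of the host path and no label=disable needed; /extractDir is a runtime-managed volume.
	cmdArgs = append(cmdArgs, "-v", fmt.Sprintf("%s:/extractDir", volumeName), imageName, "-I", "lz4", "-xvf", "-", "-C", "/extractDir")
	cmd := exec.Command(ociBin, cmdArgs...)
	f, err := os.Open(tarballPath)
	if err != nil {
		return err
	}
	defer f.Close()
	cmd.Stdin = f
	// … unchanged: runCmd call and error return …
```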