
[Enhancement]: Make ryuk.container.privileged default to true #1312

Closed
9034725985 opened this issue Dec 6, 2024 · 2 comments · Fixed by #1313
Labels
enhancement New feature or request

Comments

@9034725985

Problem

Test Containers Dot Net does not work on Fedora out of the box.

SELinux is preventing /bin/ryuk from write access on the sock_file docker.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ryuk should be allowed write access on the docker.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ryuk' --raw | audit2allow -M my-ryuk
# semodule -X 300 -i my-ryuk.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c314,c786
Target Context                system_u:object_r:container_var_run_t:s0
Target Objects                docker.sock [ sock_file ]
Source                        ryuk
Source Path                   /bin/ryuk
Port                          <Unknown>
Host                          kusfedora2024
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.26-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.26-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     kusfedora2024
Platform                      Linux kusfedora2024 6.11.10-300.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Nov 23 00:51:20 UTC 2024
                              x86_64
Alert Count                   2
First Seen                    2024-12-05 18:14:14 EST
Last Seen                     2024-12-05 18:14:14 EST
Local ID                      902f6f95-17c5-4010-846e-af0c224d46e9

Raw Audit Messages
type=AVC msg=audit(1733440454.225:379): avc:  denied  { write } for  pid=4979 comm="ryuk" name="docker.sock" dev="tmpfs" ino=3161 scontext=system_u:system_r:container_t:s0:c314,c786 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0


type=SYSCALL msg=audit(1733440454.225:379): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c00002b090 a2=17 a3=0 items=0 ppid=4957 pid=4979 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ryuk exe=/bin/ryuk subj=system_u:system_r:container_t:s0:c314,c786 key=(null)

Hash: ryuk,container_t,container_var_run_t,sock_file,write

Solution

From what I can tell from !7177 testcontainers-java defaults to true. We should as well.

Benefit

This will help make onboarding easier and smoother.

Alternatives

The alternative is to do nothing and keep the gotcha, or have people dig through the documentation to find something like

export TESTCONTAINERS_RYUK_CONTAINER_PRIVILEGED=true; 

or litter their $HOME with yet another dot properties file.

Would you like to help contributing this enhancement?

Yes
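As an added example (not code from the issue or from the Testcontainers project), a small audit-log triage script that parses the two raw audit records quoted above and flags the pattern they show: a process running as container_t denied write on a sock_file, correlated with the SYSCALL record of the same audit serial to recover the failing syscall and errno. The sample records are the ones quoted in the issue, embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw audit records quoted in the issue above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1733440454.225:379): avc:  denied  { write } for  pid=4979 comm="ryuk" name="docker.sock" dev="tmpfs" ino=3161 scontext=system_u:system_r:container_t:s0:c314,c786 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1733440454.225:379): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=c00002b090 a2=17 a3=0 items=0 ppid=4957 pid=4979 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ryuk exe=/bin/ryuk subj=system_u:system_r:container_t:s0:c314,c786 key=(null)
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \} for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted


def parse_record(line):
    """Parse one raw audit line into a dict; AVC records also carry 'result' and 'perms'."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "serial": int(m.group(3))}
    body = m.group(4)
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"], rec["perms"], body = a.group(1), a.group(2).split(), a.group(3)
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return rec


def diagnose_socket_denials(text):
    """Correlate AVC and SYSCALL records by audit serial and flag events where a
    container_t process is denied write on a sock_file (the ryuk/docker.sock case).
    Returns [(serial, comm, syscall, target_name, target_type)]."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    findings = []
    for serial, recs in sorted(events.items()):
        avc = next((r for r in recs if r["type"] == "AVC"), None)
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if avc is None or avc["result"] != "denied":
            continue
        f = avc["fields"]
        stype = f["scontext"].split(":")[2]  # type component of user:role:TYPE:level
        if f.get("tclass") == "sock_file" and "write" in avc["perms"] and stype == "container_t":
            syscall = sc["fields"].get("syscall") if sc else None
            findings.append((serial, f.get("comm"), syscall, f.get("name"),
                             f["tcontext"].split(":")[2]))
    return findings
```

Running it over the sample yields one finding for serial 379: ryuk, blocked in connect(), writing to docker.sock labelled container_var_run_t, which is exactly the denial the privileged ryuk setting works around.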

@9034725985 9034725985 added the enhancement New feature or request label Dec 6, 2024
@HofmeisterAn
Collaborator

Thanks! I did not know the default value had changed. @eddumelendez is it true by default now (if it is not set)? Does it make sense to change it in .NET too?

@eddumelendez
Member

Hi 👋🏽 yes, it is true by default now. The change was introduced in July last year.

> Does it make sense to change it in .NET too?
Yes, it will also help with podman users who need this enabled to work on rootless mode.
