Skip to content

Commit

Permalink
Merge pull request containers#2575 from haircommander/hotfix_play_kube
Browse files Browse the repository at this point in the history
Default to SELinux private label for play kube mounts
  • Loading branch information
openshift-merge-robot authored Mar 29, 2019
2 parents 376a89c + 0d0ad59 commit 9b78935
Show file tree
Hide file tree
Showing 5 changed files with 37 additions and 11 deletions.
7 changes: 6 additions & 1 deletion cmd/podman/play_kube.go
Original file line number Diff line number Diff line change
Expand Up @@ -168,7 +168,13 @@ func playKubeYAMLCmd(c *cliconfig.KubePlayValues) error {
return errors.Errorf("Error creating HostPath %s at %s", volume.Name, hostPath.Path)
}
}
// unconditionally label a newly created volume as private
if err := libpod.LabelVolumePath(hostPath.Path, false); err != nil {
return errors.Wrapf(err, "Error giving %s a label", hostPath.Path)
}
break
case v1.HostPathDirectory:
case v1.HostPathUnset:
// do nothing here because we will verify the path exists in validateVolumeHostDir
break
default:
Expand All @@ -178,7 +184,6 @@ func playKubeYAMLCmd(c *cliconfig.KubePlayValues) error {
if err := shared.ValidateVolumeHostDir(hostPath.Path); err != nil {
return errors.Wrapf(err, "Error in parsing HostPath in YAML")
}
fmt.Println(volume.Name)
volumes[volume.Name] = hostPath.Path
}

Expand Down
2 changes: 2 additions & 0 deletions docs/podman-play-kube.1.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ the ID of the new Pod is output.

Ideally the input file would be one created by Podman (see podman-generate-kube(1)). This would guarantee a smooth import and expected results.

Note: HostPath volume types created by play kube will be given an SELinux private label (Z)

# OPTIONS:

**--authfile**
Expand Down
12 changes: 2 additions & 10 deletions libpod/runtime_volume_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ import (

"github.com/containers/libpod/libpod/events"
"github.com/containers/storage/pkg/stringid"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
Expand Down Expand Up @@ -56,15 +55,8 @@ func (r *Runtime) newVolume(ctx context.Context, options ...VolumeCreateOption)
if err := os.MkdirAll(fullVolPath, 0755); err != nil {
return nil, errors.Wrapf(err, "error creating volume directory %q", fullVolPath)
}
_, mountLabel, err := label.InitLabels([]string{})
if err != nil {
return nil, errors.Wrapf(err, "error getting default mountlabels")
}
if err := label.ReleaseLabel(mountLabel); err != nil {
return nil, errors.Wrapf(err, "error releasing label %q", mountLabel)
}
if err := label.Relabel(fullVolPath, mountLabel, true); err != nil {
return nil, errors.Wrapf(err, "error setting selinux label to %q", fullVolPath)
if err := LabelVolumePath(fullVolPath, true); err != nil {
return nil, err
}
volume.config.MountPoint = fullVolPath

Expand Down
21 changes: 21 additions & 0 deletions libpod/util_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"github.com/containerd/cgroups"
"github.com/containers/libpod/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
Expand Down Expand Up @@ -91,3 +92,23 @@ func GetV1CGroups(excludes []string) cgroups.Hierarchy {
return filtered, nil
}
}

// LabelVolumePath takes a mount path for a volume and gives it an
// selinux label of either shared or not
func LabelVolumePath(path string, shared bool) error {
_, mountLabel, err := label.InitLabels([]string{})
if err != nil {
return errors.Wrapf(err, "error getting default mountlabels")
}
if err := label.ReleaseLabel(mountLabel); err != nil {
return errors.Wrapf(err, "error releasing label %q", mountLabel)
}
if err := label.Relabel(path, mountLabel, shared); err != nil {
permString := "private"
if shared {
permString = "shared"
}
return errors.Wrapf(err, "error setting selinux label for %s to %q as %s", path, mountLabel, permString)
}
return nil
}
6 changes: 6 additions & 0 deletions libpod/util_unsupported.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,9 @@ func deleteSystemdCgroup(path string) error {
func assembleSystemdCgroupName(baseSlice, newSlice string) (string, error) {
return "", errors.Wrapf(ErrOSNotSupported, "cgroups are not supported on non-linux OSes")
}

// LabelVolumePath takes a mount path for a volume and gives it an
// selinux label of either shared or not
func LabelVolumePath(path string, shared bool) error {
return ErrNotImplemented
}

0 comments on commit 9b78935

Please sign in to comment.