asreimer
commented
3 years ago After group discussion offline, option 3 seems best, but we need to investigate the security implications more fully.
Open asreimer opened 3 years ago
asreimer
commented
3 years ago After group discussion offline, option 3 seems best, but we need to investigate the security implications more fully.
SELinux poses some interesting challenges when bind mounting in Docker. To date, we have relied on detecting SELinux and, if found, appending a "Z" to the mounting permissions like so.
When using the "Z" option, docker modifies the SELinux context for a file (you can see context with the
-Zoption forls, e.g.ls -Z some_file). So, if a hypothetical user were to mount their/home/usernamedirectory into a container, we change the entire home directory's SELinux context, which has side effects for things like SSH. For example, we encountered an error:SELinux is preventing sshd from read access on the file authorized_keys.because the.ssh/authorized_keyscontext was changed fromunconfined_u:object_r:ssh_home_t:s0tosystem_u:object_r:container_file_t:s0:c283,c630.Possible solutions are:
podmanin Linux instead ofDocker. It has a python SDK that we can use. Here's a nice workflow example. a. Does this solve the SELinux issue or only the UID/GID issue #13?--security-opt label=disablea. Create adocker_testingdirectory b. Run a container and mount the docker_testing directory in: For example,docker run -it --rm --security-opt label=disable -v /path_to/docker_test:/testing alpine shc. Do with both with and without the--security-opt label=disableargument and see if you can access the contents of/testingwithin the container. With thelabel=disable, you should be able to access it and only the UID/GID of the user in the container will mismatch.Feel free to edit this post to add more items to the list.