containerd / cri

Moved to https://github.com/containerd/containerd/tree/master/pkg/cri. If you wish to submit issues/PRs, please submit to https://github.com/containerd/containerd.
Apache License 2.0

[release/1.4 backport] selinux: relabel /dev/shm #1605

Closed dweomer closed 4 years ago

dweomer commented 4 years ago

Addresses an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, https://github.com/rancher/k3s/issues/2240.

This is a backport of containerd/containerd#4699

Even with updated container-selinux policy, container-local /dev/shm will get mounted with container_runtime_tmpfs_t because it is a tmpfs created by the runtime and not the container (thus, container_runtime_t transition rules apply). The relabel mitigates this, allowing envoy proxy (and other programs that wish to write to their /dev/shm) to work correctly under SELinux.
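As an added illustration of the label problem described in this PR (example code, not code from the PR or from containerd), the following Go function decides from two SELinux contexts whether a container process should be able to write to its /dev/shm. It assumes container-selinux conventions: a correctly relabeled mount carries container_file_t, and a write requires every MCS category on the file to also be held by the process; it also assumes single-level contexts (a category range such as c0.c1023 is treated as one opaque token).

```go
package main

import (
	"fmt"
	"strings"
)

// parseContext splits "user:role:type[:sensitivity[:categories]]" into the type
// and the set of MCS categories, e.g. "...:container_t:s0:c123,c456" -> {c123,c456}.
func parseContext(ctx string) (string, map[string]bool, bool) {
	p := strings.Split(strings.TrimSpace(ctx), ":")
	if len(p) < 3 {
		return "", nil, false
	}
	cats := map[string]bool{}
	if len(p) >= 5 { // p[3] is the sensitivity (s0), p[4] the category list
		for _, c := range strings.Split(p[4], ",") {
			cats[c] = true
		}
	}
	return p[2], cats, true
}

// ShmWritable reports whether a process labeled procCtx should be able to write to
// a /dev/shm labeled fileCtx: the tmpfs must have been relabeled to container_file_t
// (container_runtime_tmpfs_t, the symptom in this PR, fails) and its MCS categories
// must all be held by the process (assumed container-selinux rules).
func ShmWritable(procCtx, fileCtx string) (bool, string) {
	_, held, okp := parseContext(procCtx)
	ftype, fcats, okf := parseContext(fileCtx)
	if !okp || !okf {
		return false, "malformed SELinux context"
	}
	if ftype != "container_file_t" {
		return false, "type " + ftype + ", expected container_file_t (not relabeled)"
	}
	for c := range fcats {
		if !held[c] {
			return false, "file category " + c + " not held by the process"
		}
	}
	return true, "ok"
}

func main() { // constructed sample labels: one container process, two /dev/shm labels
	for _, shm := range []string{"system_u:object_r:container_runtime_tmpfs_t:s0",
		"system_u:object_r:container_file_t:s0:c123,c456"} {
		ok, why := ShmWritable("system_u:system_r:container_t:s0:c123,c456", shm)
		fmt.Println(shm, "writable:", ok, "-", why)
	}
}
```

On a live host the two inputs would come from the container's process label and from `ls -Zd /dev/shm` inside the container; here they are constructed.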

k8s-ci-robot commented 4 years ago

Hi @dweomer. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

crosbymichael commented 4 years ago

LGTM

dweomer commented 4 years ago

Verified that this fixes an actual problem in our 1.3 and 1.4 forks for k3s.

mikebrow commented 4 years ago

/ok-to-test

dmcgowan commented 4 years ago

/retest

k8s-ci-robot commented 4 years ago

@dweomer: The following test failed, say /retest to rerun all failed tests:

| Test name | Commit | Details | Rerun command |
| --- | --- | --- | --- |
| pull-cri-containerd-node-e2e | 1ec7ede44fc75ce0db01604f5951635b353f1767 | link | /test pull-cri-containerd-node-e2e |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

dweomer commented 4 years ago

@mikebrow, @dmcgowan these failures seem unrelated to my changes, unless the pull-cri-containerd-node-e2e hook is running on an SELinux system?