support containerd/cri #98
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I remember getting those same errors when I tried to build the package. I think I resolved it by copying the file into the systems install, or it was different for each disto version. I can’t remember off the top of my head right now but maybe someone else has a quick suggestion on how to install. |
|
Hmm, @ibuildthecloud pointed me at https://github.com/containers/container-selinux/tree/RHEL7.5, will give this a try. |
|
BTW, thank you @crosbymichael for taking a look at this. I had another question with regards to your changes. Isn't something like the following also going to be necessary? |
rhatdan
approved these changes
Jul 10, 2020
|
Also add transition rule for containerd in container_filetrans_named_content in container.if |
|
@rhatdan I appreciate the feedback. To make this possible for me to test do you have guidance on how to install this policy from source on centos7? I see that you closed #97 saying I should use the RHEL7.5 branch but as per #97 (comment), it doesn't seem to work. |
|
Check out the repo and then checkout the RHEL7.5 branch. |
|
It would be best to test this policy on Fedora 32 or Centos 8 and then once we know it works backport fixes to the RHEL7.5 branch for centos7. |
Agreed. Working on it (still have some failures running critest against containerd/cri the 1.4.0-beta but I did switch to centos8): The |
|
The issue here is, if we want the container processes to open a shared fifo_file, it needs to be labeled correctly. In this case the fifo_file has a range of MCS labels associated with it, that is blocked by MCS Protections. |
Adapts changes suggested by @crosbymichael: - containerd/cri#1246 (comment) With some bits grafted from https://github.com/rancher/k3s-selinux by: - @erikwilson - @ibuildthecloud Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
|
@rhatdan I've added the transition(s) to |
|
LGTM |
This was referenced Aug 6, 2020
dweomer
added a commit
to dweomer/containerd
that referenced
this pull request
Aug 10, 2020
`vagrant up` will build and install containerd and all dependencies, setting up proper SELinux contexts on the runc and containerd binaries. The VM is configured to be SELinux Enforcing by default but this gets changed during various CI passes via a matrix param to Disabled and Permissive before running tests. I have an open PR to fix the container-selinux policy for containerd at containers/container-selinux#98 which once accepted we will want to update the CI matrix to use Enforcing mode instead of Permissive. All tests currently pass in SELinux permissive mode with containerd configured with `enable_selinux=true`. To see which tests are failing with SELinux enforcing and an already spun up VM: `SELINUX=Enforcing vagrant up --provision-with=selinux,test-cri` To test SELinux enforcing in a new VM: `vagrant destroy -force; SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-cri` The `selinux` shell provisioner, parameterized by the SELINUX envvar, will configure the system as you would expect, with the side effect that containerd is configured with `enable_selinux=true` via `/etc/containerd/config.toml` for Permissive or Enforcing modes and `enable_selinux=false` when SELINUX=Disabled. Provided that virtualization is suported, this Vagrantfile and provisioners make it easy to test containerd/cri for conformance under SELinux on non-SELinux systems. Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
tussennet
pushed a commit
to tussennet/containerd
that referenced
this pull request
Sep 11, 2020
`vagrant up` will build and install containerd and all dependencies, setting up proper SELinux contexts on the runc and containerd binaries. The VM is configured to be SELinux Enforcing by default but this gets changed during various CI passes via a matrix param to Disabled and Permissive before running tests. I have an open PR to fix the container-selinux policy for containerd at containers/container-selinux#98 which once accepted we will want to update the CI matrix to use Enforcing mode instead of Permissive. All tests currently pass in SELinux permissive mode with containerd configured with `enable_selinux=true`. To see which tests are failing with SELinux enforcing and an already spun up VM: `SELINUX=Enforcing vagrant up --provision-with=selinux,test-cri` To test SELinux enforcing in a new VM: `vagrant destroy -force; SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-cri` The `selinux` shell provisioner, parameterized by the SELINUX envvar, will configure the system as you would expect, with the side effect that containerd is configured with `enable_selinux=true` via `/etc/containerd/config.toml` for Permissive or Enforcing modes and `enable_selinux=false` when SELINUX=Disabled. Provided that virtualization is suported, this Vagrantfile and provisioners make it easy to test containerd/cri for conformance under SELinux on non-SELinux systems. Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adapts changes suggested by @crosbymichael:
Unsure if this works because #97. Any pointers to resolve the installation issue would be greatly appreciated.