ci: make build work on systems with SELinux #13003
Conversation
| @@ -14,7 +14,7 @@ BUILD_DATE=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ') | |||
| GIT_COMMIT=$(shell git rev-parse HEAD) | |||
| GIT_TAG=$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi) | |||
| GIT_TREE_STATE=$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi) | |||
| VOLUME_MOUNT=$(shell if test "$(go env GOOS)" = "darwin"; then echo ":delegated"; elif test selinuxenabled; then echo ":delegated"; else echo ""; fi) | |||
| VOLUME_MOUNT=$(shell if test "$(go env GOOS)" = "darwin"; then echo ":delegated"; elif test selinuxenabled; then echo ":Z"; else echo ""; fi) | |||
There was a problem hiding this comment.
It used to be :Z when SELinux is enabled, but was later changed to :delegated. I’m not sure to understand why, maybe it was a mistake?
| @@ -94,7 +97,6 @@ define run-in-test-server | |||
| -v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \ | |||
| -v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \ | |||
| -v ${HOME}/.kube:/home/user/.kube${VOLUME_MOUNT} \ | |||
| -v /tmp:/tmp${VOLUME_MOUNT} \ | |||
There was a problem hiding this comment.
I’m not sure why /tmp was bind-mounted (for caching reasons maybe?), but one cannot relabel (change SELinux label, which happens when using :Z on a mount) /tmp.
| @@ -118,15 +120,18 @@ define run-in-test-client | |||
| -v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \ | |||
| -v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \ | |||
| -v ${HOME}/.kube:/home/user/.kube${VOLUME_MOUNT} \ | |||
| -v /tmp:/tmp${VOLUME_MOUNT} \ | |||
There was a problem hiding this comment.
Same as above.
yann-soubeyrand
force-pushed
the
build-with-selinux
branch
from
5dcb2b2 to
6d3e614
Compare
yann-soubeyrand
changed the title
Codecov ReportPatch coverage has no change and project coverage change:
Additional details and impacted files@@ Coverage Diff @@
## master #13003 +/- ##
==========================================
- Coverage 49.05% 49.04% -0.01%
==========================================
Files 246 246
Lines 42569 42569
==========================================
- Hits 20882 20879 -3
- Misses 19572 19574 +2
- Partials 2115 2116 +1 see 2 files with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report in Codecov by Sentry. |
yann-soubeyrand
force-pushed
the
build-with-selinux
branch
from
6d3e614 to
1ac4801
Compare
| if test "$(id -u)" == "0" -a "${USER_ID}" != ""; then | ||
| useradd -u ${USER_ID} -d /home/user -s /bin/bash ${USER_NAME:-default} | ||
| chown -R "${USER_NAME:-default}" ${GOCACHE} | ||
| fi | ||
|
|
There was a problem hiding this comment.
I’m not sure to understand this: the user is already created in the Dockerfile and Docker is explicitly run with a user ID, so this condition evaluates to false. In addition, it breaks with Podman, because Podman, while running unprivileged, appears to run as root from the container point of view (root being in fact mapped to the host user ID).
It seems impossible to use BuildKit at the time on a system with SELinux: moby/buildkit#2320. In the meantime, one can use Podman on these systems. Signed-off-by: Yann Soubeyrand <yann.soubeyrand@camptocamp.com>
yann-soubeyrand
force-pushed
the
build-with-selinux
branch
from
1ac4801 to
7e7b7ff
Compare
I came across this issue #3683 and I saw the fix seemed to be easy. I took 10 minutes to do the modifications to the code, but then I had a hard time building an image using the Makefile.
My workstation runs on Fedora 38 with SELinux in enforcing mode (the default) and it seems impossible to use BuildKit at the time on a system with SELinux: moby/buildkit#2320. In the meantime, one can use Podman on these systems.
Note on DCO:
If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.
Checklist:
Please see Contribution FAQs if you have questions about your pull-request.