
[0.10 backport] Make SELinux labels opt-in (--oci-worker-selinux=<BOOL>) #3255

Merged
merged 2 commits into from
Nov 10, 2022

Conversation

AkihiroSuda
Member

@AkihiroSuda AkihiroSuda commented Nov 3, 2022

Cherry-pick

Cherry-picking #3203 was not clean, and the conflict was resolved by removing `NetworkProviders: np`

$ git cherry-pick -xsS bd57e5f6b8d0f9583c1f20cbe4867b0138848920
Auto-merging cmd/buildkitd/config/config.go
Auto-merging cmd/buildkitd/main_containerd_worker.go
Auto-merging cmd/buildkitd/main_oci_worker.go
Auto-merging executor/containerdexecutor/executor.go
Auto-merging executor/runcexecutor/executor.go
Auto-merging worker/containerd/containerd.go
CONFLICT (content): Merge conflict in worker/containerd/containerd.go
Auto-merging worker/containerd/containerd_test.go
Auto-merging worker/runc/runc.go
Auto-merging worker/runc/runc_test.go
error: could not apply bd57e5f6... Make SELinux labels opt-in (`--oci-worker-selinux=<BOOL>`)
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".

$ git diff
diff --cc worker/containerd/containerd.go
index 7ccb8174,a829d457..00000000
--- a/worker/containerd/containerd.go
+++ b/worker/containerd/containerd.go
@@@ -131,20 -133,21 +133,38 @@@ func newContainerd(root string, client 
        }
  
        opt := base.WorkerOpt{
++<<<<<<< HEAD
 +              ID:             id,
 +              Labels:         xlabels,
 +              MetadataStore:  md,
 +              Executor:       containerdexecutor.New(client, root, "", np, dns, apparmorProfile, traceSocket, rootless),
 +              Snapshotter:    snap,
 +              ContentStore:   cs,
 +              Applier:        winlayers.NewFileSystemApplierWithWindows(cs, df),
 +              Differ:         winlayers.NewWalkingDiffWithWindows(cs, df),
 +              ImageStore:     client.ImageService(),
 +              Platforms:      platforms,
 +              LeaseManager:   lm,
 +              GarbageCollect: gc,
 +              ParallelismSem: parallelismSem,
 +              MountPoolRoot:  filepath.Join(root, "cachemounts"),
++=======
+               ID:               id,
+               Labels:           xlabels,
+               MetadataStore:    md,
+               NetworkProviders: np,
+               Executor:         containerdexecutor.New(client, root, "", np, dns, apparmorProfile, selinux, traceSocket, rootless),
+               Snapshotter:      snap,
+               ContentStore:     cs,
+               Applier:          winlayers.NewFileSystemApplierWithWindows(cs, df),
+               Differ:           winlayers.NewWalkingDiffWithWindows(cs, df),
+               ImageStore:       client.ImageService(),
+               Platforms:        platforms,
+               LeaseManager:     lm,
+               GarbageCollect:   gc,
+               ParallelismSem:   parallelismSem,
+               MountPoolRoot:    filepath.Join(root, "cachemounts"),
++>>>>>>> bd57e5f6 (Make SELinux labels opt-in (`--oci-worker-selinux=<BOOL>`))
        }
        return opt, nil
  }
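Review bot: the hunk still carries unresolved conflict markers (`<<<<<<< HEAD` through `>>>>>>> bd57e5f6`), so the committed resolution needs to keep the incoming side's `selinux` argument in `containerdexecutor.New(client, root, "", np, dns, apparmorProfile, selinux, traceSocket, rootless)` while dropping the `NetworkProviders: np` line, since `base.WorkerOpt` on the HEAD side of this branch has no such field; the resolved struct literal should read as the HEAD block with `selinux` inserted between `apparmorProfile` and `traceSocket`. Because `worker/runc/runc.go`, `worker/runc/runc_test.go` and `worker/containerd/containerd_test.go` auto-merged rather than conflicting, it is worth confirming that the runc executor constructor received the matching `selinux` parameter and that both test files still compile against the changed signatures, as an auto-merge only guarantees textual, not semantic, agreement.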

crazy-max and others added 2 commits November 3, 2022 08:59
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit de2d60c)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Fix issue 3202

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit bd57e5f)
(cherry-pick was not clean)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda AkihiroSuda changed the title [v0.10] Make SELinux labels opt-in (--oci-worker-selinux=<BOOL>) [0.10 backport] Make SELinux labels opt-in (--oci-worker-selinux=<BOOL>) Nov 3, 2022
@tonistiigi
Member

I don't think this qualifies for backport. Doesn't look like a regression fix or critical bugfix.

Also, there are no more v0.10 releases planned atm.

@AkihiroSuda
Member Author

AkihiroSuda commented Nov 3, 2022

I don't think this qualifies for backport. Doesn't look like a regression fix or critical bugfix.

This PR is critical for running BuildKit on SELinux-enabled hosts such as Fedora and EL:

(Regression since d9834f8)

Some workarounds are added in containers/container-selinux#193, but the container-selinux side workarounds still do not work with RUN --mount=type=secret, etc. (see containers/container-selinux#193 (comment))

(Also it will take long until the container-selinux update gets delivered into EL users)

Also, there are no more v0.10 releases planned atm.

Any chance to reconsider this? 🙏

@tonistiigi
Member

(Regression since d9834f8)

That means it was already in v0.9. If this affects dockerd vendor then it could be a regression as that is an update from v0.8, but I don't think it does.

Any chance to reconsider this?

I think we should push for a new feature release instead

@AkihiroSuda
Member Author

This is a regression in v0.9 for non-Docker standalone buildkitd

I think we should push for a new feature release instead

Is there an ETA?

@tonistiigi
Member

Is there an ETA?

Hopefully rc in ~2 weeks. From our side, we are ready when sbom/provenance PRs get in. Still hoping for that Dockerfile.pin PR though.

@AkihiroSuda
Member Author

The pin PR is not for v0.11, sorry.
