Set secontext for bind volumes in selinux enabled distros #1942
Conversation
hasan4791
force-pushed
the
issue-1882
branch
2 times, most recently
from
8e4c047
to
bbcf83f
Compare
hasan4791
changed the title
hasan4791
force-pushed
the
issue-1882
branch
3 times, most recently
from
db6121a
to
83ca1f3
Compare
|
@AkihiroSuda Could you please help me with the tests. |
This one seems flaky.
macos-13 runner for vz is known to be flaky and does not produce error logs 😞 |
.github/workflows/test.yml
Outdated
| matrix: | ||
| template: | ||
| - templates/experimental/vz.yaml | ||
| - hack/test-templates/test-vz-fedora.yaml |
There was a problem hiding this comment.
Can we just use templates/fedora.yaml ?
test-templates.sh can be modified to receive --vm-type=vz via arg or env
There was a problem hiding this comment.
Didn't know we can use like this. I'll update.
hack/test-mount-home.sh
Outdated
| @@ -24,3 +24,42 @@ if [ "$got" != "$expected" ]; then | |||
| ERROR "Home directory is not shared?" | |||
| exit 1 | |||
| fi | |||
|
|
|||
| if [ "${NAME}" == "test-vz-fedora" ]; then | |||
There was a problem hiding this comment.
Probably this should be split to hack/test-selinux.sh
hasan4791
force-pushed
the
issue-1882
branch
3 times, most recently
from
0ab4aef
to
f10c3aa
Compare
hasan4791
changed the title
|
@AkihiroSuda PTAL |
|
vz (Fedora) CI seems failing in |
hack/test-templates.sh
Outdated
| WARNING "Relaxing systemd tests for vz-fedora (For avoiding CI failure)" | ||
| CHECKS["systemd-strict"]= | ||
| CHECKS["vz-selinux"]=1 | ||
| LIMACTL_SUBCMDS=(--vm-type vz --mount-type virtiofs --rosetta --network vzNAT) |
There was a problem hiding this comment.
Can we provide this via env var?
hasan4791
force-pushed
the
issue-1882
branch
3 times, most recently
from
92e3c21
to
3936c02
Compare
|
Uff, vz ci jobs are too much flaky. |
|
Finally 🥳 |
.github/workflows/test.yml
Outdated
| - name: Make | ||
| run: make | ||
| - name: Install | ||
| run: make install | ||
| - name: Install test dependencies | ||
| run: brew install qemu bash coreutils | ||
| - name: Test | ||
| run: ./hack/test-templates.sh templates/experimental/vz.yaml | ||
| env: | ||
| ARGS: "--vm-type vz --mount-type virtiofs --rosetta --network vzNAT" |
There was a problem hiding this comment.
| ARGS: "--vm-type vz --mount-type virtiofs --rosetta --network vzNAT" | |
| LIMACTL_CREATE_ARGS: "--vm-type vz --mount-type virtiofs --rosetta --network vzNAT" |
There was a problem hiding this comment.
(These args will no longer be needed after merging:
.github/workflows/test.yml
Outdated
| - template: experimental/vz.yaml | ||
| name: default | ||
| - template: fedora.yaml | ||
| name: vz-fedora |
hack/test-templates.sh
Outdated
| @@ -389,6 +407,10 @@ if [[ -n ${CHECKS["snapshot-offline"]} ]]; then | |||
| limactl start "$NAME" | |||
| fi | |||
|
|
|||
| if [[ -n ${CHECKS["vz-selinux"]} ]]; then | |||
There was a problem hiding this comment.
This should check limactl shell "$NAME" getenforce
There was a problem hiding this comment.
We need to run this only for vz based VMs and so we filter the check based on the vm name.
There was a problem hiding this comment.
Can we just check limactl ls --json "$NAME" | jq -r .vmType ?
AkihiroSuda
added
guest/el8
hasan4791
force-pushed
the
issue-1882
branch
2 times, most recently
from
d878580
to
f8ff938
Compare
hack/test-selinux.sh
Outdated
| NAME="$1" | ||
| expected="context=system_u:object_r:container_file_t:s0" | ||
| #Skip Rosetta checks for x86 GHA mac runners | ||
| if [ "$(arch)" == "arm64" ]; then |
There was a problem hiding this comment.
| if [ "$(arch)" == "arm64" ]; then | |
| if [ "$(uname)" == "Darwin" ] && [ "$(arch)" == "arm64" ]; then |
hack/test-templates.sh
Outdated
| @@ -223,7 +230,7 @@ if [[ -n ${CHECKS["port-forwards"]} ]]; then | |||
| if [ "${NAME}" = "debian" ]; then | |||
| limactl shell "$NAME" sudo apt-get install -y netcat-openbsd | |||
| fi | |||
| if [ "${NAME}" = "fedora" ]; then | |||
| if [[ ${NAME} == *"fedora"* ]]; then | |||
| @@ -389,6 +396,10 @@ if [[ -n ${CHECKS["snapshot-offline"]} ]]; then | |||
| limactl start "$NAME" | |||
| fi | |||
|
|
|||
| if [[ $NAME == "fedora" && "$(limactl ls --json "$NAME" | jq -r .vmType)" == "vz" ]]; then | |||
There was a problem hiding this comment.
This should check limactl shell "$NAME" getenforce, not the name
There was a problem hiding this comment.
getenforce would be available on fedro based distros, hence the name is used. For other distros, we need to handle the command being not found error.
hasan4791
force-pushed
the
issue-1882
branch
3 times, most recently
from
bbe1351
to
2d73dcc
Compare
Fixes lima-vm#1882 Signed-off-by: T K Chandra Hasan <[email protected]>
Fixes #1882
Signed-off-by: T K Chandra Hasan [email protected]
The approach taken here is, once the mounts are created using the parameters in user-data, we would be unmounting the existing mounts and remounting with secontext options for selinux enabled distros. It would update the /etc/fstab file also. The context type we have taken here is container_file_t, as it would be easier to mount those directories inside the container.