Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: do not force :Z flag in Docker volume mount #1055

Merged
merged 1 commit into from
Nov 28, 2023
Merged

chore: do not force :Z flag in Docker volume mount #1055

merged 1 commit into from
Nov 28, 2023

Conversation

hhromic
Copy link
Contributor

@hhromic hhromic commented Nov 27, 2023
edited
Loading

Follow up on #1054
This PR adopts the approach seen in etcd for compatibilty with SELinux:
https://github.com/kubernetes/kubernetes/blob/ad9b60e2c9ddb21e8b00cabbe27e639638a0ea88/cluster/images/etcd/Makefile#L76-L81

Instead of forcing :Z, detect if SElinux is enabled and add :z on demand.
According to the documentation and multiple examples I could find, using :z seems to be less dangerous than :Z.

I tested this on my non-SELinux enabled system and the volume mount does not use :z.
I also tested by running make docker-generate SELINUX_ENABLED=1 and :z is correctly added to volume mount.

@jvillal-amp what is your opinion on using :z vs :Z?
Can you confirm if this PR still allows you to use make docker-generate in your SELinux environmnet?

EDIT: I removed the trailing slash in the volume mount source in purpose, as that is not necessary.

@hhromic
chore: do not force :Z flag in Docker volume mount
98c0a15 
* instead, detect if SElinux is enabled and add `:z` on demand

Signed-off-by: Hugo Hromic <[email protected]>
SuperQ
SuperQ approved these changes Nov 27, 2023
View reviewed changes
Copy link
Member

@SuperQ SuperQ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@SuperQ
Copy link
Member

SuperQ commented Nov 27, 2023

@jvillal-amp, how does this look to you?

@jvillal-amp
Copy link
Contributor

@jvillal-amp, how does this look to you?

Looks good to me. Thanks.

@SuperQ SuperQ merged commit 425462a into prometheus:main Nov 28, 2023
2 checks passed
@hhromic hhromic deleted the gen-docker-selinux branch November 28, 2023 10:15
@jvillal-amp
Copy link
Contributor

As a note I tested this today and works fine for me on my Fedora system with SELINUX enabled. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SuperQ SuperQ SuperQ approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hhromic @SuperQ @jvillal-amp