Detect SELinux and mount volumes appropriately
On a recent Fedora host with SELinux, I can’t access the mounted volumes for the feedstock and recipe when running run_docker_build.
Looks like recent dockers have fixed this.
Because SELinux is a Good Thing, I don’t feel like we should punish conscientious developers for running with it.
Haven’t gone down the whole rabbit hole, but I think the change would be something like this:
```sh
...
# Default to read-write; add Z (private SELinux relabel) only when SELinux is enforcing.
VOLUME_OPTIONS="rw"
if hash getenforce 2> /dev/null && getenforce | grep 'Enforcing' > /dev/null
then
    VOLUME_OPTIONS="${VOLUME_OPTIONS},Z"
fi
cat << EOF | {{ docker.executable }} run -i \
                        -v "${RECIPE_ROOT}":/home/conda/recipe_root:$VOLUME_OPTIONS \
                        -v "${FEEDSTOCK_ROOT}":/home/conda/feedstock_root:$VOLUME_OPTIONS \
                        {{ matrix_env_vars(matrix) }}
                        -a stdin -a stdout -a stderr \
                        {{ docker.image }} \
                        {{ docker.command }} || exit 1
...
```
Barring that, just letting me do VOLUME_OPTIONS=Z ./scripts/run_docker_build.sh would do the trick. Happy to PR, with whichever makes the most sense.
Issue Analytics
- State:
- Created 6 years ago
- Comments:17 (17 by maintainers)
Top GitHub Comments
Thanks @bollwyvl. I’ll leave it unscheduled for now, but would ideally like us to fix a few things and get it in 3.1.0. That all depends on how smoothly 3.0.0 goes. 🍀
This was ultimately resolved in PR ( https://github.com/conda-forge/conda-smithy/pull/888 ).
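The detection and the `VOLUME_OPTIONS` override proposed in the issue, written as standalone shell functions. This is an added example, not conda-smithy's code or the change merged in the PR; `selinux_mode`, `volume_options` and `SELINUX_MODE_OVERRIDE` are hypothetical names. The refusal to apply `Z` to system directories is an added guard, because `Z` relabels the host directory itself and relabeling a path such as `/home` or `/usr` can leave the host unusable.

```shell
#!/bin/sh
# Added example; function and variable names are hypothetical, not conda-smithy's.

# Print Enforcing, Permissive or Disabled. SELINUX_MODE_OVERRIDE is an
# assumed hook so the logic can be exercised on hosts without SELinux.
selinux_mode() {
    if [ -n "${SELINUX_MODE_OVERRIDE:-}" ]; then
        printf '%s\n' "$SELINUX_MODE_OVERRIDE"
    elif command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        printf 'Disabled\n'
    fi
}

# volume_options HOST_PATH: print the option string to append to
# `docker run -v HOST_PATH:CONTAINER_PATH:<options>`.
# A VOLUME_OPTIONS value set by the caller is used unchanged.
volume_options() {
    host_path=$1
    if [ -n "${VOLUME_OPTIONS:-}" ]; then
        printf '%s\n' "$VOLUME_OPTIONS"
        return 0
    fi
    opts="rw"
    if [ "$(selinux_mode)" = "Enforcing" ]; then
        # Resolve symlinks and relative paths when the directory exists.
        resolved=$(cd "$host_path" 2>/dev/null && pwd -P) || resolved=$host_path
        # Z gives the host directory a private container label. Refuse for
        # system directories ("" is "/" after stripping the trailing slash).
        case "${resolved%/}" in
            ""|/home|/usr|/etc|/var|/root|"${HOME%/}")
                echo "refusing to relabel system directory: $host_path" >&2
                return 1 ;;
        esac
        opts="${opts},Z"
    fi
    printf '%s\n' "$opts"
}
```

A caller would build each mount as `-v "${RECIPE_ROOT}":/home/conda/recipe_root:"$(volume_options "${RECIPE_ROOT}")"` and stop if the function returns non-zero.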