Fix one (of two) SELinux denials during checkpointing #2382
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mheon
reviewed
Feb 21, 2019
mheon
reviewed
Feb 21, 2019
|
@rhatdan PTAL |
adrianreber
changed the title
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
I have to remove one of the patches as the second commit telling runc which SELinux label to use is wrong. |
adrianreber
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
This PR is now only about the SELinux labelling of the CRIU logfile. It has no dependency on runc or anything else. This includes all changes from the reviews. |
rhatdan
reviewed
Feb 22, 2019
adrianreber
changed the title
|
LGTM |
| @@ -482,6 +482,19 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO | |||
| if c.state.State != ContainerStateRunning { | |||
| return errors.Wrapf(ErrCtrStateInvalid, "%q is not running, cannot checkpoint", c.state.State) | |||
| } | |||
|
|
|||
| // Create the CRIU log file and label it | |||
| dumpLog := filepath.Join(c.bundlePath(), "dump.log") | |||
|
/lgtm |
giuseppe
reviewed
Feb 26, 2019
CRIU creates a log file during checkpointing in .../userdata/dump.log. The problem with this file is, is that CRIU injects a parasite code into the container processes and this parasite code also writes to the same log file. At this point a process from the inside of the container is trying to access the log file on the outside of the container and SELinux prohibits this. To enable writing to the log file from the injected parasite code, this commit creates an empty log file and labels the log file with c.MountLabel(). CRIU uses existing files when writing it logs so the log file label persists and now, with the correct label, SELinux no longer blocks access to the log file. Signed-off-by: Adrian Reber <[email protected]>
|
Thanks. /lgtm |
|
/retest |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adrianreber, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
github-actions
bot
added
the
locked - please file new issue/PR
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the fix as discussed in #2334 and it depends on runc changes from opencontainers/runc#1992