SELinux prevents volume mount on Fedora #2360
Comments
I tried out the below change to

I tested this out and it works to mount the volume when SELinux is enabled. I realize this may not be the full and complete fix, and that it might require some verification to see if SELinux is indeed enabled on the system before the If there are any suggestions from maintainers as to whether you'd prefer to test SELinux is enabled and whether this volume mount argument is in the right location, I can provide a PR.

I am dead in the water until this gets resolved.

Still broken on Fedora 33.

I think it's best to use

There's more at play in Fedora because it upgraded to cgroups v2 which is incompatible with Docker/Moby. To reproduce this issue:

This is still a problem with sam cli version 1.52.0. Running aws-sam-cli/samcli/local/docker/container.py, line 146 in 06d31fc:

I gave up, installed moby-engine (instead of podman) and disabled selinux for docker in
Description:
Rather than reopening #676, I'm opening a new issue for the most recent version of aws-sam-cli and docker. Issue #676 was prematurely closed in my opinion, with the explanation that the user wasn't using the "current version of sam cli".

On Fedora 32, sam local invoke fails to mount a volume due to the fact that selinux prevents access to the host directory from within the docker container unless the :z or :Z mount option is added to add the selinux label to the directory.

If I run the following sam local invoke command using SAM to locally execute the Lambda function in my test repository here, which uses a volume mount, I get the error:

[ERROR] Runtime.ImportModuleError: Unable to import module 'app': No module named 'app'

As discussed in #676, if I try to run Docker without the :z mount option I cannot read the contents of the directory:

But it can be verified that the mount works by running Docker with the :z option. If I run the following command I am able to see the contents of the mounted volume within the docker container:

Finally, if I use the command, also discussed in #676, to change the label on the directory, it allows me to run the sam local invoke command:

This appears to still be an open issue with aws-sam-cli related to the most recent version. It should be addressed by mounting with the :z or :Z mount option on Fedora or other Linuxes using SELinux.

Steps to reproduce:
sam build
sam local invoke LambdaEnvVarsFunction --event events/event.json

Observed result:
The volume mount is prevented by SELinux and the error
[ERROR] Runtime.ImportModuleError: Unable to import module 'app': No module named 'app'
is received.

Expected result:
The volume is mounted in the docker container and the sam local invoke command succeeds.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)
sam --version: SAM CLI, version 1.7.0
aws-cli/1.18.118 Python/3.8.6 Linux/5.8.16-200.fc32.x86_64 botocore/1.17.63
Docker version 19.03.11, build 42e35e6

Add --debug flag to command you are running
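One way to make the bind-mount argument SELinux-aware, as the comment above about "some verification to see if SELinux is indeed enabled" asks for. This is an added example written by the editor, not aws-sam-cli's code from container.py; the function and constant names, the unsafe-root list and the sample paths are my own assumptions. The only facts it relies on are that /sys/fs/selinux/enforce exists only when the SELinux kernel module is loaded (containing "1" for enforcing, "0" for permissive) and that docker run -v HOST:CONTAINER:ro,z asks the daemon to relabel HOST with the shared container label (Z gives this container a private MCS label). Because that relabel rewrites the labels on the host directory itself, the example refuses to do it for whole system trees such as /home or /usr, which Docker's own documentation warns can leave the host unusable.

```python
"""Build a docker bind-mount spec that adds the SELinux relabel option only
when SELinux is loaded on the host.

Added example (editor's own code, not aws-sam-cli's). Names and the
UNSAFE_RELABEL_ROOTS list are assumptions made for illustration.
"""
import posixpath
from typing import List, Optional

# selinuxfs exposes the current mode here when the SELinux module is loaded;
# the file is absent when SELinux is disabled or not built into the kernel.
SELINUX_ENFORCE_FILE = "/sys/fs/selinux/enforce"

# Relabeling these trees pushes the container label onto host system files.
# Conservative, hand-picked list (an assumption, not a Docker constant).
UNSAFE_RELABEL_ROOTS = ("/", "/usr", "/etc", "/var", "/home", "/root",
                        "/bin", "/sbin", "/lib", "/lib64")


def parse_enforce(text: Optional[str]) -> str:
    """Map the contents of the enforce file to a mode name.

    None stands for "file not present", i.e. SELinux is not loaded at all.
    """
    if text is None:
        return "disabled"
    return "enforcing" if text.strip() == "1" else "permissive"


def selinux_mode(enforce_file: str = SELINUX_ENFORCE_FILE) -> str:
    """Return "enforcing", "permissive" or "disabled" for this host."""
    try:
        with open(enforce_file, "r", encoding="ascii") as fh:
            return parse_enforce(fh.read())
    except OSError:  # missing file or unreadable selinuxfs: not loaded
        return parse_enforce(None)


def volume_arg(host_dir: str, container_dir: str, *, read_only: bool = True,
               mode: str = "disabled", private: bool = False) -> str:
    """Build the value passed to `docker run -v`.

    The relabel flag is added whenever SELinux is loaded, enforcing *or*
    permissive: labels are applied in both modes, and a permissive host only
    logs the AVC denial instead of blocking the read. `z` shares the label
    between containers, `Z` gives this container a private MCS category.
    """
    # A relative host path would silently become a *named* volume, so the
    # host directory must be absolute (docker semantics, checked up front).
    if not host_dir.startswith("/"):
        raise ValueError(f"host directory must be absolute: {host_dir!r}")
    host_dir = posixpath.normpath(host_dir)
    opts = ["ro" if read_only else "rw"]
    if mode != "disabled":
        if host_dir in UNSAFE_RELABEL_ROOTS:
            raise ValueError(f"refusing to relabel system tree {host_dir!r}")
        opts.append("Z" if private else "z")
    return f"{host_dir}:{container_dir}:{','.join(opts)}"


def docker_run_argv(image: str, host_dir: str, container_dir: str,
                    mode: Optional[str] = None) -> List[str]:
    """Assemble an argv list (for subprocess.run) that lists the mounted
    directory inside the container; mode defaults to this host's mode."""
    if mode is None:
        mode = selinux_mode()
    return ["docker", "run", "--rm", "-v",
            volume_arg(host_dir, container_dir, mode=mode),
            image, "ls", container_dir]


if __name__ == "__main__":
    # Constructed sample paths; nothing here runs docker.
    argv = docker_run_argv("lambda-python",
                           "/home/me/project/.aws-sam/build/LambdaEnvVarsFunction",
                           "/var/task")
    print(" ".join(argv))
```

Two caveats worth keeping in mind when wiring something like this into a tool: the :z relabel is persistent on the host, so it has the same effect as the manual chcon command referred to above and applies to every file under the directory, and pointing it at a home directory root rather than the build directory would relabel far more than the Lambda code. Passing the mode explicitly (as docker_run_argv allows) also keeps the behaviour testable on hosts without SELinux.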