Update vendor of containers/common #5367
Conversation
rhatdan
changed the title
|
@Luap99 are the errors about ipv6 being caused by pasta? |
|
Ipv6 is not an error, the problem is If you add |
|
Strange this would not happen before. Will update the Makefile to see if this fixes it. |
|
We never had running pasta tests on this repo enabled, ops. I actually added tests for but it required a new pasta version that was not in CI at that time so it got skipped. Given nobody reported this in now over 6 months that seems to indicate nobody used buildah with pasta on a selinux enabled system. Or at least nobody reported it. I guess the vast majority just uses the default which is understandable. |
Makefile
Outdated
| @@ -161,6 +161,7 @@ install.cni.sudo: gopath | |||
| .PHONY: install | |||
| install: | |||
| install -d -m 755 $(DESTDIR)/$(BINDIR) | |||
| test -z "${SELINUXOPT}" || chcon --verbose --reference=$(DESTDIR)$(BINDIR)/podman bin/buildah | |||
There was a problem hiding this comment.
SELINUXOPT is not defined in the buildah makefile so you also have to copy over
SELINUXOPT ?= $(shell test -x /usr/sbin/selinuxenabled && selinuxenabled && echo -Z)
|
No, the problem again is transition rules differing from testing and actual use. In ordinary use people run buildah directly, which means they run as unconfined_t, which is able do to what it wants. When run in tests, it is being launched as init_t which is confined. So Buildah + Pasta run within a systemd unit file would be broken by default. |
rhatdan
force-pushed
the
VENDOR
branch
2 times, most recently
from
ad46aba
to
3121a9b
Compare
Well it is broken when you run from your shell as unconfined_t, the issue is that if it is started from unconfined pasta then transitions to pasta_t and pasta_t policy seems to broken I guess? Again I need to check with pasta maintainers to see what is up with that. |
Makefile
Outdated
| @@ -162,6 +164,7 @@ install.cni.sudo: gopath | |||
| install: | |||
| install -d -m 755 $(DESTDIR)/$(BINDIR) | |||
| install -m 755 bin/buildah $(DESTDIR)/$(BINDIR)/buildah | |||
| test -z "${SELINUXOPT}" || chcon --verbose -t $(SELINUXTYPE) $(DESTDIR)/$(BINDIR)/buildah | |||
There was a problem hiding this comment.
you are only labelling the /usr/bin/buildah binary but the test run ./bin/buildah
The chcon should also be made on bin/buildah
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
[NO NEW TESTS NEEDED] Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
Oh wow, it actually passed, lots of registry flakes though. Also I find it rather concerning that a rootless buildah integration tests take over 80+ minutes. But seems like that is already the case on main so not something pasta would have caused. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Luap99, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold |
What type of PR is this?
What this PR does / why we need it:
How to verify it
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?