cri: filter selinux xattr for image volumes
Exclude the `security.selinux` xattr when copying content from layer
storage for image volumes. This allows for the already correct label
at the target location to be applied to the copied content, thus
enabling containers to write to volumes that they implicitly expect to be
able to write to.

- Fixes containerd#5090
- See rancher/rke2#690

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
dweomer committed Aug 21, 2021
1 parent ff2e58d commit c3609ff
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/cri/opts/container.go
Expand Up @@ -115,5 +115,5 @@ func copyExistingContents(source, destination string) error {
if len(dstList) != 0 {
return errors.Errorf("volume at %q is not initially empty", destination)
}
return fs.CopyDir(destination, source)
return fs.CopyDir(destination, source, fs.WithXAttrExclude("security.selinux"))
}
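
Review bot: the new return in copyExistingContents drops `security.selinux` with no comment at the call site, so the reason (letting the label already set on the destination apply to the copied files) is recorded only in the commit message. A one-line comment above `fs.CopyDir(destination, source, fs.WithXAttrExclude("security.selinux"))`, plus a named constant for the xattr name, would keep a later cleanup from removing the option as unneeded. The commit touches this one file only, so a test that copies a source tree carrying that xattr and checks it is absent at the destination would be worth adding alongside it.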
