Build fails with Podman Desktop on macOS (selinux feature)

[fwilhe]

What happened:

I'm trying to build gl on macOS using Podman Desktop.

I've freshly installed Podman Desktop and have a working setup where I have a default Podman machine and I can run Podman containers from my macOS shell.

I have a clone of the gardenlinux repo with the latest commit on main.

I'm running the build script with either the metal_dev or the vmware_dev target.

The build fails in the selinux feature with 'Invalid argument'.

Log excerpt:

[.build/vmware_dev-arm64-today-95d16344.tar 2023-06-21 08:33:22] exec: /builder/features/_selinux/exec.post
[.build/vmware_dev-arm64-today-95d16344.tar 2023-06-21 08:33:22]   setfiles: Could not set context for /loop/var/log/journal:  Invalid argument
[.build/vmware_dev-arm64-today-95d16344.tar 2023-06-21 08:33:22]   setfiles: Could not set context for /loop/var/log/apt:  Invalid argument
[.build/vmware_dev-arm64-today-95d16344.tar 2023-06-21 08:33:22]   setfiles: Could not set context for /loop/var/log/apt/history.log:  Invalid argument
... (many many similar lines)
[.build/vmware_dev-arm64-today-95d16344.tar 2023-06-21 08:33:28]   setfiles: Could not set context for /loop/etc/.pwd.lock:  Invalid argument
completed in 59 seconds

make: *** [Makefile:55: .build/vmware_dev-arm64-today-95d16344.tar] Error 255

What you expected to happen:

The build should succeed.

How to reproduce it (as minimally and precisely as possible):

Get a fresh install of Podman Desktop on macOS, create a VM with the default image (Fedora CoreOS) and try to run ./build vmware_dev or ./build metal_dev.

Anything else we need to know:

I don't yet understand how to disable individual features with the new builder.
Of course this would not fix the issue, but it would be nice to have the option to build without selinux for the time being.

Environment:

I'm running on a M1 macbook and try to build for arm64 architecture.

output of podman info:

podman_info.txt

output of podman machine info:

podman_machine_info.txt

output of podman machine list:

podman_machine_list.txt

output of the failed build:

gl-build-log.txt

[fwilhe]

Updates:

I've tried the same build using ssh on the podman machine vm to see if there might be any issues with mounting the directory from macos

The build fails there with the same error. I've even tried to run the build using sudo to see if there are any issues with permission in rootless mode, but that also failed with the same error.

I've also run the build again on an unrelated ubuntu VM (x86 arch, running not on my mac) with podman installed (rootless podman does not work there, so I've built using sudo), there the build works.

[Vincinator]

I can reproduce it on my MacBook (arm)

[Vincinator]

looks related gardenlinux/gardenlinux#1014

[nkraetzschmar]

The builder unfortunately does not work on build machines with SELinux enabled (which is the default for podman desktop). It might work on build machines running in permissive mode, but this depends on the policy loaded. So your best bet is to build with SELinux disabled.

To do this on podman desktop:

• ssh into the podman vm (podman machine ssh)
• run echo SELINUX=disabled | sudo tee /etc/selinux/config and exit the ssh connection
• restart the podman vm (podman machine stop && podman machine start)

[fwilhe]

Oh, that explained why it worked on the ubuntu vm. I was assuming it was an issue inside the build container, not on the host. Thanks.

Okay, as a workaround this seems good enough for me. On the long term this might be an issue as 'disable selinux' is not the best recommendation, is there any possibility that this can be fixed so it works with selinux in enforcing mode in the future?