
Add granular control of SELinux labels for host mounts #19839

Merged
merged 14 commits into from
Feb 5, 2024

Conversation

@Juanadelacuesta (Member) commented Jan 29, 2024

Currently, when using the podman task driver plugin, if the selinuxlabel = "z" option is present in the volume configuration, all the host volume mounts will be forced to use the SELinux shared volume context.

There is no way for operators to use the csi-hostpath plugin or any type of mount that is not compliant with the SELinux security, or to mount a private volume. This PR introduces a new configuration option that can be set per volume mount, allowing a different SELinux context to be set for each volume.

There will also be a PR on the nomad-driver-podman to read and apply the new configuration.

Closes:
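The validation that the review threads below discuss (sentinel errors matched with errors.Is, collecting every problem into one error instead of appending to mErr.Errors, and accepting only a small set of label values) together with the point that the label has to reach the mount the driver sets up, as an added Go example. This is not Nomad's own code: the VolumeMount type, the propagation-mode list, the accepted label set ("", "z", "Z") and the BindMountSpec helper are assumptions made for the example, and errors.Join stands in for the go-multierror package the suggestion uses.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors, named after the ones quoted in the review thread so that
// callers can match them with errors.Is.
var (
	errVolMountEmptyVol               = errors.New("volume mount references an empty volume")
	errVolMountInvalidPropagationMode = errors.New("volume mount has an invalid propagation mode")
	errVolMountInvalidSELinuxLabel    = errors.New("volume mount has an invalid SELinux label")
)

// VolumeMount is a cut-down stand-in for the jobspec volume_mount block,
// carrying the per-mount SELinuxLabel field this PR adds.
type VolumeMount struct {
	Volume          string
	Destination     string
	ReadOnly        bool
	PropagationMode string
	SELinuxLabel    string
}

// MountPropagationModeIsValid accepts the empty string (driver default) and
// Nomad's three propagation modes.
func (v *VolumeMount) MountPropagationModeIsValid() bool {
	switch v.PropagationMode {
	case "", "private", "host-to-task", "bidirectional":
		return true
	}
	return false
}

// SELinuxLabelIsValid accepts the empty string (leave the host context alone),
// "z" (shared content, relabeled so several containers may use it) and "Z"
// (private content, relabeled for this container only). Assumption: these are
// the bind-mount label options of the container runtime the PR targets.
func (v *VolumeMount) SELinuxLabelIsValid() bool {
	switch v.SELinuxLabel {
	case "", "z", "Z":
		return true
	}
	return false
}

// Validate reports every problem at once. errors.Join is used as a
// standard-library stand-in for multierror.Append: the result stays flat, and
// errors.Is still reaches each sentinel through the %w wrapping.
func (v *VolumeMount) Validate() error {
	var errs []error
	if v.Volume == "" {
		errs = append(errs, errVolMountEmptyVol)
	}
	if !v.MountPropagationModeIsValid() {
		errs = append(errs, fmt.Errorf("%w: %q", errVolMountInvalidPropagationMode, v.PropagationMode))
	}
	if !v.SELinuxLabelIsValid() {
		errs = append(errs, fmt.Errorf("%w: %q", errVolMountInvalidSELinuxLabel, v.SELinuxLabel))
	}
	return errors.Join(errs...) // nil when nothing was appended
}

// BindMountSpec renders the mount as a runtime-style "src:dst[:opt,...]"
// string, adding "ro" and the SELinux label only when they are set. A mount
// without a label, or with "Z", therefore never picks up the shared "z"
// context that used to be applied to every host mount.
func BindMountSpec(hostPath string, v *VolumeMount) string {
	spec := hostPath + ":" + v.Destination
	var opts []string
	if v.ReadOnly {
		opts = append(opts, "ro")
	}
	if v.SELinuxLabel != "" {
		opts = append(opts, v.SELinuxLabel)
	}
	if len(opts) > 0 {
		spec += ":" + strings.Join(opts, ",")
	}
	return spec
}

func main() {
	// Constructed sample mounts: one valid private mount and one with every
	// field wrong, to show the joined error text.
	private := &VolumeMount{Volume: "data", Destination: "/data", ReadOnly: true, SELinuxLabel: "Z"}
	fmt.Println(BindMountSpec("/srv/data", private), private.Validate())

	broken := &VolumeMount{Destination: "/x", PropagationMode: "rshared", SELinuxLabel: "zz"}
	err := broken.Validate()
	fmt.Println(err)
	fmt.Println(errors.Is(err, errVolMountInvalidSELinuxLabel)) // true
}
```

The test-table shape from the review thread (`errors.Is(err, tc.expectedErr)`) works against this Validate because each sentinel is wrapped with %w and joined rather than formatted into a string; a label other than the accepted set fails validation before any mount is built.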

@hashicorp-cla

hashicorp-cla commented Jan 29, 2024

CLA assistant check
All committers have signed the CLA.

@tgross (Member) left a comment

LGTM for the jobspec addition. But I think we want to add support for this flag with the docker driver (and maybe exec/java drivers too?) by making sure it's provided to the mounts the driver sets up (ex. driver.go#L1181-L1186)

Also, I think this might close out #9123 too. Probably a good idea to do a quick search through open issues to see if there are others.

@@ -42,4 +42,4 @@ job "example" {
}
}
}
}
}
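Review bot: the hunk `@@ -42,4 +42,4 @@ job "example" {` shows five `}` lines for a four-line region on each side with no visible content difference, which is the shape of a change to the trailing newline at end of file; keep the final newline in the file (POSIX text files end with one) so this hunk disappears from the diff.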
Member

Little bit of debris to cleanup here.

Member Author

I can't remove it :s

Member

You can remove it if you flatten the commits. Or you can update your editor config so that you make sure it's always adding the newline at EOF (you want that for POSIX compliance... run wc -l on this file and you'll see it's one line short!)

nomad/structs/volumes.go (outdated thread, resolved)
nomad/structs/volumes.go (outdated thread, resolved)

Comment on lines +225 to +228:

```go
err := tc.volMount.Validate()
if !errors.Is(err, tc.expectedErr) {
	t.Fatalf("expected error %v, got %v", tc.expectedErr, err)
}
```
Member

Can be shortened to something like must.ErrorIs(t, tc.expectedErr, err)

Member Author

must.ErrorIs doesn't work here, probably something with the unwrapping of the errors.

@shoenig (Member) left a comment

LGTM!

```go
	mErr.Errors = append(mErr.Errors, fmt.Errorf("Volume Mount (%d) references undefined volume %s", idx, vm.Volume))
} else if err := vm.Validate(); err != nil {
	mErr.Errors = append(mErr.Errors, fmt.Errorf("Volume Mount (%d) is invalid: \"%w\"", idx, err))
```
Contributor

Do you have an example of what this error looks like? I'm not sure why we do it in so many parts of the code, but appending directly to mErr.Errors usually results in a bad error hierarchy.

Member Author

It is actually called in the task group validation test; it should not be a problem.

Comment on lines 289 to 297:

```go
	mErr.Errors = append(mErr.Errors, errVolMountEmptyVol)
}

if !v.MountPropagationModeIsValid() {
	mErr.Errors = append(mErr.Errors, fmt.Errorf("%w: %q", errVolMountInvalidPropagationMode, v.PropagationMode))
}

if !v.SELinuxLabelIsValid() {
	mErr.Errors = append(mErr.Errors, fmt.Errorf("%w: \"%s\"", errVolMountInvalidSELinuxLabel, v.SELinuxLabel))
```
Contributor

Suggested change (current lines first, proposed replacement second):

```go
	mErr.Errors = append(mErr.Errors, errVolMountEmptyVol)
}
if !v.MountPropagationModeIsValid() {
	mErr.Errors = append(mErr.Errors, fmt.Errorf("%w: %q", errVolMountInvalidPropagationMode, v.PropagationMode))
}
if !v.SELinuxLabelIsValid() {
	mErr.Errors = append(mErr.Errors, fmt.Errorf("%w: \"%s\"", errVolMountInvalidSELinuxLabel, v.SELinuxLabel))
```

```go
	mErr = multierror.Append(mErr, errVolMountEmptyVol)
}
if !v.MountPropagationModeIsValid() {
	mErr = multierror.Append(mErr, fmt.Errorf("%w: %q", errVolMountInvalidPropagationMode, v.PropagationMode))
}
if !v.SELinuxLabelIsValid() {
	mErr = multierror.Append(mErr, fmt.Errorf("%w: \"%s\"", errVolMountInvalidSELinuxLabel, v.SELinuxLabel))
```

Since this is new code, we may as well use the nicer method 😄

website/content/docs/job-specification/volume_mount.mdx (outdated thread, resolved)
Juanadelacuesta and others added 3 commits January 31, 2024 10:04
Co-authored-by: Tim Gross <tgross@hashicorp.com>
Co-authored-by: Tim Gross <tgross@hashicorp.com>
@Juanadelacuesta Juanadelacuesta merged commit 120c3ca into main Feb 5, 2024
21 checks passed
@Juanadelacuesta Juanadelacuesta deleted the f-volume-mount-label branch February 5, 2024 09:05
nvanthao pushed a commit to nvanthao/nomad that referenced this pull request Mar 1, 2024
Add new configuration option on task's volume_mounts, to give a fine grained control over SELinux "z" label

* Update website/content/docs/job-specification/volume_mount.mdx

Co-authored-by: Luiz Aoqui <luiz@hashicorp.com>

* fix: typo

* func: make volume mount verification happen even on  mounts with no volume

---------

Co-authored-by: Luiz Aoqui <luiz@hashicorp.com>
Co-authored-by: Tim Gross <tgross@hashicorp.com>
@Juanadelacuesta Juanadelacuesta added the backport/1.7.x backport to 1.7.x release line label Apr 17, 2024
Labels
backport/1.7.x backport to 1.7.x release line
5 participants