Rely on container-selinux for centos/fedora25/rhel #32437

Merged
merged 1 commit into from May 12, 2017

Contributor

cpuguy83 commented Apr 7, 2017

RH now provides container-selinux which provides everything we need
for docker's selinux policy. Rely on container-selinux where
available, and docker-engine-selinux when not.

This still builds the docker-engine-selinux package and presumably
makes it available, but is no longer a requirement in the
docker-engine package preferring container-selinux instead.

container-selinux is available on fedora24, however the version that
is available does not set the correct types on the dockerd binary. We
can use container-selinux and just supplement that with some of our
own policy, but for now just keep using docker-engine-selinux as is.

ping @andrewhsu @rhatdan
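
A host-side check for the dependency rule described above, added here as an example; it is not part of this PR or of Docker's packaging scripts. The function names, the treatment of Fedora releases after 25, and the default expected type `container_runtime_exec_t` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR. Names and defaults are assumptions.

# Policy package the docker-engine RPM is expected to pull in, following the
# PR description: container-selinux on CentOS, RHEL and Fedora 25,
# docker-engine-selinux elsewhere (Fedora 24 included).
# Assumption: Fedora releases after 25 are treated like 25.
expected_policy_pkg() {
    id=$1
    ver=${2%%.*}                      # major version only, e.g. 7.3 -> 7
    case "$id" in
        centos|rhel) echo container-selinux ;;
        fedora)
            if [ "${ver:-0}" -ge 25 ] 2>/dev/null; then
                echo container-selinux
            else
                echo docker-engine-selinux
            fi ;;
        *) echo docker-engine-selinux ;;
    esac
}

# Extract the type field from an SELinux context (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# 0 = type matches, 1 = mismatch, 2 = context missing or unparseable.
check_label() {
    got=$(selinux_type "$1")
    [ -n "$got" ] || return 2
    [ "$got" = "$2" ]
}

# Live check: policy package installed and dockerd carries the expected type.
# $1 overrides the expected type (the default is an assumption).
audit_host() {
    . /etc/os-release
    pkg=$(expected_policy_pkg "$ID" "$VERSION_ID")
    rpm -q "$pkg" >/dev/null 2>&1 || { echo "missing policy package: $pkg"; return 1; }
    ctx=$(stat -c %C "$(command -v dockerd)") || return 2
    check_label "$ctx" "${1:-container_runtime_exec_t}" ||
        { echo "unexpected dockerd label: $ctx"; return 1; }
    echo "ok: $pkg, $ctx"
}
```

Source the file and call `audit_host` on the host being checked; the first three functions are pure and can be exercised without SELinux present.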

thaJeztah Apr 10, 2017

Member

ping @runcom as well 👍

runcom Apr 10, 2017

Member

seems fine to me, I'll spin up a F25/F26 vm and test this out.

rhatdan Apr 10, 2017

Contributor

👍

cpuguy83 Apr 26, 2017

Contributor

Ping

Rely on container-selinux for centos/fedora25/rhel
RH now provides `container-selinux` which provides everything we need
for docker's selinux policy. Rely on `container-selinux` where
available, and `docker-engine-selinux` when not.

This still builds the `docker-engine-selinux` package and presumably
makes it available, but is no longer a requirement in the
`docker-engine` package preferring `container-selinux` instead.

`container-selinux` is available on fedora24, however the version that
is available does not set the correct types on the `dockerd` binary. We
can use `container-selinux` and just supplement that with some of our
own policy, but for now just keep using `docker-engine-selinux` as is.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

@vdemeester

LGTM 🐢
/cc @runcom

@thaJeztah thaJeztah added this to the 17.06.0 milestone May 5, 2017

andrewhsu May 10, 2017

Contributor

LGTM

stuff works:

```
$ make KEEP_BUNDLE=1 DOCKER_BUILD_PKGS='centos-7' rpm
$ docker run --rm -it -v `pwd`:/v -w /v centos:7 yum -y install bundles/latest/build-rpm/centos-7/RPMS/x86_64/docker-engine-17.06.0-*.rpm
...
Complete!
```

thaJeztah May 11, 2017

Member

Just chatted with @runcom and he may have some time tomorrow to give it a spin, so I suggest to wait until tomorrow (thanks Antonio!)

runcom May 12, 2017

Member

LGTM!

runcom approved these changes May 12, 2017

thaJeztah May 12, 2017

Member

Thank you @runcom 👍

cpuguy83 May 12, 2017

Contributor

All green.

@cpuguy83 cpuguy83 merged commit c307f45 into moby:master May 12, 2017

6 checks passed

dco-signed All commits are signed
experimental Jenkins build Docker-PRs-experimental 33471 has succeeded
janky Jenkins build Docker-PRs 42074 has succeeded
powerpc Jenkins build Docker-PRs-powerpc 2339 has succeeded
windowsRS1 Jenkins build Docker-PRs-WoW-RS1 13873 has succeeded
z Jenkins build Docker-PRs-s390x 2142 has succeeded

@cpuguy83 cpuguy83 deleted the cpuguy83:container_selinux branch May 17, 2017

cognitiaclaeves Jun 15, 2017

This looks like this has been built. Is the package released yet? I just hit this issue today, in Azure, with docker-ce-17.03.1.ce-1.el7.centos.x86_64.

cpuguy83 Jun 15, 2017

Contributor

@cognitiaclaeves It'll be in the 17.06.

cognitiaclaeves Jun 15, 2017

I see it now. Is there a workaround until then?

rhatdan Jun 15, 2017

Contributor

Container-selinux is continuously released. The latest package is in fedora-updates.

cpuguy83 Jun 16, 2017

Contributor

@cognitiaclaeves Hit what issue, exactly?

ericsysmin Jul 5, 2017

Please be aware this affects https://docs.docker.com/engine/installation/linux/docker-ce/centos/ where "Uninstall old version" causes previous up-to-date installations to be uninstalled due to changed dependency.
