Use shared selinux context for mounts #6294

monosoul · 2022-12-04T19:11:30Z

On systems with SElinux enforcing trying to bind a path without a context will result in an error. Using shared context by default will make withFileSystemBind(String hostPath, String containerPath) method work for all systems. On Windows, Mac OS and Linux systems without SElinux it will have no effect. On systems with SElinux enforcing it will make the path accessible to the container.

On systems with SElinux enforcing trying to bind a filesystem path without a context will result in an error. Using shared context by default will make `withFileSystemBind(String hostPath, String containerPath)` method work for all systems. On Windows, Mac OS and Linux systems without SElinux it will have no effect. On systems with SElinux enforcing it will make the path accessible to the container. Signed-off-by: monosoul <Kloz.Klaud@gmail.com>

Flurb · 2023-02-07T10:21:26Z

As an SELinux user, I definitely upvote! Thanks for creating this PR!

eddumelendez · 2023-03-01T23:42:11Z

Hi, @monosoul, thanks for the PR! Unfortunately, this is a breaking change due to introducing the change will, by default, bind the filesystem instead of copying the file. This will break for those using a remote Docker. Below, you can see the logic described

testcontainers-java/core/src/main/java/org/testcontainers/containers/GenericContainer.java

Lines 1268 to 1284 in 6fe954a

    
           @Override 
        
           public SELF withClasspathResourceMapping( 
        
               final String resourcePath, 
        
               final String containerPath, 
        
               final BindMode mode, 
        
               final SelinuxContext selinuxContext 
        
           ) { 
        
               final MountableFile mountableFile = MountableFile.forClasspathResource(resourcePath); 
        
               if (mode == BindMode.READ_ONLY && selinuxContext == SelinuxContext.NONE) { 
        
                   withCopyFileToContainer(mountableFile, containerPath); 
        
               } else { 
        
                   addFileSystemBind(mountableFile.getResolvedPath(), containerPath, mode, selinuxContext); 
        
               } 
        
               return self(); 
        
           }

However, you still can use the method directly. I understand the PR aim to make this easier. Although, I think we can document this if it is not clear.

monosoul · 2023-03-02T00:49:06Z

@eddumelendez if shared context will be the default one, I could've just changed the condition there to selinuxContext == SelinuxContext.SHARED. Or am I missing something?

eddumelendez · 2023-03-02T01:08:27Z

Yes, that's right! 🤦🏽‍♂️ Sorry about that. I just tested locally and with my remote environment and all good.

eddumelendez · 2023-03-02T04:16:06Z

core/src/main/java/org/testcontainers/containers/GenericContainer.java

@@ -1274,7 +1274,7 @@ public SELF withClasspathResourceMapping(
    ) {
        final MountableFile mountableFile = MountableFile.forClasspathResource(resourcePath);

-        if (mode == BindMode.READ_ONLY && selinuxContext == SelinuxContext.NONE) {
+        if (mode == BindMode.READ_ONLY && selinuxContext == SelinuxContext.SHARED) {


I'm fine updating addFileSystemBind but with withClasspathResourceMapping, I'm still thinking about it... This will promote copying resources instead of binding filesystem and current source code with those condition will do so. The only scenario to bind filesystem would be with BindMode.READ_WRITE. Ping to @kiview and @bsideup in case I'm missing something.

eddumelendez · 2023-06-20T17:56:11Z

Superseded by #7187

monosoul requested a review from a team as a code owner December 4, 2022 19:11

monosoul changed the title ~~Use shared selinux context for filesystem binds~~ Use shared selinux context for mounts Dec 5, 2022

monosoul force-pushed the patch-2 branch from 49d2d66 to cd46429 Compare December 6, 2022 21:06

monosoul force-pushed the patch-2 branch from cd46429 to eb6a1d0 Compare December 6, 2022 21:12

monosoul added 3 commits December 9, 2022 17:22

Merge branch 'main' into patch-2

0ff9de1

Merge branch 'main' into patch-2

9e21007

Merge branch 'main' into patch-2

66e47b9

Merge branch 'main' into patch-2

04f3ccc

eddumelendez closed this Mar 1, 2023

eddumelendez reopened this Mar 2, 2023

eddumelendez added this to the next milestone Mar 2, 2023

eddumelendez added the type/enhancement label Mar 2, 2023

eddumelendez added 3 commits March 1, 2023 19:11

Update condition

1c17297

Fix test

caf655d

Fix format

c49d830

eddumelendez reviewed Mar 2, 2023

View reviewed changes

eddumelendez removed this from the next milestone Mar 8, 2023

jeroen-vd-nl mentioned this pull request Jun 12, 2023

Use SelinuxContext.SHARED by default #7187

Merged

eddumelendez closed this Jun 20, 2023

chucheng92 mentioned this pull request Nov 15, 2023

[CALCITE-6119] Upgrade testcontainers to 1.19.3 apache/calcite#3525

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use shared selinux context for mounts #6294

Use shared selinux context for mounts #6294

monosoul commented Dec 4, 2022 •

edited

Flurb commented Feb 7, 2023 •

edited

eddumelendez commented Mar 1, 2023

monosoul commented Mar 2, 2023

eddumelendez commented Mar 2, 2023

eddumelendez Mar 2, 2023

eddumelendez commented Jun 20, 2023

Use shared selinux context for mounts #6294

Use shared selinux context for mounts #6294

Conversation

monosoul commented Dec 4, 2022 • edited

Flurb commented Feb 7, 2023 • edited

eddumelendez commented Mar 1, 2023

monosoul commented Mar 2, 2023

eddumelendez commented Mar 2, 2023

eddumelendez Mar 2, 2023

Choose a reason for hiding this comment

eddumelendez commented Jun 20, 2023

monosoul commented Dec 4, 2022 •

edited

Flurb commented Feb 7, 2023 •

edited