Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SELinux with docker needs :Z volume mount option #1663

Closed
ehaupt opened this issue Oct 19, 2021 · 0 comments
Closed

SELinux with docker needs :Z volume mount option #1663

ehaupt opened this issue Oct 19, 2021 · 0 comments

Comments

@ehaupt
Copy link
Contributor

ehaupt commented Oct 19, 2021
edited
Loading

When using SELinux with docker, volumes should be mounted with the :Z mount option.

This is set here:

digdag/digdag-standards/src/main/java/io/digdag/standards/command/DockerCommandExecutor.java

Lines 115 to 116 in 07c1178

command.add("-v").add(String.format(ENGLISH,
"%s:%s:rw", projectPath, projectPath)); // use projectPath to keep pb.directory() valid

When using SELinux, this should be:

            command.add("-v").add(String.format(ENGLISH,
                        "%s:%s:rw,Z", projectPath, projectPath));  // use projectPath to keep pb.directory() valid

Maybe a config option could be introduced:

_export:
  docker:
    image: "python:3.8-slim"
    pull_always: true
    selinux: true
ehaupt added a commit to ehaupt/digdag that referenced this issue Dec 6, 2021
@ehaupt
Set selinux label when mounting docker volumes
126b444 
When using selinux, docker volumes need to be mounted with :Z in order
to work properly.

Bug: treasure-data#1663
@ehaupt ehaupt mentioned this issue Dec 6, 2021
Merged
szyn pushed a commit that referenced this issue Jan 13, 2022
@ehaupt
Set selinux label when mounting docker volumes (#1676)
011d848 
* Set selinux label when mounting docker volumes

When using selinux, docker volumes need to be mounted with :Z in order
to work properly.

Bug: #1663

* Implement a config option, adjust documentation

This version implements a `selinux` boolean config option in the
docker context to enable or disable SELinux support.

Also document new configuration option.
@ehaupt ehaupt closed this as completed Jan 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ehaupt