SELinux? #186

Open
aubreybailey opened this issue Jun 16, 2021 · 1 comment


@aubreybailey

I notice that this is formatting all of the "docker run -v" commands as $(PWD):/data, however in an SELinux enforcing environment Docker needs

docker run -v $(PWD):/data:Z

I realize this is probably used mostly in cloud contexts and mostly on Ubuntu, but I suspect you have some fans in HPC/edge for whom this is probably a show stopper.

Any idea how much a :Z addition breaks the normal usage, or at the very least, where I can find the -v flag to change it for my deployment?

Thanks,
Aubrey

@jvivian
Collaborator

jvivian commented Jun 16, 2021

Hi @aubreybailey,

That's a great question — I also wasn't aware of that issue with SELinux / Docker, so thank you for sharing that.

> I realize this is probably used mostly in cloud contexts and mostly on Ubuntu, but I suspect you have some fans in HPC/edge for whom this is probably a show stopper.

Although I don't typically recommend it for a variety of reasons, this might be one instance where the dockerized version of toil-rnaseq could be useful, as the docker run calls happen within the container but will spawn them as sibling containers to the parent if you forward the socket. Unfortunately, it hasn't been updated in quite a while, so I assume trying to run it will lead to its own set of problems, as the host system requires a Docker version similar to what's installed in the container and it's been a few years.

> Any idea how much a :Z addition breaks the normal usage, or at the very least, where I can find the -v flag to change it for my deployment?

This would be an easier issue to patch if toil-rnaseq didn't rely on such an old version of Toil. Newer versions of Toil modified dockerCall to act as a wrapper around the official Docker Python API, which would give you the flexibility of specifying the mount volumes, but it broke backwards compatibility.

At the moment, I do not have the bandwidth to update the existing codebase to use a newer version of Toil and Toil's updated Docker methods, but in theory it would not be too difficult:

  1. Update the version of Toil (ideally newest version)
  2. Update dockerCall to match the new API and provide an option to customize the mount directory.

I do not know what other backwards-breaking changes have been made since the version I pinned though, so it may not be so trivial depending on that. I would be happy to review a PR that makes these changes if you submit one.
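An added sketch of the mount customisation discussed in this thread (not code from toil-rnaseq or Toil): it appends the SELinux relabel flag only when the host is enforcing, and refuses to relabel system directories, since a private `:Z` label on them can break the host. The function names and deny-list are hypothetical; the dict is shaped like the `volumes` argument of the Docker SDK for Python, which is an assumption about how an updated dockerCall would pass mounts.

```python
import os

SELINUX_ENFORCE = "/sys/fs/selinux/enforce"  # contains "1" when enforcing
# Constructed deny-list: relabelling these with :Z can make the host unusable.
NEVER_RELABEL = ("/", "/home", "/usr", "/etc", "/var", "/boot", "/root")


def selinux_enforcing(path=SELINUX_ENFORCE):
    """Return True if SELinux is present and in enforcing mode."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:  # no selinuxfs: SELinux disabled or not installed
        return False


def volume_spec(host_dir, container_dir="/data", enforcing=None, shared=False):
    """Return (cli_arg, sdk_volumes) for a single bind mount.

    cli_arg is the value for `docker run -v`; sdk_volumes is the dict form.
    shared=True uses :z (label shared between containers) instead of :Z.
    """
    host_dir = os.path.realpath(host_dir)
    if enforcing is None:
        enforcing = selinux_enforcing()
    mode = "rw"
    if enforcing:
        if host_dir in NEVER_RELABEL:
            raise ValueError("refusing to relabel system directory %s" % host_dir)
        mode += ",z" if shared else ",Z"
    cli_arg = "%s:%s:%s" % (host_dir, container_dir, mode)
    sdk_volumes = {host_dir: {"bind": container_dir, "mode": mode}}
    return cli_arg, sdk_volumes


if __name__ == "__main__":
    arg, vols = volume_spec(os.getcwd())
    print("docker run -v", arg)
    print("volumes =", vols)
```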
