SQUASH: Things under review
Fixes: #5802

Signed-off-by: Lukáš Doktor <[email protected]>
ldoktor committed Dec 12, 2023
1 parent b496368 commit dbdd53a
Showing 2 changed files with 8 additions and 4 deletions.
@@ -1,7 +1,7 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: restorecon-daemonset
name: relabel-selinux-daemonset
namespace: kube-system
spec:
selector:
Expand All @@ -15,8 +15,8 @@ spec:
serviceAccountName: kata-deploy-sa
hostPID: true
containers:
- name: restorecon-container
- name: relabel-selinux-container
image: alpine
securityContext:
privileged: true
command: ["/bin/sh", "-c", "nsenter --target 1 --mount bash -c \"semanage fcontext -a -t qemu_exec_t '/(.*/)?opt/kata/share/kata-.*(/.*)?(/.*)?'; semanage fcontext -a -t qemu_exec_t '/(.*/)?opt/kata/share/ovmf(/.*)?'; semanage fcontext -a -t qemu_exec_t '/(.*/)?opt/kata/share/tdvf(/.*)?'; semanage fcontext -a -t qemu_exec_t '/(.*/)?opt/kata/libexec(/.*)?; restorecon -v -R /opt/kata\"; sleep infinity"]
command: ["/bin/sh", "-c", "nsenter --target 1 --mount bash -xc \"for ENTRY in '/(.*/)?opt/kata/share/kata-.*(/.*)?(/.*)?' '/(.*/)?opt/kata/share/ovmf(/.*)?' '/(.*/)?opt/kata/share/tdvf(/.*)?' '/(.*/)?opt/kata/libexec(/.*)?'; do semanage fcontext -a -t qemu_exec_t \\\"\\$ENTRY\\\"; done; restorecon -v -R /opt/kata\"; echo NSENTER_FINISHED_WITH: $?; sleep infinity"]
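Review bot: The status printed by `echo NSENTER_FINISHED_WITH: $?` in the new `command` is only that of the last command in the `bash -xc` string, `restorecon -v -R /opt/kata`, so a `semanage fcontext -a` that fails inside the `for ENTRY` loop never shows up in the marker. Running the inner shell as `bash -xec` instead of `bash -xc` would stop at the first failing `semanage` and let the marker carry that status; if `semanage fcontext -a` returns non-zero for a rule that already exists (likely on a re-run, worth confirming), that case needs an explicit exception. Separately, this container runs with `privileged: true` and `hostPID: true` and enters PID 1's mount namespace, yet `image: alpine` has no tag or digest. Pinning it, e.g. `image: alpine@sha256:<digest>`, would keep what runs with host-level access on each node reproducible.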
6 changes: 5 additions & 1 deletion .ci/openshift-ci/cluster/install_kata.sh
Expand Up @@ -184,4 +184,8 @@ fi

# FIXME: Remove when https://github.com/kata-containers/kata-containers/pull/8417 is resolved
# Selinux context is currently not handled by kata-deploy
oc apply -f ${deployments_dir}/relable_selinux.yaml
oc apply -f ${deployments_dir}/relabel_selinux.yaml
( for I in $(seq 3); do
sleep 10
oc logs -n kube-system ds/relabel-selinux-daemonset | grep "NSENTER_FINISHED_WITH:" && exit
done ) || { echo "Selinux relabel failed, check the logs"; exit -1; }
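Review bot: The wait loop treats any `NSENTER_FINISHED_WITH:` line as success, because the `grep` matches the marker without looking at the status after it, so a relabel that ended with a non-zero code still lets the install continue with mislabeled files under /opt/kata. Matching the successful value only, `oc logs -n kube-system ds/relabel-selinux-daemonset | grep -q "NSENTER_FINISHED_WITH: 0" && exit`, would make a failed relabel run into the error branch. `oc logs` on a `ds/` reference appears to read a single pod, so on a multi-node cluster only one node is checked; this should be confirmed, and the check should iterate over the daemonset's pods if every node must be relabeled. `exit -1` is not portable across shells; `exit 1` states the intent.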
