This repository has been archived by the owner on Jun 28, 2024. It is now read-only.

ci/openshift-ci: Enable selinux in CI runs #5798

Merged 1 commit on Jan 19, 2024
39 changes: 39 additions & 0 deletions .ci/openshift-ci/cluster/deployments/relabel_selinux.yaml
@@ -0,0 +1,39 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: relabel-selinux-daemonset
namespace: kube-system
spec:
selector:
matchLabels:
app: restorecon
template:
metadata:
labels:
app: restorecon
spec:
serviceAccountName: kata-deploy-sa
hostPID: true
containers:
- name: relabel-selinux-container
image: alpine
securityContext:
privileged: true
command: ["/bin/sh", "-c", "
set -e;
echo Starting the relabel;
nsenter --target 1 --mount bash -xc '
for ENTRY in \
\"/(.*/)?opt/kata/bin(/.*)?\" \
\"/(.*/)?opt/kata/runtime-rs/bin(/.*)?\" \
\"/(.*/)?opt/kata/share/kata-.*(/.*)?(/.*)?\" \
\"/(.*/)?opt/kata/share/ovmf(/.*)?\" \
\"/(.*/)?opt/kata/share/tdvf(/.*)?\" \
\"/(.*/)?opt/kata/libexec(/.*)?\";
do
semanage fcontext -a -t qemu_exec_t \"$ENTRY\" || { echo \"Error in semanage command\"; exit 1; }
done;
restorecon -v -R /opt/kata || { echo \"Error in restorecon command\"; exit 1; }
';
echo NSENTER_FINISHED_WITH: $?;
sleep infinity"]
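Review bot: with `set -e` at the top of the container command, a non-zero exit from `nsenter` terminates the outer shell before `echo NSENTER_FINISHED_WITH: $?` runs, so the marker is only ever printed with status 0 or not at all, and a failed relabel looks the same as a slow one to anything polling the logs. Suggest capturing the status explicitly, e.g. `nsenter ... || rc=$?; echo NSENTER_FINISHED_WITH: ${rc:-0}`, and having the consumer check the value rather than only the marker. Two smaller points in the same hunk: `image: alpine` is unpinned, which matters for a pod running `privileged: true` with `hostPID: true` in `kube-system` (pin a tag or digest), and `semanage fcontext -a` fails when a rule for the same pattern already exists, so a pod restart on an already relabelled node exits with "Error in semanage command" instead of converging; falling back to `semanage fcontext -m` on failure, or checking `semanage fcontext -l` first, makes the step idempotent.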
8 changes: 8 additions & 0 deletions .ci/openshift-ci/cluster/install_kata.sh
Expand Up @@ -181,3 +181,11 @@ if [ ${SELINUX_PERMISSIVE} == "yes" ]; then
# The new SELinux configuration will trigger another reboot.
wait_for_reboot
fi

# FIXME: Remove when https://github.com/kata-containers/kata-containers/pull/8417 is resolved
Member

Nitpick: My suggestion would be to convert this FIXME note into a GitHub issue, regardless of whether it will be solved soon or not.

Member

I suggest creating an issue in the tests repo and keeping a FIXME mentioning this issue in the code for greater visibility. If this code is moved to the main repo before kata-containers/kata-containers#8417 is merged, the issue will need to be converted to a kata-containers issue.

Contributor Author

ack

# Selinux context is currently not handled by kata-deploy
oc apply -f ${deployments_dir}/relabel_selinux.yaml
( for I in $(seq 30); do
sleep 10
oc logs -n kube-system ds/relabel-selinux-daemonset | grep "NSENTER_FINISHED_WITH:" && exit
done ) || { echo "Selinux relabel failed, check the logs"; exit -1; }
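Review bot: `oc logs -n kube-system ds/relabel-selinux-daemonset` returns the log of a single pod of the DaemonSet, so on a multi-node cluster this loop confirms the relabel on one node only and then lets the install continue; iterate over the pods instead (for example `oc logs -n kube-system -l app=restorecon`) and require the marker from every pod, or compare the match count with the node count. Also, the grep accepts the marker regardless of the status printed after it, so a non-zero `NSENTER_FINISHED_WITH:` value would still pass, and `exit -1` is not a valid exit status (bash reports it as 255); `exit 1` says what is meant.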
2 changes: 1 addition & 1 deletion .ci/openshift-ci/test.sh
Expand Up @@ -19,7 +19,7 @@ export PATH=/tmp/shared:$PATH
oc version || die "Test cluster is unreachable"

info "Install and configure kata into the test cluster"
export SELINUX_PERMISSIVE="yes"
export SELINUX_PERMISSIVE="no"
${script_dir}/cluster/install_kata.sh || die "Failed to install kata-containers"

info "Run test suite: $suite"
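Review bot: `export SELINUX_PERMISSIVE="no"` hardcodes enforcing mode into the test entry point with no override; `export SELINUX_PERMISSIVE="${SELINUX_PERMISSIVE:-no}"` keeps enforcing as the CI default while letting someone reproducing a denial run the same script in permissive mode without editing it. Since the `if [ ${SELINUX_PERMISSIVE} == "yes" ]` block in install_kata.sh, including its `wait_for_reboot`, is now skipped, the commit message should say that the cluster no longer reboots into permissive mode and relies on the relabel DaemonSet instead.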