#2 containers-common: create /srv/containers and /var/srv/containers
Merged a month ago by lsm5. Opened 5 months ago by mnguyen.
rpms/ mnguyen/skopeo master  into  master

file modified
+10 -1

@@ -42,7 +42,7 @@ 

  Epoch: 0

  %endif

  Version: 0.1.40

- Release: 0.9.dev.git%{shortcommit0}%{?dist}

+ Release: 0.10.dev.git%{shortcommit0}%{?dist}

  Summary: Inspect container images and repositories on registries

  License: ASL 2.0

  URL: %{git0}

@@ -316,6 +316,10 @@ 

  ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm

  ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo

  

+ # shareable directory for containers

+ mkdir -p %{buildroot}/var/srv/containers

+ mkdir -p %{buildroot}/srv/containers

+ 

  # source codes for building projects

  %if 0%{?with_devel}

  install -d -p %{buildroot}/%{gopath}/src/%{import_path}/

@@ -373,6 +377,8 @@ 

  %endif

  

  %files -n containers-common

+ %dir /var/srv/containers

+ %dir /srv/containers

  %dir %{_sysconfdir}/containers

  %dir %{_sysconfdir}/containers/certs.d

  %dir %{_sysconfdir}/containers/registries.d

@@ -402,6 +408,9 @@ 

  %{_datadir}/bash-completion/completions/%{name}

  

  %changelog

+ * Thu Sep 19 2019 Michael Nguyen <mnguyen@redhat.com> - 1:0.1.40-0.10.dev.git7eb5f39

+ - Add /srv/containers and /var/srv/container directories to containers-common

+ 

  * Wed Sep 18 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 1:0.1.40-0.9.dev.git7eb5f39

  - autobuilt 7eb5f39

  

Addresses:
- https://github.com/coreos/fedora-coreos-tracker/issues/42
- https://pagure.io/atomic-wg/issue/505

These directories can be the assumed default interchange point for
containers and host. Selinux labeling will be handled by

https://github.com/containers/container-selinux/pull/72

LGTM - but I am no Dan Walsh :)

I would like to know what these directories are for? It seems to me that you are setting up a couple of directories that allow all containers to commicate/attack each other in? Is that the intention? If you want these directories to be readable by all containers we could use a different label.

I think the goal is to have a directory where if you use that as a volume mount into a container you shouldn't have issues with SELinux. i.e. rather than helping a user and asking "what labels are on the directory you are using" we can inspect and see they are using var/srv/containers and know we shouldn't be hitting issues there.

A past version of dan walsh had a comment on this. Dan, what do you think is the best solution to this problem?

Did not remember this discussion at all.
We already have two default labels for this.

/var/lib/containers/storage/volumes/[^/]/. gen_context(system_u:object_r:container_file_t,s0)
/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)

So I guess I can live with this.

I should probably bring up Udica https://github.com/containers/udica as a possible tool we could use to make labels easier, for random directories like /home.

Building container-selinux-2.104-1.git7baad79.fc*

Thanks for taking a look @dwalsh! Thanks @dustymabe for covering the motivation behind this.

@mnguyen - can you rebase this?

@dwalsh bump - should this be merged!

rebased onto 68103cd

a month ago

rebased onto 03c53f2

a month ago

rebased onto 3d61ec8

a month ago

comment so I can subscribe to notifications for this PR

Pull-Request has been merged by lsm5

a month ago