#2 containers-common: create /srv/containers and /var/srv/containers
Merged 4 years ago by lsm5. Opened 4 years ago by mnguyen.
rpms/mnguyen/skopeo master into master

file modified
+10 -1
@@ -42,7 +42,7 @@ 

  Epoch: 0

  %endif

  Version: 0.1.40

- Release: 0.9.dev.git%{shortcommit0}%{?dist}

+ Release: 0.10.dev.git%{shortcommit0}%{?dist}

  Summary: Inspect container images and repositories on registries

  License: ASL 2.0

  URL: %{git0}
@@ -316,6 +316,10 @@ 

  ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm

  ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo

  

+ # shareable directory for containers

+ mkdir -p %{buildroot}/var/srv/containers

+ mkdir -p %{buildroot}/srv/containers

+ 

  # source codes for building projects

  %if 0%{?with_devel}

  install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
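Review bot: the two `mkdir -p` lines create /var/srv/containers and /srv/containers with whatever mode the build umask happens to give, and the comment calls them shareable between containers and the host, so the intended permissions should be explicit rather than inherited from the build environment, e.g. `install -d -m 0755 %{buildroot}/srv/containers`. Both paths are also spelled out literally while the surrounding lines use macros (`%{_sysconfdir}`, `%{_datadir}`, `%{gopath}`); `%{buildroot}%{_localstatedir}/srv/containers` would keep the spec consistent.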
@@ -373,6 +377,8 @@ 

  %endif

  

  %files -n containers-common

+ %dir /var/srv/containers

+ %dir /srv/containers

  %dir %{_sysconfdir}/containers

  %dir %{_sysconfdir}/containers/certs.d

  %dir %{_sysconfdir}/containers/registries.d
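Review bot: `%dir /var/srv/containers` and `%dir /srv/containers` carry no `%attr(mode,user,group)`, so the ownership and mode these shared directories ship with are whatever the buildroot had. For a directory meant as an interchange point between host and containers, pin them, e.g. `%dir %attr(0755,root,root) /srv/containers`, so that a later change in how the buildroot is populated cannot silently ship the directory group- or world-writable.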
@@ -402,6 +408,9 @@ 

  %{_datadir}/bash-completion/completions/%{name}

  

  %changelog

+ * Thu Sep 19 2019 Michael Nguyen <mnguyen@redhat.com> - 1:0.1.40-0.10.dev.git7eb5f39

+ - Add /srv/containers and /var/srv/container directories to containers-common

+ 

  * Wed Sep 18 2019 Lokesh Mandvekar (Bot) <lsm5+bot@fedoraproject.org> - 1:0.1.40-0.9.dev.git7eb5f39

  - autobuilt 7eb5f39

  
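Review bot: the changelog entry says `/var/srv/container` but the directory added in %install and %files is `/var/srv/containers`; fix the typo so the changelog names the packaged path. The version string `1:0.1.40-0.10.dev.git7eb5f39` does line up with the Release bump in the first hunk.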

Addresses:
- https://github.com/coreos/fedora-coreos-tracker/issues/42
- https://pagure.io/atomic-wg/issue/505

These directories can be the assumed default interchange point for
containers and host. SELinux labeling will be handled by

https://github.com/containers/container-selinux/pull/72

LGTM - but I am no Dan Walsh :)

I would like to know what these directories are for? It seems to me that you are setting up a couple of directories that allow all containers to communicate/attack each other in? Is that the intention? If you want these directories to be readable by all containers we could use a different label.

I think the goal is to have a directory where if you use that as a volume mount into a container you shouldn't have issues with SELinux. i.e. rather than helping a user and asking "what labels are on the directory you are using" we can inspect and see they are using /var/srv/containers and know we shouldn't be hitting issues there.

A past version of Dan Walsh had a comment on this. Dan, what do you think is the best solution to this problem?

Did not remember this discussion at all.
We already have two default labels for this.

/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)

So I guess I can live with this.

I should probably bring up Udica https://github.com/containers/udica as a possible tool we could use to make labels easier, for random directories like /home.

Building container-selinux-2.104-1.git7baad79.fc*
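The two default labels quoted above are regular-expression rules in file_contexts source (`.fc`) form. The Python below is an added example, not code from this PR or from container-selinux: it parses rules written in that `gen_context(...)` form and reports which context a path would receive. The rule table is constructed: it holds the two rules quoted in the thread plus a leading `/.*` default_t catch-all standing in for the real policy's default, and precedence is modelled as "last matching entry wins", an assumption about how libselinux resolves overlapping rules (the real matcher additionally indexes rules by their literal stem). It shows the motivation behind this PR's companion container-selinux change: neither quoted rule reaches /srv/containers or /var/srv/containers, so without a new rule a volume mount from there would not be container_file_t.

```python
"""Toy SELinux file_contexts matcher (added example; not from this PR or from
container-selinux). Models how .fc rules are applied to a path."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed rule table. The two container_file_t lines are the rules quoted
# in the discussion; the leading "/.*" catch-all is an assumption standing in
# for the policy's real default so every absolute path gets some answer.
FC_EXCERPT = """
# pattern                                        context
/.*                                              gen_context(system_u:object_r:default_t,s0)
/var/lib/containers/storage/volumes/[^/]*/.*     gen_context(system_u:object_r:container_file_t,s0)
/var/lib/origin(/.*)?                            gen_context(system_u:object_r:container_file_t,s0)
"""

# pattern, optional file-type filter (-d, --, -l, ...), then gen_context(user:role:type, level)
RULE_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,]+),([^)]+)\)\s*$")


@dataclass
class Rule:
    pattern: re.Pattern
    ftype: Optional[str]   # "-d" restricts the rule to directories; "--" to regular files, etc.
    context: str           # user:role:type:level


def parse_fc(text: str) -> list[Rule]:
    """Parse .fc-style lines, skipping blanks and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable file_contexts rule: {line!r}")
        pat, ftype, user_role_type, level = m.groups()
        rules.append(Rule(re.compile(pat), ftype, f"{user_role_type}:{level}"))
    return rules


RULES = parse_fc(FC_EXCERPT)


def label_for(path: str, rules: list[Rule] = RULES, is_dir: bool = True) -> Optional[str]:
    """Context assigned to `path`, or None when no rule matches.

    Patterns are anchored to the whole path, as setfiles/restorecon do.
    Precedence is modelled as "last matching entry wins", which is why
    file_contexts files list general rules before specific ones (assumption
    about libselinux; the real matcher also indexes rules by literal stem).
    """
    winner = None
    for rule in rules:
        if rule.ftype is not None:
            if rule.ftype == "-d" and not is_dir:
                continue
            if rule.ftype != "-d" and is_dir:
                continue
        if rule.pattern.fullmatch(path):
            winner = rule.context
    return winner


def type_of(context: Optional[str]) -> Optional[str]:
    """The SELinux type component (third field) of a context string."""
    return context.split(":")[2] if context else None


def needs_relabel(paths: list[str], rules: list[Rule] = RULES) -> list[str]:
    """Paths whose default type is not container_file_t: these need a policy
    rule (as container-selinux PR #72 adds) or an explicit relabel before a
    container can be expected to use them as a volume without denials."""
    return [p for p in paths if type_of(label_for(p, rules)) != "container_file_t"]


if __name__ == "__main__":
    candidates = [
        "/var/lib/containers/storage/volumes/db/_data",
        "/var/lib/origin",
        "/srv/containers",
        "/var/srv/containers",
    ]
    for p in candidates:
        print(f"{p:48} -> {label_for(p)}")
    print("paths with no container_file_t rule:", needs_relabel(candidates))
```

Running it lists the two quoted locations as container_file_t and both new directories as default_t in this constructed table, which is the gap the container-selinux change closes; on a real host the equivalent check is `matchpathcon` or `ls -Zd` against the directory.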

Thanks for taking a look @dwalsh! Thanks @dustymabe for covering the motivation behind this.

@mnguyen - can you rebase this?

@dwalsh bump - should this be merged!

rebased onto 68103cd

4 years ago

rebased onto 03c53f2

4 years ago

rebased onto 3d61ec8

4 years ago

comment so I can subscribe to notifications for this PR

Pull-Request has been merged by lsm5

4 years ago