Properly fix podman.socket permissions in tasks containers #598

Merged 3 commits into main, Mar 13, 2024

Conversation

martinpitt
Member

See individual commits for details.

I rolled this out onto rhos-01-1, switched it back to setenforce 1, and confirmed that sudo podman exec -it cockpit-tasks-1 podman-remote --url unix:///podman.sock ps works and also doesn't leave any "AVC denied" in journalctl -f.

This gets rid of duplicating the magic number "1111" in a lot of places.
It's also a prerequisite for the next commit, as systemd doesn't like
referring to random GIDs in units.
jelly
jelly previously approved these changes Mar 13, 2024
Member

@jelly jelly left a comment

I can't say if the SELinux code is correct but if it's already deployed / tested then 👍

The `ExecStartPre=` was a quick hack, but it goes against the declared
system state and e.g. doesn't survive restarts of `podman.socket`.
Declare that properly with a unit drop-in.

When the tasks/job containers access the bind-mounted podman.sock, they
currently run into a lot of SELinux denials. This happened to work
as we have run SELinux in permissive mode on our bots in the last two
weeks (see commit c118069).

Create a proper SELinux policy plugin instead, so that we can put it
back into enforce mode.
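For illustration, here is what a socket-permission drop-in of the kind the commit message describes looks like. This is an added example, not the PR's own drop-in; the group name `tasks`, the mode, and the drop-in file name are assumptions, since the page does not show the unit contents.

```ini
# Added example (not from the PR). Intended location:
# /etc/systemd/system/podman.socket.d/10-tasks-group.conf
#
# Unlike an ExecStartPre= chown/chmod, these are properties of the
# socket unit itself, so systemd applies them every time it creates
# the listening socket, including after `systemctl restart podman.socket`.
# Group "tasks" and mode 0660 are assumptions for this example.
[Socket]
SocketUser=root
SocketGroup=tasks
SocketMode=0660
```

Apply it with `systemctl daemon-reload && systemctl restart podman.socket`, then confirm the result with `stat -c '%U:%G %a' /run/podman/podman.sock`.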
@martinpitt
Member Author

@jelly I only deployed/tested it on rhos-01-1 before, I wanted to wait for the review. I fully deployed it, and unfortunately I was missing a trivial bit -- the file: module doesn't know how to create the directory of the file you want to create. I didn't notice that as I manually created that directory for the initial experimentation, and forgot to delete it afterwards.

I rolled it out everywhere with that fix, and re-enabled SELinux on all boxes.

@martinpitt martinpitt requested a review from jelly March 13, 2024 08:41
@martinpitt martinpitt merged commit 214be0c into main Mar 13, 2024
3 checks passed
@martinpitt martinpitt deleted the socket-permissions branch March 13, 2024 08:45