Merge pull request #8017 from elegos/podman-volumes-extract-tarball-to-volume

Podman: disable selinux labels when extracting the tarball (permissions error)
2020-05-09 21:35:43 +00:00 · 2020-05-09 21:35:43 +00:00 · 7e3da0f8b0
parent 271ca3a7f0 9c43c47b06
commit 7e3da0f8b0
1 changed files with 11 additions and 1 deletions
--- a/pkg/drivers/kic/oci/volumes.go
+++ b/pkg/drivers/kic/oci/volumes.go
@ -21,6 +21,7 @@ import (
 	"bytes"
 	"fmt"
 	"os/exec"
+	"runtime"
 	"strings"

 	"github.com/golang/glog"
@ -80,7 +81,16 @@ func allVolumesByLabel(ociBin string, label string) ([]string, error) {
 // ExtractTarballToVolume runs a docker image imageName which extracts the tarball at tarballPath
 // to the volume named volumeName
 func ExtractTarballToVolume(ociBin string, tarballPath, volumeName, imageName string) error {
-	cmd := exec.Command(ociBin, "run", "--rm", "--entrypoint", "/usr/bin/tar", "-v", fmt.Sprintf("%s:/preloaded.tar:ro", tarballPath), "-v", fmt.Sprintf("%s:/extractDir", volumeName), imageName, "-I", "lz4", "-xvf", "/preloaded.tar", "-C", "/extractDir")
+	cmdArgs := []string{"run", "--rm", "--entrypoint", "/usr/bin/tar"}
+	// Podman:
+	// when selinux setenforce is enforced, normal mount will lead to file permissions error (-?????????)
+	// - option 1: label the file as container private (mount option :Z), but will alter the file in the host machine
+	// - option 2*: keep the file untouched and set --security-opt label=disable (no changes to file)
+	if ociBin == Podman && runtime.GOOS == "linux" {
+		cmdArgs = append(cmdArgs, "--security-opt", "label=disable")
+	}
+	cmdArgs = append(cmdArgs, "-v", fmt.Sprintf("%s:/preloaded.tar:ro", tarballPath), "-v", fmt.Sprintf("%s:/extractDir", volumeName), imageName, "-I", "lz4", "-xvf", "/preloaded.tar", "-C", "/extractDir")
+	cmd := exec.Command(ociBin, cmdArgs...)
 	if _, err := runCmd(cmd); err != nil {
 		return err
 	}