Bind mount docker-puppet.py in RO without SElinux labelling

docker-puppet.sh doesn't need to be bind-mounted read-write;
read-only should be enough.
Therefore, we don't need to relabel the script when running the
container.

The background of this patch can be found here:
https://github.com/containers/libpod/issues/1844

The version of runc that is vendored in libpod is a bit old and
the labelling task isn't tied to the threads yet (done by
aa3fee6c80).

We will request an update of runc in libpod but we also want to avoid
useless RW for this bind mount, which is the goal of this patch.

Note: we also switch /etc/config.pp and /etc/puppet/ to RO, without labelling
as well.

Change-Id: I87568372e80bd8bdb17ae6396ffe5805e37359a7
Emilien Macchi 2019-01-04 10:44:48 +01:00
parent e0723c59b2
commit 21145a91b5

@ -405,8 +405,8 @@ def mp_puppet_config(*args):
'--env', 'STEP=%s' % os.environ.get('STEP', '6'),
'--env', 'NET_HOST=%s' % os.environ.get('NET_HOST', 'false'),
'--volume', '/etc/localtime:/etc/localtime:ro',
'--volume', '%s:/etc/config.pp:ro,z' % tmp_man.name,
'--volume', '/etc/puppet/:/tmp/puppet-etc/:ro,z',
'--volume', '%s:/etc/config.pp:ro' % tmp_man.name,
'--volume', '/etc/puppet/:/tmp/puppet-etc/:ro',
# OpenSSL trusted CA injection
'--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro',
'--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro',
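Review bot: the commit message says these two mounts are "switched to RO", but the removed lines already carry `ro,z` and the added lines only drop the `,z` relabel option; the message should say that only the SELinux relabelling is removed for `/etc/config.pp` and `/tmp/puppet-etc/`, since the access mode is unchanged. Because `tmp_man.name` is a temporary manifest file created on the host, dropping `z` means the container reads it with whatever host context it was created under rather than a container-accessible label; please confirm on an enforcing host that puppet inside the container can still open `/etc/config.pp`, as a denial here shows up as a read failure on the manifest rather than an obvious mount error.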
@ -416,7 +416,7 @@ def mp_puppet_config(*args):
# Syslog socket for puppet logs
'--volume', '/dev/log:/dev/log:rw',
# script injection
'--volume', '%s:%s:rw,z' % (sh_script, sh_script) ]
'--volume', '%s:%s:ro' % (sh_script, sh_script) ]
if privileged:
common_dcmd.push('--privileged')
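Review bot: the script mount changes from `rw,z` to `ro` in one step, so it loses both write access and the relabel; the read-only part matches the commit message, but as with the first hunk the script is now read under its host SELinux label, so check that the container can still execute `sh_script` at that path before relying on this in an enforcing environment. Separately, in the unchanged context `common_dcmd.push('--privileged')` is not a method on a Python list (`append` is), so the `privileged` branch would raise `AttributeError` when taken; it is outside this change but worth a follow-up fix.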