Bind mount docker-puppet.py in RO without SELinux labelling
docker-puppet.sh doesn't need to be bind-mounted in read-write,
read-only should be enough.
Therefore, we don't need to relabel the script when running the
container.
The background of this patch can be found here:
https://github.com/containers/libpod/issues/1844
The version of runc that is vendored in libpod is a bit old and
the labelling task isn't tied to the threads yet (done by
aa3fee6c80).
We will request an update of runc in libpod but we also want to avoid
useless RW for this bind mount, which is the goal of this patch.
Note: we also switch /etc/config.pp and /etc/puppet/ to RO, without labelling
as well.
Change-Id: I87568372e80bd8bdb17ae6396ffe5805e37359a7
This commit is contained in:
parent
e0723c59b2
commit
21145a91b5
@ -405,8 +405,8 @@ def mp_puppet_config(*args):
'--env', 'STEP=%s' % os.environ.get('STEP', '6'),
'--env', 'NET_HOST=%s' % os.environ.get('NET_HOST', 'false'),
'--volume', '/etc/localtime:/etc/localtime:ro',
'--volume', '%s:/etc/config.pp:ro,z' % tmp_man.name,
'--volume', '/etc/puppet/:/tmp/puppet-etc/:ro,z',
'--volume', '%s:/etc/config.pp:ro' % tmp_man.name,
'--volume', '/etc/puppet/:/tmp/puppet-etc/:ro',
# OpenSSL trusted CA injection
'--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro',
'--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro',
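Review bot: The commit message says /etc/config.pp and /etc/puppet/ are "switched to RO", but both mounts were already `ro` before this hunk (`'%s:/etc/config.pp:ro,z'` and `'/etc/puppet/:/tmp/puppet-etc/:ro,z'`); the only change here is dropping the `,z` relabel, so the message should say that instead. Without the `z` option nothing relabels the temporary manifest from `tmp_man.name` or the /etc/puppet/ tree for the container's SELinux domain, so on an enforcing host the existing labels on those paths must already be readable from inside the container; please confirm that was checked on an enforcing node and not only with SELinux permissive, since the motivating libpod issue is about the relabel step racing across threads, not about the labels being unnecessary.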
@ -416,7 +416,7 @@ def mp_puppet_config(*args):
# Syslog socket for puppet logs
'--volume', '/dev/log:/dev/log:rw',
# script injection
'--volume', '%s:%s:rw,z' % (sh_script, sh_script) ]
'--volume', '%s:%s:ro' % (sh_script, sh_script) ]
if privileged:
common_dcmd.push('--privileged')
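Review bot: Changing `'%s:%s:rw,z' % (sh_script, sh_script)` to `'%s:%s:ro'` drops both the write bit and the relabel for a script that is executed inside the container, so the file's existing SELinux label, not a relabel at run time, now decides whether the container domain may read and execute it; the commit message should state which label `sh_script` carries when docker-puppet.py writes it, so reviewers can see that `ro` without `z` is sufficient on an enforcing host. Unrelated to this change but visible in the context: `common_dcmd.push('--privileged')` is not valid for a Python list (`append` would be), and is worth a follow-up.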