rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-08-10 11:13:44 +00:00
Code Issues Releases Wiki Activity

Apply MCS label when privileged is false

Browse Source
This commit is contained in:
Sebastiaan van Steenis 2019-08-30 16:33:22 +02:00 committed by Alena Prokharchyk
parent 798632b3a4
commit 32bf922fc5
1 changed files with 18 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
services/services.go
View File

@ -122,22 +122,25 @@ func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config,
if len(process.RestartPolicy) > 0 { if len(process.RestartPolicy) > 0 {
hostCfg.RestartPolicy = container.RestartPolicy{Name: process.RestartPolicy} hostCfg.RestartPolicy = container.RestartPolicy{Name: process.RestartPolicy}
} }
for _, securityOpt := range host.DockerInfo.SecurityOptions { // The MCS label only needs to be applied when container is not running privileged, and running privileged negates need for applying the label
// If Docker is configured with selinux-enabled:true, we need to specify MCS label to allow files from service-sidekick to be shared between containers if !process.Privileged {
if securityOpt == "selinux" { for _, securityOpt := range host.DockerInfo.SecurityOptions {
logrus.Debugf("Found selinux in DockerInfo.SecurityOptions on host [%s]", host.Address) // If Docker is configured with selinux-enabled:true, we need to specify MCS label to allow files from service-sidekick to be shared between containers
// Check for containers having the sidekick container if securityOpt == "selinux" {
for _, volumeFrom := range hostCfg.VolumesFrom { logrus.Debugf("Found selinux in DockerInfo.SecurityOptions on host [%s]", host.Address)
if volumeFrom == SidekickContainerName { // Check for containers having the sidekick container
logrus.Debugf("Found [%s] in VolumesFrom on host [%s], applying MCSLabel [%s]", SidekickContainerName, host.Address, MCSLabel) for _, volumeFrom := range hostCfg.VolumesFrom {
hostCfg.SecurityOpt = []string{MCSLabel} if volumeFrom == SidekickContainerName {
logrus.Debugf("Found [%s] in VolumesFrom on host [%s], applying MCSLabel [%s]", SidekickContainerName, host.Address, MCSLabel)
hostCfg.SecurityOpt = []string{MCSLabel}
}
} }
} // Check for sidekick container itself
// Check for sidekick container itself if value, ok := imageCfg.Labels[ContainerNameLabel]; ok {
if value, ok := imageCfg.Labels[ContainerNameLabel]; ok { if value == SidekickContainerName {
if value == SidekickContainerName { logrus.Debugf("Found [%s=%s] in Labels on host [%s], applying MCSLabel [%s]", ContainerNameLabel, SidekickContainerName, host.Address, MCSLabel)
logrus.Debugf("Found [%s=%s] in Labels on host [%s], applying MCSLabel [%s]", ContainerNameLabel, SidekickContainerName, host.Address, MCSLabel) hostCfg.SecurityOpt = []string{MCSLabel}
hostCfg.SecurityOpt = []string{MCSLabel} }
} }
} }
} }