mirror of
https://github.com/rancher/rke.git
synced 2025-09-10 03:20:20 +00:00
Revert "Do not rewrite SELinux labels on volume mounts"
This commit is contained in:
Sebastiaan van Steenis
committed by
GitHub
GitHub
parent
e0b892247f
commit
51a6b50a84
@@ -346,16 +346,12 @@ func RunEtcdSnapshotSave(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
|
||||
}
|
||||
hostCfg := &container.HostConfig{
|
||||
Binds: []string{
|
||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
NetworkMode: container.NetworkMode("host"),
|
||||
RestartPolicy: container.RestartPolicy{Name: restartPolicy},
|
||||
}
|
||||
|
||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
||||
}
|
||||
|
||||
if once {
|
||||
log.Infof(ctx, "[etcd] Running snapshot save once on host [%s]", etcdHost.Address)
|
||||
logrus.Debugf("[etcd] Using command [%s] for snapshot save once container [%s] on host [%s]", getSanitizedSnapshotCmd(imageCfg, es.BackupConfig), EtcdSnapshotOnceContainerName, etcdHost.Address)
|
||||
@@ -417,16 +413,12 @@ func RunGetStateFileFromSnapshot(ctx context.Context, etcdHost *hosts.Host, prsM
|
||||
}
|
||||
hostCfg := &container.HostConfig{
|
||||
Binds: []string{
|
||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||
},
|
||||
NetworkMode: container.NetworkMode("host"),
|
||||
RestartPolicy: container.RestartPolicy{Name: "no"},
|
||||
}
|
||||
|
||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
||||
}
|
||||
|
||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdStateFileContainerName, etcdHost.Address); err != nil {
|
||||
return "", err
|
||||
}
|
||||
@@ -488,14 +480,11 @@ func DownloadEtcdSnapshotFromS3(ctx context.Context, etcdHost *hosts.Host, prsMa
|
||||
log.Infof(ctx, s3Logline)
|
||||
hostCfg := &container.HostConfig{
|
||||
Binds: []string{
|
||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
NetworkMode: container.NetworkMode("host"),
|
||||
RestartPolicy: container.RestartPolicy{Name: "no"},
|
||||
}
|
||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
||||
}
|
||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -547,14 +536,11 @@ func RestoreEtcdSnapshot(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
|
||||
}
|
||||
hostCfg := &container.HostConfig{
|
||||
Binds: []string{
|
||||
"/opt/rke/:/opt/rke/",
|
||||
fmt.Sprintf("%s:/var/lib/rancher/etcd", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
"/opt/rke/:/opt/rke/:z",
|
||||
fmt.Sprintf("%s:/var/lib/rancher/etcd:z", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
NetworkMode: container.NetworkMode("host"),
|
||||
}
|
||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
||||
}
|
||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdRestoreContainerName, etcdHost.Address); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -624,13 +610,10 @@ func RunEtcdSnapshotRemove(ctx context.Context, etcdHost *hosts.Host, prsMap map
|
||||
|
||||
hostCfg := &container.HostConfig{
|
||||
Binds: []string{
|
||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||
},
|
||||
RestartPolicy: container.RestartPolicy{Name: "no"},
|
||||
}
|
||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
||||
}
|
||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdSnapshotRemoveContainerName, etcdHost.Address); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -667,12 +650,9 @@ func GetEtcdSnapshotChecksum(ctx context.Context, etcdHost *hosts.Host, prsMap m
|
||||
}
|
||||
hostCfg := &container.HostConfig{
|
||||
Binds: []string{
|
||||
"/opt/rke/:/opt/rke/",
|
||||
"/opt/rke/:/opt/rke/:z",
|
||||
}}
|
||||
|
||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
||||
}
|
||||
if err := docker.DoRunContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdChecksumContainerName, etcdHost.Address, ETCDRole, prsMap); err != nil {
|
||||
return checksum, err
|
||||
}
|
||||
@@ -751,14 +731,11 @@ func StartBackupServer(ctx context.Context, etcdHost *hosts.Host, prsMap map[str
|
||||
|
||||
hostCfg := &container.HostConfig{
|
||||
Binds: []string{
|
||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
NetworkMode: container.NetworkMode("host"),
|
||||
RestartPolicy: container.RestartPolicy{Name: "no"},
|
||||
}
|
||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
||||
}
|
||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdServeBackupContainerName, etcdHost.Address); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -802,14 +779,11 @@ func DownloadEtcdSnapshotFromBackupServer(ctx context.Context, etcdHost *hosts.H
|
||||
|
||||
hostCfg := &container.HostConfig{
|
||||
Binds: []string{
|
||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||
NetworkMode: container.NetworkMode("host"),
|
||||
RestartPolicy: container.RestartPolicy{Name: "on-failure"},
|
||||
}
|
||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
||||
}
|
||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -852,13 +826,6 @@ func setEtcdPermissions(ctx context.Context, etcdHost *hosts.Host, prsMap map[st
|
||||
hostCfg := &container.HostConfig{
|
||||
Binds: []string{dataBind},
|
||||
}
|
||||
|
||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
||||
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
|
||||
logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, EtcdPermFixContainerName, etcdHost.Address)
|
||||
hostCfg.SecurityOpt = []string{SELinuxLabel}
|
||||
}
|
||||
|
||||
if err := docker.DoRunOnetimeContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdPermFixContainerName,
|
||||
etcdHost.Address, ETCDRole, prsMap); err != nil {
|
||||
return err
|
||||
|
||||
Reference in New Issue
Block a user