feature: support selinux #4639
Draft
feature: support selinux #4639
+137
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ningmingxiao
force-pushed
the
selinux_support
branch
7 times, most recently
from
d69b7e0 to
2eaa687
Compare
ningmingxiao
changed the title
ningmingxiao
force-pushed
the
selinux_support
branch
from
2eaa687 to
1e356d6
Compare
This was referenced Dec 6, 2025
ningmingxiao
force-pushed
the
selinux_support
branch
from
1e356d6 to
56a8926
Compare
AkihiroSuda
reviewed
Dec 8, 2025
|
|
||
| func TestRunSelinuxWithSecurityOpt(t *testing.T) { | ||
| require.Not(nerdtest.NoSelinux) | ||
| base := testutil.NewBase(t) |
Member
There was a problem hiding this comment.
NewBase should not be used for new tests
AkihiroSuda
reviewed
Dec 8, 2025
| inspectCmd := base.Cmd("inspect", testContainer, "--format", "{{.State.Pid}}") | ||
| inspectRes := inspectCmd.Run() | ||
| pid := strings.TrimSpace(inspectRes.Stdout()) | ||
| cmd := exec.Command("ps", "-Z", pid) |
Member
There was a problem hiding this comment.
You can just read /proc/PID/attr/* without using ps -Z
AkihiroSuda
reviewed
Dec 8, 2025
| defer func() { | ||
| base.Cmd("rm", "-f", testContainer) | ||
| }() | ||
| inspectCmd := base.Cmd("inspect", testContainer, "--format", "{{.State.Pid}}") |
Member
There was a problem hiding this comment.
nerdctl container inspect, not nerdctl inspect
AkihiroSuda
reviewed
Dec 8, 2025
pkg/config/config.go
Outdated
| DNSOpts []string `toml:"dns_opts,omitempty"` | ||
| DNSSearch []string `toml:"dns_search,omitempty"` | ||
| DisableHCSystemd bool `toml:"disable_hc_systemd"` | ||
| SexlinuxEnabled bool `toml:"selinux_enabled"` |
AkihiroSuda
reviewed
Dec 8, 2025
| require.Not(nerdtest.NoSelinux) | ||
| base := testutil.NewBase(t) | ||
| testContainer := testutil.Identifier(t) | ||
| base.Cmd("--selinux-enabled", "run", "--name", testContainer, "-d", testutil.AlpineImage, "sleep", "infinity").AssertOK() |
Member
There was a problem hiding this comment.
For docker target, this has to be skipped, or executed with a custom daemon config
AkihiroSuda
reviewed
Dec 8, 2025
| require.Not(nerdtest.NoSelinux) | ||
| base := testutil.NewBase(t) | ||
| testContainer := testutil.Identifier(t) | ||
| base.Cmd("run", "--name", testContainer, "-d", "--security-opt", "label=type:container_t", testutil.AlpineImage, "sleep", "infinity").AssertOK() |
Member
There was a problem hiding this comment.
Doesn't this need --selinux-enabled?
AkihiroSuda
reviewed
Dec 8, 2025
| } | ||
| } | ||
|
|
||
| func TestRunSelinux(t *testing.T) { |
Member
There was a problem hiding this comment.
Maybe not really useful without :z and :Z mounts
AkihiroSuda
reviewed
Dec 8, 2025
| if err != nil { | ||
| output := strings.TrimSpace(string(stdout)) | ||
| if strings.Contains(output, "container_t") { | ||
| t.Fatal(fmt.Errorf("expect label container_t but get %s", output)) |
Member
There was a problem hiding this comment.
The uniqueness of the MCS categories have to be checked too?
AkihiroSuda
reviewed
Dec 8, 2025
| - :nerd_face: `--host-gateway-ip`: IP address that the special 'host-gateway' string in --add-host resolves to. It has no effect without setting --add-host | ||
| - Default: the IP address of the host | ||
| - :nerd_face: `--userns-remap=<username>:<groupname>`: Support idmapping of containers. This options is only supported on rootful linux for container create and run if a user name and optionally group name is passed, it does idmapping based on the uidmap and gidmap ranges specified in /etc/subuid and /etc/subgid respectively. Note: `--userns-remap` is not supported for building containers. Nerdctl Build doesn't support userns-remap feature. (format: <name|uid>[:<group|gid>]) | ||
| - :nerd_face: `--selinux-enabled`: Enable selinux support |
Member
There was a problem hiding this comment.
https://github.com/containerd/nerdctl/blob/main/docs/config.md needs to be updated too
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
ningmingxiao
force-pushed
the
selinux_support
branch
from
56a8926 to
a210aa3
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ping @AkihiroSuda