Add relabel option to secrets #1210
Conversation
|
Is this part of compose spec? Seems that no. In such case it should be named with |
Thanks for the suggestion. It is not a part of the docker-compose spec and i don't know about any equivalent option there. What about changig this to zzmount? |
|
Similar issue -- with volumes in docker was discussed here with a conclusion that the best approach is setting the se-linux labels on host. Should podman-compose or podman or something on the host relabel the files containing the secrets automagically? |
jarovo
force-pushed
the
main
branch
2 times, most recently
from
eede052 to
d8d852f
Compare
|
Sorry for delay, I will get back to this. |
docs/Extensions.md
Outdated
| custom-secret: | ||
| x-podman.relabel: z | ||
| ``` | ||
| For explanations of these extensions, please refer to the [PR discussion](https://github.com/containers/podman-compose/pull/1210). |
There was a problem hiding this comment.
This needs proper documentation, not link to PR. Copy if needed.
docs/Extensions.md
Outdated
| ```yml | ||
| secrets: | ||
| custom-secret: | ||
| x-podman.relabel: z |
There was a problem hiding this comment.
I think it makes sense to borrow values of the podman mount option (https://docs.podman.io/en/latest/markdown/podman-run.1.html#mount-type-type-type-specific-option). Bind and glob support relabel option with shared and private values possible.
|
I looked into how podman handles relabeling and it does have |
| @@ -302,6 +302,17 @@ async def test_secret_target_matches_secret_name_secret_type_not_env(self): | |||
| "file_secret", | |||
| repo_root() + "/test_dirname/my_secret:/run/secrets/file_secret:ro,rprivate,rbind", | |||
| ), | |||
| ( | |||
| "relabel", | |||
There was a problem hiding this comment.
This will need 2 cases: for private and shared relabel, because we'll be translating things to what podman understands in this context.
|
static checks test fails due to formatting. to fix it, install test-requirements.txt in your virtualenv and run |
|
I am searching for proper doc for the relabel option. Ther are It should be noted that the mount options related to shared subtrees uses the words |
Thanks. This helped. I really wasn't keen on reformatting the whole source (:+1: |
|
@jarovo I think that the current naming and meaning is correct. If we go by https://docs.podman.io/en/latest/markdown/podman-run.1.html#mount-type-type-type-specific-option, then we see that:
|
|
Here is the doc: I believe :zZ are options for podman --volume option and it actually has not much to do with private or shared mount option. Here is what mount command supports: https://www.man7.org/linux/man-pages/man8/mount.8.html note that there is no :zZ. I think podman does the magic of relabeling the contents of the mounted filesystem subtree I am happy with the curent state. We can merge. |
|
So if I understand, there is no blocker for merging this |
|
@p12tic what can I do to get this merged? Thank you. |
Reflecting changes in containers/podman-compose#1210 Signed-off-by: Jaroslav Henner <1187265+jarovo@users.noreply.github.com>
|
Sorry for delays, this is one of these more difficult PRs where I need to figure out more things than usual :-)
But If we look into podman sources, we see that |
[jhenner@vydra tmp]$ rm /tmp/foo/ -rf
[jhenner@vydra tmp]$ mkdir /tmp/foo; echo Hello world > /tmp/foo/bar
[jhenner@vydra tmp]$ ll -Z foo/bar
-rw-r--r--. 1 jhenner jhenner unconfined_u:object_r:user_tmp_t:s0 12 4. čen 12.17 foo/bar
[jhenner@vydra tmp]$ podman run -v ./foo:/foo:relabel=shared alpine cat /foo/bar
Error: invalid option type "relabel=shared"
[jhenner@vydra tmp]$ ll -Z foo/bar
-rw-r--r--. 1 jhenner jhenner unconfined_u:object_r:user_tmp_t:s0 12 4. čen 12.17 foo/barThe selinux label was not touched. Now we are talking! The files have been relabeled by something. Surely podman did this in the file you mentioned
Thanks for the sources links! I searched the options declarations in the same repo. I see Perhaps that is why only |
Indeed, podman tries to conform to docker API and docker only has z and Z in volume option (https://docs.docker.com/engine/storage/bind-mounts/#options-for---volume). So most likely podman documentation is wrong. |
| @@ -27,6 +27,14 @@ services: | |||
|
|
|||
| For explanations of these extensions, please refer to the [Podman Documentation](https://docs.podman.io/). | |||
|
|
|||
| ## Secrets | |||
| ```yml | |||
There was a problem hiding this comment.
Add:
`The following extension keys are available under secret configuration:
x-podman.relabel- Configure SELinux relabeling
For example, the following configures custom-secret to use mount with private and unshared content.
podman_compose.py
Outdated
| selinux_mount_option = selinux_relabel_to_mount_option_map[x_podman_relabel] | ||
| except KeyError as exc: | ||
| raise ValueError( | ||
| f'ERORR: Run secret "{secret_name} has invalid "relabel" option related ' |
podman_compose.py
Outdated
|
|
||
| selinux_relabel_to_mount_option_map = {None: "", "z": ",z", "Z": ",Z"} | ||
| try: | ||
| selinux_mount_option = selinux_relabel_to_mount_option_map[x_podman_relabel] |
There was a problem hiding this comment.
Maybe immediately do mount_options += selinux_relabel_to_mount_option_map[x_podman_relabel]
On selinux enabled system, the secrets cannot be read without proper relabeling or correct policy being set. This patch enables user to instruc podman-copose to use :z or :Z mount options to make podman relabel the file under bind-mount. More info here: https://unix.stackexchange.com/questions/728801/host-wide-consequences-of-setting-selinux-z-z-option-on-container-bind-mounts?rq=1 Signed-off-by: Jaroslav Henner <1187265+jarovo@users.noreply.github.com>
On selinux enabled system, the secrets cannot be read without proper relabeling or correct policy being set.
This patch enables user to instruc podman-copose to use :z or :Z --volume options to make podman relabel the file under bind-mount.
More info here:
https://unix.stackexchange.com/questions/728801/host-wide-consequences-of-setting-selinux-z-z-option-on-container-bind-mounts?rq=1
Contributor Checklist:
If this PR adds a new feature that improves compatibility with docker-compose, please add a link
to the exact part of compose spec that the PR touches.
For any user-visible change please add a release note to newsfragments directory, e.g.
newsfragments/my_feature.feature. See newsfragments/README.md for more details.
All changes require additional unit tests.