Merge pull request #8017 from elegos/podman-volumes-extract-tarball-t…

…o-volume Podman: disable selinux labels when extracting the tarball (permissions error)
kubernetes · May 9, 2020 · 7e3da0f · 7e3da0f
2 parents 271ca3a + 9c43c47
commit 7e3da0f
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/pkg/drivers/kic/oci/volumes.go b/pkg/drivers/kic/oci/volumes.go
@@ -21,6 +21,7 @@ import (
 	"bytes"
 	"fmt"
 	"os/exec"
+	"runtime"
 	"strings"
 
 	"github.com/golang/glog"
@@ -80,7 +81,16 @@ func allVolumesByLabel(ociBin string, label string) ([]string, error) {
 // ExtractTarballToVolume runs a docker image imageName which extracts the tarball at tarballPath
 // to the volume named volumeName
 func ExtractTarballToVolume(ociBin string, tarballPath, volumeName, imageName string) error {
-	cmd := exec.Command(ociBin, "run", "--rm", "--entrypoint", "/usr/bin/tar", "-v", fmt.Sprintf("%s:/preloaded.tar:ro", tarballPath), "-v", fmt.Sprintf("%s:/extractDir", volumeName), imageName, "-I", "lz4", "-xvf", "/preloaded.tar", "-C", "/extractDir")
+	cmdArgs := []string{"run", "--rm", "--entrypoint", "/usr/bin/tar"}
+	// Podman:
+	// when selinux setenforce is enforced, normal mount will lead to file permissions error (-?????????)
+	// - option 1: label the file as container private (mount option :Z), but will alter the file in the host machine
+	// - option 2*: keep the file untouched and set --security-opt label=disable (no changes to file)
+	if ociBin == Podman && runtime.GOOS == "linux" {
+		cmdArgs = append(cmdArgs, "--security-opt", "label=disable")
+	}
+	cmdArgs = append(cmdArgs, "-v", fmt.Sprintf("%s:/preloaded.tar:ro", tarballPath), "-v", fmt.Sprintf("%s:/extractDir", volumeName), imageName, "-I", "lz4", "-xvf", "/preloaded.tar", "-C", "/extractDir")
+	cmd := exec.Command(ociBin, cmdArgs...)
 	if _, err := runCmd(cmd); err != nil {
 		return err
 	}