New version of container-selinux required
#573
Assignees
Labels
Milestone
Comments
NicolasT
added a commit
that referenced
this issue
Feb 13, 2019
The default `container-selinux` policies as provided by CentOS (2.74) are not compatible with `containerd`/`runc` (AVC denials when `runc` attempts to `setattr` on `fifo_file` resources, see links below). This PR forces the install of a third-party package (so this introduces some technical debt...), and includes a simple test-script (to be invoked manually) to check `containerd` is working correctly. Fixes: #573 See: containers/podman#1980 See: containers/container-selinux@ae6e25b
This was referenced Feb 13, 2019
NicolasT
added a commit
that referenced
this issue
Feb 13, 2019
The default `container-selinux` policies as provided by CentOS (2.74) are not compatible with `containerd`/`runc` (AVC denials when `runc` attempts to `setattr` on `fifo_file` resources, see links below). This PR forces the install of a third-party package (so this introduces some technical debt...), and includes a simple test-script (to be invoked manually) to check `containerd` is working correctly. Fixes: #573 See: containers/podman#1980 See: containers/container-selinux@ae6e25b
sayf-eddine-scality
pushed a commit
that referenced
this issue
Feb 14, 2019
The default `container-selinux` policies as provided by CentOS (2.74) are not compatible with `containerd`/`runc` (AVC denials when `runc` attempts to `setattr` on `fifo_file` resources, see links below). This PR forces the install of a third-party package (so this introduces some technical debt...), and includes a simple test-script (to be invoked manually) to check `containerd` is working correctly. Fixes: #573 See: containers/podman#1980 See: containers/container-selinux@ae6e25b
|
Closed by #574 |
NicolasT
added a commit
that referenced
this issue
Jul 4, 2019
The upstream CentOS 'extras' repository now ships `container-selinux-2.99-1.el7_6.noarch` which is sufficiently new enough (i.e., >= 2.77) for `containerd` to work properly. As a result, we no longer need the version from ScientificLinux. Since this was the only package in the `metalk8s-external` repository, this whole repository and the build infrastructure coming with it is now gone. Fixes: #575 See: #575 See: #573 See: #574
NicolasT
added a commit
that referenced
this issue
Jul 4, 2019
The upstream CentOS 'extras' repository now ships `container-selinux-2.99-1.el7_6.noarch` which is sufficiently new enough (i.e., >= 2.77) for `containerd` to work properly. As a result, we no longer need the version from ScientificLinux. Since this was the only package in the `metalk8s-external` repository, this whole repository and the build infrastructure coming with it is now gone. Fixes: #575 See: #575 See: #573 See: #574
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As discussed in #553 (review). The current upstream version of
container-selinux, 2.74-1, isn't compatible withcontainerd. We need 2.77-1 or newer.The spec-file for this version is in the CentOS Git repository, but no builds seem to be available. However, there's a ScientificLinux build at ftp://ftp.pbone.net/mirror/ftp.scientificlinux.org/linux/scientific/7x/external_products/extras/x86_64/container-selinux-2.77-1.el7_6.noarch.rpm
Would be good to have a script to test
containerdfunctionality, until we have better testing infrastructure in place.The text was updated successfully, but these errors were encountered: