-
Notifications
You must be signed in to change notification settings - Fork 53
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
image: add new
ContainerBuildable
flag to OSTreeDiskImage
One objective for bifrost images is that it should be possible to run osbuild inside a container. This can interfere with the selinux policies of the buildroot. Inside the container everything is labeled `system_u:object_r:container_files_t`. Labeling /usr/bin/osbuild as `osbuild_exec_t` is not possible in the general case because the host may not have `osbuild-selinux` installed that contains this type. The workaround is that the container labels osbuild itself as `install_exec_t`. This works fine however there is a selinux denial warning when the `{,u}mount` binary is called because the transition from `install_t`->`mount_t` is not allowed. The warning is "harmless" because `install_t` has enough privs to allow the `{,u}mount` binaries to work. To silence this warning we can label `{,u}mount` in the buildroot as `install_exec_t` directly. This commit allows to control this now via the `ContainerBuildable` flag that can be set on `manifest.Build` to enable this behavior.
- Loading branch information
Showing
5 changed files
with
176 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
package image | ||
|
||
import ( | ||
"github.com/osbuild/images/pkg/manifest" | ||
"github.com/osbuild/images/pkg/rpmmd" | ||
"github.com/osbuild/images/pkg/runner" | ||
) | ||
|
||
func MockManifestNewBuild(new func(m *manifest.Manifest, runner runner.Runner, repos []rpmmd.RepoConfig) *manifest.Build) (restore func()) { | ||
saved := manifestNewBuild | ||
manifestNewBuild = new | ||
return func() { | ||
manifestNewBuild = saved | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
package image_test | ||
|
||
import ( | ||
"math/rand" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/require" | ||
|
||
"github.com/osbuild/images/internal/workload" | ||
"github.com/osbuild/images/pkg/container" | ||
"github.com/osbuild/images/pkg/image" | ||
"github.com/osbuild/images/pkg/manifest" | ||
"github.com/osbuild/images/pkg/platform" | ||
"github.com/osbuild/images/pkg/rpmmd" | ||
"github.com/osbuild/images/pkg/runner" | ||
) | ||
|
||
func TestOSTreeDiskImageManifestSetsContainerBuildable(t *testing.T) { | ||
rng := rand.New(rand.NewSource(0)) | ||
|
||
repos := []rpmmd.RepoConfig{} | ||
r := &runner.Fedora{Version: 39} | ||
|
||
ref := "ostree/1/1/0" | ||
containerSource := container.SourceSpec{ | ||
Source: "source-spec", | ||
Name: "name", | ||
} | ||
|
||
var buildPipeline *manifest.Build | ||
restore := image.MockManifestNewBuild(func(m *manifest.Manifest, r runner.Runner, repos []rpmmd.RepoConfig) *manifest.Build { | ||
buildPipeline = manifest.NewBuild(m, r, repos) | ||
return buildPipeline | ||
}) | ||
defer restore() | ||
|
||
for _, containerBuildable := range []bool{true, false} { | ||
mf := manifest.New() | ||
img := image.NewOSTreeDiskImageFromContainer(containerSource, ref) | ||
require.NotNil(t, img) | ||
img.Platform = &platform.X86{ | ||
BasePlatform: platform.BasePlatform{ | ||
ImageFormat: platform.FORMAT_QCOW2, | ||
}, | ||
BIOS: true, | ||
UEFIVendor: "fedora", | ||
} | ||
img.Workload = &workload.BaseWorkload{} | ||
img.OSName = "osname" | ||
img.ContainerBuildable = containerBuildable | ||
|
||
_, err := img.InstantiateManifest(&mf, repos, r, rng) | ||
require.Nil(t, err) | ||
require.NotNil(t, img) | ||
require.NotNil(t, buildPipeline) | ||
|
||
require.Equal(t, buildPipeline.ContainerBuildable, containerBuildable) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
package manifest | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/stretchr/testify/require" | ||
|
||
"github.com/osbuild/images/pkg/rpmmd" | ||
"github.com/osbuild/images/pkg/runner" | ||
) | ||
|
||
func TestBuildContainerBuildableNo(t *testing.T) { | ||
repos := []rpmmd.RepoConfig{} | ||
mf := New() | ||
runner := &runner.Fedora{Version: 39} | ||
|
||
build := NewBuild(&mf, runner, repos) | ||
require.NotNil(t, build) | ||
|
||
for _, tc := range []struct { | ||
packageSpec []rpmmd.PackageSpec | ||
containerBuildable bool | ||
expectedSELinuxLabels map[string]string | ||
}{ | ||
// no pkgs means no selinux labels (container build or not) | ||
{ | ||
[]rpmmd.PackageSpec{}, | ||
false, | ||
map[string]string{}, | ||
}, | ||
{ | ||
[]rpmmd.PackageSpec{}, | ||
true, | ||
map[string]string{}, | ||
}, | ||
{ | ||
[]rpmmd.PackageSpec{{Name: "coreutils"}}, | ||
false, | ||
map[string]string{ | ||
"/usr/bin/cp": "system_u:object_r:install_exec_t:s0", | ||
}, | ||
}, | ||
{ | ||
[]rpmmd.PackageSpec{{Name: "tar"}}, | ||
false, | ||
map[string]string{ | ||
"/usr/bin/tar": "system_u:object_r:install_exec_t:s0", | ||
}, | ||
}, | ||
{ | ||
[]rpmmd.PackageSpec{{Name: "coreutils"}, {Name: "tar"}}, | ||
false, | ||
map[string]string{ | ||
"/usr/bin/cp": "system_u:object_r:install_exec_t:s0", | ||
"/usr/bin/tar": "system_u:object_r:install_exec_t:s0", | ||
}, | ||
}, | ||
{ | ||
[]rpmmd.PackageSpec{{Name: "coreutils"}}, | ||
true, | ||
map[string]string{ | ||
"/usr/bin/cp": "system_u:object_r:install_exec_t:s0", | ||
"/usr/bin/mount": "system_u:object_r:install_exec_t:s0", | ||
"/usr/bin/umount": "system_u:object_r:install_exec_t:s0", | ||
}, | ||
}, | ||
{ | ||
[]rpmmd.PackageSpec{{Name: "coreutils"}, {Name: "tar"}}, | ||
true, | ||
map[string]string{ | ||
"/usr/bin/cp": "system_u:object_r:install_exec_t:s0", | ||
"/usr/bin/mount": "system_u:object_r:install_exec_t:s0", | ||
"/usr/bin/umount": "system_u:object_r:install_exec_t:s0", | ||
"/usr/bin/tar": "system_u:object_r:install_exec_t:s0", | ||
}, | ||
}, | ||
} { | ||
build.packageSpecs = tc.packageSpec | ||
build.ContainerBuildable = tc.containerBuildable | ||
|
||
labels := build.getSELinuxLabels() | ||
require.Equal(t, labels, tc.expectedSELinuxLabels) | ||
} | ||
} |