| Message ID | 20230726212009.221147-2-thomas.petazzoni@bootlin.com |
|---|---|
| State | Superseded |
| Series | [RFC,1/2] utils/docker-run: make it compatible with SELinux |
Thomas, All,

On 2023-07-26 23:20 +0200, Thomas Petazzoni via buildroot spake thusly:
> If the user has defined $BR2_DL_DIR in the environment, it would be
> nice to have it accessible inside the Docker container, and the
> BR2_DL_DIR environment variable set to access it.
>
> This commit does exactly this: it mounts the host $BR2_DL_DIR as /dl
> in the container, and sets BR2_DL_DIR=/dl in the container.
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> Here as well, an opinion from a Docker expert would be useful. For example,
> with this change, the files added in the download directory are owned
> by $USER:docker and not $USER:$USER as would probably be expected.

Here, with --mount, they do belong to $USER:$USER...

So, I guess your issue is that /dl does not exist in the container, so
it is created by the docker runtime and thus group-belongs to docker,
and the SELinux labelling means that everything beneath it also belongs
to docker.

Also:

* what about files that already existed before: are they chgrp-ed to
  docker, or do they retain their group?

* and from within the container, whom do the files belong to?

Regards,
Yann E. MORIN.

> ---
> utils/docker-run | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/utils/docker-run b/utils/docker-run
> index eee1aad7a4..6ea4311c68 100755
> --- a/utils/docker-run
> +++ b/utils/docker-run
> @@ -20,4 +20,8 @@ if tty -s; then
> docker_opts+=( -t )
> fi
>
> +if test -n "${BR2_DL_DIR}"; then
> + docker_opts+=( --volume "${BR2_DL_DIR}:/dl:Z" -e "BR2_DL_DIR=/dl" )
> +fi
> +
> exec docker run "${docker_opts[@]}" "${IMAGE}" "${@}"
> --
> 2.41.0
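Review bot: the `:Z` suffix in `--volume "${BR2_DL_DIR}:/dl:Z"` asks Docker to relabel the whole host download directory with a private SELinux label bound to this one container, so every docker-run invocation sharing the same BR2_DL_DIR (the normal case for a download cache) relabels the tree for itself, and the relabel stays on the host files after the container exits; for a directory reused across containers the shared `:z` label is the better fit, and the script should refuse to relabel at all when BR2_DL_DIR resolves to a broad tree such as the user's home directory, which Docker's own documentation warns against relabelling.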
Hello,

On Tue, 8 Aug 2023 22:50:47 +0200
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> So, I guess your issue is that /dl does not exist in the container, so
> it is created by the docker runtime and thus group-belongs to docker,
> and the SELinux labelling means that everything beneath it also belongs
> to docker.
>
> Also:
>
> * what about files that already existed before: are they chgrp-ed to
> docker, or do they retain their group?

Folders in /dl that existed before in the BR2_DL_DIR on my "host" look
like this outside the container:

$ ls -l ~/dl/xz
drwxr-xr-x. 2 thomas thomas 4096 6 août 00:05 /home/thomas/dl/xz

and inside the container:

$ ./utils/docker-run ls -ld /dl/xz
drwxr-xr-x. 2 br-user br-user 4096 Aug 5 22:05 /dl/xz

> * and from within the container, whom do the files belong to?

The files downloaded into /dl from within the container (by running a
Buildroot build in the container, which causes some downloads to take
place) appear outside the container as such:

$ ls -ld ~/dl/swig
drwxr-xr-x. 2 thomas docker 4096 26 juil. 23:00 /home/thomas/dl/swig/

And within the container they appear as such:

$ ./utils/docker-run ls -ld /dl/swig
drwxr-xr-x. 2 br-user 976 4096 Jul 26 21:00 /dl/swig

Inside the container, the /dl directory itself is owned by br-user:br-user:

$ ./utils/docker-run ls -ld /dl
drwxr-xr-x. 276 br-user br-user 12288 Aug 8 21:18 /dl

Does that answer your question?

Thomas
diff --git a/utils/docker-run b/utils/docker-run index eee1aad7a4..6ea4311c68 100755 --- a/utils/docker-run +++ b/utils/docker-run @@ -20,4 +20,8 @@ if tty -s; then docker_opts+=( -t ) fi +if test -n "${BR2_DL_DIR}"; then + docker_opts+=( --volume "${BR2_DL_DIR}:/dl:Z" -e "BR2_DL_DIR=/dl" ) +fi + exec docker run "${docker_opts[@]}" "${IMAGE}" "${@}"
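Review bot: `test -n "${BR2_DL_DIR}"` only checks that the variable is non-empty, which is not enough for what follows it: if the path does not exist on the host, `docker run --volume` creates it root-owned before the container starts (so the unprivileged container user cannot write to it), and a value without a leading `/` is taken by Docker as a named volume rather than a bind mount of the host directory. Guard with `test -d "${BR2_DL_DIR}"` and pass an absolute path, for example `"$(cd "${BR2_DL_DIR}" && pwd -P):/dl:Z"`, or emit a warning and skip the mount when the check fails; a line in the commit message explaining why the container sees the directory as /dl instead of its host path would also help readers of the script.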
If the user has defined $BR2_DL_DIR in the environment, it would be
nice to have it accessible inside the Docker container, and the
BR2_DL_DIR environment variable set to access it.

This commit does exactly this: it mounts the host $BR2_DL_DIR as /dl
in the container, and sets BR2_DL_DIR=/dl in the container.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
Here as well, an opinion from a Docker expert would be useful. For example,
with this change, the files added in the download directory are owned
by $USER:docker and not $USER:$USER as would probably be expected.
---
 utils/docker-run | 4 ++++
 1 file changed, 4 insertions(+)
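The option-building step the commit message describes, as an added example that is not the Buildroot utils/docker-run code: it adds the validation the thread's ownership questions point at (directory must exist and be absolute before Docker sees it, shared SELinux label by default, refusal to relabel broad trees). BR2_DL_DIR and the /dl mount point are from the patch; the function name, the label argument and the refused-roots list are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not the Buildroot script): build the "docker run" arguments
# that expose the host BR2_DL_DIR as /dl, with checks the patch does not make.
# Function name, second argument and the refused-roots list are assumptions.

# Prints one argument per line so the caller can collect them into an array.
# Prints nothing and returns 0 when BR2_DL_DIR is unset; returns 1 when the
# value is unusable, so the caller can skip the mount instead of passing a
# bad path to Docker.
br2_dl_docker_opts() {
    local dl_dir="$1" label="${2:-z}" host_dir

    # Unset or empty: nothing to mount, and that is not an error.
    [ -n "${dl_dir}" ] || return 0

    # Must already exist: "docker run --volume" creates a missing host path
    # as root:root, which the unprivileged container user then cannot write.
    [ -d "${dl_dir}" ] || { echo "BR2_DL_DIR=${dl_dir}: not a directory" >&2; return 1; }

    # Must be absolute: a source without a leading '/' is treated by Docker
    # as a named volume, not as a bind mount of the host directory.
    host_dir=$(cd "${dl_dir}" && pwd -P) || return 1

    # The :z/:Z suffix relabels the whole tree on the host; refuse the roots
    # for which that relabel would reach far beyond a download cache.
    case "${host_dir}" in
        /|/home|/usr|/etc|/var|"${HOME}")
            echo "refusing to relabel ${host_dir} as a Buildroot download dir" >&2
            return 1 ;;
    esac

    # Shared label (z) by default: the cache is reused across containers.
    printf '%s\n' --volume "${host_dir}:/dl:${label}" -e "BR2_DL_DIR=/dl"
}

# Usage in the style of utils/docker-run (docker_opts is a bash array):
#   mapfile -t dl_opts < <(br2_dl_docker_opts "${BR2_DL_DIR}") \
#       && docker_opts+=( "${dl_opts[@]}" )
```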