Makefile: Add implicit SELinux labels when using podman #1598
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Podman is a Docker replacement, which is developed by RedHat and available on related Linux distributions (e.g. RHEL or Fedora). Podman differs from Docker in several security-related aspects. One of them is, that Podman requires poper SELinux labels on volume content mounted into a container. This difference to Docker results in the following error when building the specification: Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg. /var/lib/gems/3.0.0/gems/asciidoctor-2.0.23/lib/asciidoctor/cli/options.rb:238:in `stat': Permission denied @ rb_file_s_stat - src/riscv-privileged.adoc (Errno::EACCES) from /var/lib/gems/3.0.0/gems/asciidoctor-2.0.23/lib/asciidoctor/cli/options.rb:238:in `block in parse!' from /var/lib/gems/3.0.0/gems/asciidoctor-2.0.23/lib/asciidoctor/cli/options.rb:236:in `each' from /var/lib/gems/3.0.0/gems/asciidoctor-2.0.23/lib/asciidoctor/cli/options.rb:236:in `parse!' from /var/lib/gems/3.0.0/gems/asciidoctor-pdf-2.3.18/bin/asciidoctor-pdf:40:in `<top (required)>' from /usr/local/bin/asciidoctor-pdf:25:in `load' from /usr/local/bin/asciidoctor-pdf:25:in `<main>' make[2]: *** [Makefile:92: build/riscv-privileged.pdf] Error 1 To address this, podman-run(1) recommends using the ':z' suffix to the volume mount. This patch does so, if the docker command has been identified (reliably) to be emulated by Podman. Tested on Fedora 40. Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
aswaterman
approved these changes
Aug 14, 2024
|
It's a bug that podman pretends to be docker when it isn't. But the patch is harmless, so we'll run with it. |
cmuellner
added a commit
to cmuellner/docs-spec-template
that referenced
this pull request
Aug 14, 2024
Podman is a Docker replacement, which is developed by RedHat and available
on related Linux distributions (e.g. RHEL or Fedora). Podman differs from
Docker in several security-related aspects. One of them is, that Podman
requires poper SELinux labels on volume content mounted into a container.
This difference to Docker results in the following error when building
a document (the riscv-isa-manual in this example):
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
/var/lib/gems/3.0.0/gems/asciidoctor-2.0.23/lib/asciidoctor/cli/options.rb:238:in `stat': Permission denied @ rb_file_s_stat - src/riscv-privileged.adoc (Errno::EACCES)
from /var/lib/gems/3.0.0/gems/asciidoctor-2.0.23/lib/asciidoctor/cli/options.rb:238:in `block in parse!'
from /var/lib/gems/3.0.0/gems/asciidoctor-2.0.23/lib/asciidoctor/cli/options.rb:236:in `each'
from /var/lib/gems/3.0.0/gems/asciidoctor-2.0.23/lib/asciidoctor/cli/options.rb:236:in `parse!'
from /var/lib/gems/3.0.0/gems/asciidoctor-pdf-2.3.18/bin/asciidoctor-pdf:40:in `<top (required)>'
from /usr/local/bin/asciidoctor-pdf:25:in `load'
from /usr/local/bin/asciidoctor-pdf:25:in `<main>'
make[2]: *** [Makefile:92: build/riscv-privileged.pdf] Error 1
To address this, podman-run(1) recommends using the ':z' suffix to the
volume mount. This patch does so, if the docker command has been
identified (reliably) to be emulated by Podman.
Tested on Fedora 40.
This change was also accepted and merged as part of the riscv-isa-manual
repo, but the patch might be better suited to be included in this
project. See also riscv/riscv-isa-manual#1598.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Podman is a Docker replacement, which is developed by RedHat and available on related Linux distributions (e.g. RHEL or Fedora). Podman differs from Docker in several security-related aspects. One of them is, that Podman requires poper SELinux labels on volume content mounted into a container. This difference to Docker results in the following error when building the specification:
To address this, podman-run(1) recommends using the
:zsuffix to the volume mount. This patch does so if the docker command has been identified (reliably) to be emulated by Podman.Tested on Fedora 40.