building images in container fails due to selinux fixes

Bug #1779273 reported by Artem Goncharov on 2018-06-29
This bug affects 3 people
Affects: diskimage-builder
Importance: Undecided
Assigned to: Pierre Riteau

Bug Description

It is currently impossible to build an RPM-based image in a container, since rpm-distro/cleanup.d/99-selinux-fixfiles-restore tries to execute `runcon` on the chroot, which will not work in a container, since SELinux is disabled there:

(app-root) runcon -t setfiles_mac_t -- /opt
runcon: runcon may be used only on a SELinux kernel
(app-root) sestatus
SELinux status: disabled

`disk-image-create fedora-28 vm` fails because of that.

It is generally not very nice to create images in a container, but I am trying to containerize Zuul, which uses diskimage-builder, so I face this problem.

Artem Goncharov (gtema) wrote :

Last release which works is 2.6.1.

Will Szumski (willjs) wrote :

Facing a similar issue using bifrost stable/queens, which builds images within a docker container. Disk Image Builder is failing with:

`kauditd not found, suggesting auditing support is disabled in the host kernel. setfiles will fail without this, please enable and rebuild`

even though the call to setfiles actually succeeds if you comment out the check that causes this:

https://github.com/openstack/diskimage-builder/commit/7566819139e31c95038f9f1c39a2995d1fc93c17

Presumably runcon is set to ""?

Pierre Riteau (priteau) on 2018-10-04
Changed in diskimage-builder:
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/608187

Changed in diskimage-builder:
assignee: nobody → Pierre Riteau (priteau)
status: Confirmed → In Progress
Pierre Riteau (priteau) wrote :

I submitted a patch which should fix the issue reported by willjs at https://bugs.launchpad.net/diskimage-builder/+bug/1779273/comments/2.

It's unclear which diskimage-builder release the original issue was using. Since commit http://git.openstack.org/cgit/openstack/diskimage-builder/commit/?id=b1961e14ea6e3bcdc80ca6e02e80646280b3a86a the script should correctly identify that SELinux is disabled and set _runcon to an empty string.

Reviewed: https://review.openstack.org/608187
Committed: https://git.openstack.org/cgit/openstack/diskimage-builder/commit/?id=bacceba41d86d59982b3e48f6c4289afc074ec9b
Submitter: Zuul
Branch: master

commit bacceba41d86d59982b3e48f6c4289afc074ec9b
Author: Pierre Riteau <email address hidden>
Date: Fri Oct 5 10:02:14 2018 +0100

    Fail build due to missing kauditd only when SELinux is enabled

    With the check added in commit 7566819139e31c95038f9f1c39a2995d1fc93c17,
    diskimage-builder fails to build RPM-based images if kauditd is not
    running. However, this is only valid for environments where SELinux is
    enabled. If SELinux is disabled (which is identified by an empty _runcon
    variable), proceed with running setfiles.

    Change-Id: I1b056f20a3a55f7333391207d9e1049d25ece041
    Closes-Bug: #1779273

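The following is an added shell example, not diskimage-builder's own code, illustrating the condition described in the bug description and in the commit message above: the runcon prefix is derived from whether the kernel exposes /sys/fs/selinux (absent inside a container on a host without SELinux, which is why `runcon` refuses to run there), and a missing kauditd is only fatal when that prefix is non-empty. The directory parameters and the detection of kauditd by reading <pid>/comm are assumptions made so the logic can be exercised against constructed directories rather than the real /sys and /proc.

```shell
#!/bin/sh
# Added example (not diskimage-builder's own code). Paths are parameters so the
# decision logic can be run against constructed directories.

# Print the runcon prefix for setfiles when the kernel exposes SELinux, or
# nothing when it does not (the "_runcon is empty" convention from the bug).
selinux_runcon_prefix() {
    selinux_dir="${1:-/sys/fs/selinux}"
    if [ -e "$selinux_dir/enforce" ]; then
        printf '%s' "runcon -t setfiles_mac_t --"
    fi
}

# Return 0 if a task named kauditd is visible under the given proc root.
# Assumption: the task name is read from <pid>/comm.
kauditd_running() {
    proc_dir="${1:-/proc}"
    for comm in "$proc_dir"/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        if [ "$(cat "$comm")" = "kauditd" ]; then
            return 0
        fi
    done
    return 1
}

# Decide how setfiles should be run:
#   prints "skip-kauditd-check" -> SELinux disabled, run setfiles unconfined
#   prints "run-confined"       -> SELinux enabled and kauditd present
#   returns 1 with a message    -> SELinux enabled but kauditd missing; this is
#                                  the only case the fixed script should fail on
setfiles_plan() {
    selinux_dir="$1"
    proc_dir="$2"
    runcon="$(selinux_runcon_prefix "$selinux_dir")"
    if [ -z "$runcon" ]; then
        echo "skip-kauditd-check"
        return 0
    fi
    if kauditd_running "$proc_dir"; then
        echo "run-confined"
        return 0
    fi
    echo "kauditd not found, suggesting auditing support is disabled in the host kernel. setfiles will fail without this, please enable and rebuild" >&2
    return 1
}
```

Running `setfiles_plan /sys/fs/selinux /proc` on a real host reproduces the three outcomes: a container on a non-SELinux host takes the first branch and never reaches the kauditd check, which is the behaviour the fix restores.
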
Changed in diskimage-builder:
status: In Progress → Fix Released