[release/1.5 backport] cri: filter selinux xattr for image volumes
Exclude the `security.selinux` xattr when copying content from layer
storage for image volumes. This allows for the already correct label
at the target location to be applied to the copied content, thus
enabling containers to write to volumes that they implicitly expect to be
able to write to.

- Fixes #5090 for 1.5.x
- See rancher/rke2#690

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
(cherry picked from commit c3609ff)
dweomer committed Aug 25, 2021
1 parent 69e5db8 commit c0534c1
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/cri/opts/container.go
Expand Up @@ -115,5 +115,5 @@ func copyExistingContents(source, destination string) error {
if len(dstList) != 0 {
return errors.Errorf("volume at %q is not initially empty", destination)
}
return fs.CopyDir(destination, source)
return fs.CopyDir(destination, source, fs.WithXAttrExclude("security.selinux"))
}
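
Review bot: The added return line passes the attribute name as a bare string literal, `fs.WithXAttrExclude("security.selinux")`, with nothing in copyExistingContents saying why the label is dropped. A short comment above the return (the copied files are meant to take the label already set at the destination rather than the one carried over from layer storage), or a named constant for the xattr, would keep a later reader from treating the exclusion as accidental and removing it. The commit changes only pkg/cri/opts/container.go, so nothing here exercises the new behaviour; a test that copies a tree carrying a security.selinux xattr and checks that it is absent at the destination would guard against a regression.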
