cri: filter selinux xattr for image volumes

Exclude the `security.selinux` xattr when copying content from layer
storage for image volumes. This allows for the already correct label
at the target location to be applied to the copied content, thus
enabling containers to write to volumes that they implicitly expect to be
able to write to.

- Fixes containerd/containerd#5090
- See rancher/rke2#690

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Jacob Blain Christen 2021-08-20 23:47:24 -07:00
parent ff2e58d114
commit c3609ff4ca

@ -115,5 +115,5 @@ func copyExistingContents(source, destination string) error {
if len(dstList) != 0 { if len(dstList) != 0 {
return errors.Errorf("volume at %q is not initially empty", destination) return errors.Errorf("volume at %q is not initially empty", destination)
} }
return fs.CopyDir(destination, source) return fs.CopyDir(destination, source, fs.WithXAttrExclude("security.selinux"))
} }
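
Review bot: The changed return line in copyExistingContents passes "security.selinux" as a bare string literal with no comment explaining why that one xattr is dropped. A short comment at the call (the destination already carries the correct label, so the label from layer storage must not be copied over it) and a named constant for the attribute name would keep a later reader from removing the option as unnecessary. The visible change also adds no test; one that copies a source tree carrying a security.selinux xattr and asserts the attribute is absent at the destination would guard against a regression.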