Tuesday, 2018-09-11

*** sameo has quit IRC [00:37]
*** eernst has joined #kata-dev [00:43]
*** fuentess has quit IRC [02:22]
*** dlw has joined #kata-dev [02:34]
*** zerocoolback has joined #kata-dev [02:47]
*** ace__ has joined #kata-dev [03:15]
*** marcov has joined #kata-dev [03:18]
<ace__> hi [03:19]
<ace__> can I raise a problem here? [03:20]
*** ace__ has quit IRC [03:20]
*** zerocoolback has quit IRC [03:30]
*** zerocoolback has joined #kata-dev [03:31]
*** zerocoolback has quit IRC [03:37]
<eernst> syre. [03:47]
*** zerocoolback has joined #kata-dev [04:09]
*** zerocoolback has quit IRC [04:14]
*** zerocoolback has joined #kata-dev [04:14]
*** sjas_ has joined #kata-dev [04:22]
*** sjas has quit IRC [04:25]
*** eernst has quit IRC [04:44]
*** eernst has joined #kata-dev [04:45]
*** eernst has quit IRC [04:49]
*** jodh has joined #kata-dev [06:14]
*** jodh has quit IRC [06:14]
*** jodh has joined #kata-dev [06:14]
*** sameo has joined #kata-dev [07:44]
*** davidgiluk has joined #kata-dev [08:03]
*** gwhaley has joined #kata-dev [08:04]
*** zerocoolback has quit IRC [08:26]
*** zerocoolback has joined #kata-dev [08:27]
*** zerocoolback has quit IRC [09:33]
<xzr> hmm okay, minor update on my quest to enable selinux, I've rebuilt the kernel with the selinux associated flags enabled, built my own os image with selinux packages included, switched those in for kata (kata-env reports correct ones), but still getting disabled for sestatus inside the container [10:03]
<xzr> any ideas on what I could be missing? [10:04]
<gwhaley> hi xzr - not sure if you have seen or are tracking the PRs from nitkon wrt seccomp? I think there are a set of 3 PRs across 3 repos (agent, runtime and ... err, probably osbuilder/image iirc). Here is main thread I think: https://github.com/kata-containers/agent/pull/353 [10:08]
<gwhaley> oh, hold on, now I have to correlate seccomp/selinux in my head (mea culpa...!) [10:09]
<gwhaley> right, maybe scrub that.... back to selinux :-) [10:10]
<gwhaley> xzr: in short, no, sorry. Not an selinux person really - I think we'll have to at least see the failure line/log - presuming you run an selinux status check command that fails or you have something in dmesg? [10:11]
<davidgiluk> xzr: My reading of libselinux (I don't know it well) is that it comes down to whether the selinux fs is mounted [10:14]
<davidgiluk> xzr: So I think you need to get /sys/fs/selinux mounted inside the guest [10:16]
<xzr> thanks davidgiluk, I'll take a looksy [10:17]
<xzr> gwhaley: just the "disabled" output from sestatus [10:17]
<xzr> the same check works for "regular" containers [10:17]
<davidgiluk> xzr: That was just following the breadcrumbs from the code that printed 'enabled' in the selinux utils [10:17]
<xzr> at least it would seem that it doesn't exist when running my kata images :) [10:24]
<xzr> exists when I spin up a container with runc [10:24]
<xzr> so likely something there! [10:24]
<gwhaley> xzr, davidgiluk: that fs mount sounds like a likely candidate. If it is not explicitly passed into the container in the json config, then the agent in the VM is probably not going to mount it. [10:28]
<gwhaley> if you want to try to hand-force the mount, you will need to add the SYS_ADMIN cap to the container at runtime to allow you to do the hand mount btw I think [10:29]
<xzr> ah hmm, could also be that my method is slightly misled [10:32]
<xzr> https://serverfault.com/questions/757606/how-to-enable-selinux-inside-of-a-centos-docker-container [10:32]
<davidgiluk> yeh but kata isn't the same [10:33]
<davidgiluk> you've got your own kernel instance in there, so that needs configuring with se; although then there's the fun question of what's actually used to access the files if it's going through 9p; and hmmm that's probably a whole different question [10:35]
<xzr> well with the kernel comes the "thin" os between the container and the kernel as well though? [10:36]
<xzr> so in the thin os it could be enabled, but checking if selinux is enabled in the container like that might not work [10:37]
<xzr> feel free to correct, my knowledge on kata is extremely thin [10:37]
<davidgiluk> my knowledge of what 9p looks like to selinux is no thicker [10:37]
<gwhaley> just for ref, we have both 9p mounts and the ability to do block device mounts given the right input (such as devicemapper on the host side) :-) Just to add to the mix [10:39]
<davidgiluk> gwhaley: Well, block devices are in principle simple; that's vanilla selinux, that would all be the view of the guest [10:39]
<gwhaley> yep - they should 'act as expected' I would think. I'll go peek at that 'selinux in a container' link to see if any prime kata differences leap out.. [10:40]
<davidgiluk> gwhaley: I think it's different in almost every way :-) [10:40]
<xzr> hmm [10:41]
<xzr> clear containers 3.0 seems to have support for selinux within guest [10:41]
<gwhaley> heh, indeed it is davidgiluk. Interesting to see that selinux is not namespaced. That might come into play with multi-container-pods and kata - you'd end up similar to software containers, where the selinux policy would apply to all containers. [10:43]
<gwhaley> if we ignore the discussion of if 9p gets checked by selinux for now, let's chase that mount. [10:47]
<gwhaley> xzr, when you say CC3.0 had selinux support - do you have a link. Having a look at the repo/history, I can see we added support to the HOST side installation to allow the proxy to be recognised/enabled under an selinux enabled host. I'm not sure if we have guest support though. [10:48]
<xzr> just this https://clearlinux.org/blogs/announcing-intel-clear-containers-30 [10:54]
<xzr> yet to dig into the implementation [10:54]
<xzr> "Clear Containers 3.0 introduces a libcontainer based agent which enables the application of policies and filters such as SELinux* and seccomp inside the Clear Containers guest. " [10:54]
<gwhaley> ah, right - that is noting when we moved to an agent that uses libcontainer so then we inherited all the 'features' from that library that runc had. we'll have to track down what work got done there - iirc, it was probably archana (amshinde) who was most involved. [10:57]
<xzr> seems the correct way to check selinux inside the container is to run ps -eZ [11:06]
<davidgiluk> hmm, that's an odd way [11:08]
<xzr> you see if the labeling is working then I reckon [11:09]
<xzr> https://pastebin.com/aaqiYTMV [11:10]
<xzr> https://youtu.be/zWGFqMuEHdw?t=1902 [11:11]
*** gwhaley has quit IRC [11:11]
<xzr> ah slightly different with --selinux-enabled with docker, forgot that from the previous [11:15]
<xzr> https://pastebin.com/Tggj7TfJ [11:15]
<davidgiluk> yeh it's a way to see if it's working, but it's a pain to automate compared to the tools [11:27]
<xzr> for sure [11:27]
<xzr> anyway, I'll keep digging and see what I can come up with [11:28]
<xzr> but if there's some selinux expertise from the guys coming from the clearlinux side of things, that would surely be extremely helpful [11:28]
<xzr> erm, clearcontainers [11:28]
*** eernst has joined #kata-dev [11:31]
*** dlw has quit IRC [11:43]
*** zerocoolback has joined #kata-dev [12:12]
*** jugs has quit IRC [12:16]
*** jugs has joined #kata-dev [12:19]
*** zerocoolback has quit IRC [12:20]
*** zerocool_ has joined #kata-dev [12:21]
*** gwhaley has joined #kata-dev [12:21]
*** devimc has joined #kata-dev [12:30]
*** eernst has quit IRC [12:33]
*** eernst has joined #kata-dev [13:00]
*** eernst has quit IRC [13:21]
*** fuentess has joined #kata-dev [13:41]
*** zerocool_ has quit IRC [13:49]
*** annabelleB has joined #kata-dev [14:00]
<gwhaley> fuentess - woot - we got a metrics CI build pass on the packet.net slave.... http://jenkins.katacontainers.io/job/kata-metrics-proxy-ubuntu-18-04-PR/14/ [14:04]
<fuentess> gwhaley: cool \o/ [14:04]
<gwhaley> I'll probably go hook the shim and the agent soon and then we can keep a better eye on it, before we finally hook the runtime and tests repos [14:05]
<gwhaley> ah, which has just reminded me of another topic I was going to raise ..... if we can in any way cache build artifacts to reduce our CI times. Let me go do that now.... [14:05]
<fuentess> gwhaley: btw, I am going to add the ksm-throttler installation on the CI (as we currently do not have it), it will be disabled if running on the metrics CI machine [14:06]
<gwhaley> fuentess - great, thanks! :-) [14:09]
<fuentess> gwhaley: and yes, it could be great if we can cache on the metrics CI system. [14:09]
<gwhaley> fuentess - not just on the metrics system - ideally on all CIs. For instance, we must rebuild the proxy and shim all the time, whereas they very very rarely change. And the builds of the kernel and the .img files are the biggies .... let me write the Issue (in progress now) [14:12]
<kata-irc-bot> <jose.carlos.venegas.m> +1 [14:12]
*** annabelleB has quit IRC [14:43]
*** sameo has quit IRC [14:51]
*** eernst has joined #kata-dev [14:54]
*** zerocoolback has joined #kata-dev [14:55]
*** jodh has quit IRC [14:59]
*** zerocoolback has quit IRC [14:59]
*** zerocool_ has joined #kata-dev [15:00]
*** eernst has quit IRC [15:01]
<davidgiluk> the kata/qemu discussion is in 1 hr?? (says he always doubting his timezone conversions) [15:01]
<gwhaley> I never make that call davidgiluk, so am not sure - I normally make the Monday call. Also, there is devseccon on right now I believe, so at least Anne and Eric are there I think - so, not sure if the call is on today [15:04]
<davidgiluk> gwhaley: It's a one off that was going to be face-to-face but not many people are physically going to be there [15:08]
*** eernst has joined #kata-dev [15:17]
<kata-irc-bot> <eric.ernst> It should be on, davidgiluk [15:18]
<davidgiluk> ok, I'll dial in in about 40min [15:18]
*** dklyle has joined #kata-dev [15:28]
<kata-irc-bot> <sebastien.boeuf> yeah the meeting will happen in about 30min [15:30]
*** sameo has joined #kata-dev [15:32]
*** eernst has quit IRC [15:49]
*** annabelleB has joined #kata-dev [15:52]
*** mcastelino has joined #kata-dev [15:55]
*** eernst has joined #kata-dev [16:02]
*** eernst has quit IRC [16:32]
*** hongbin_ has joined #kata-dev [16:34]
*** hongbin_ has quit IRC [16:36]
*** sameo has quit IRC [16:37]
*** gwhaley has quit IRC [16:39]
*** sameo has joined #kata-dev [16:55]
*** sameo has quit IRC [17:29]
*** sameo has joined #kata-dev [17:30]
*** eernst has joined #kata-dev [17:44]
*** gwhaley has joined #kata-dev [17:47]
*** annabelleB has quit IRC [17:53]
*** eernst has quit IRC [17:54]
*** annabelleB has joined #kata-dev [17:57]
*** annabelleB has quit IRC [18:01]
*** david-lyle has joined #kata-dev [18:04]
*** dklyle has quit IRC [18:05]
*** eernst has joined #kata-dev [18:14]
*** david-lyle has quit IRC [18:57]
*** eernst has quit IRC [19:02]
*** davidgiluk has quit IRC [19:08]
*** gwhaley has quit IRC [19:32]
*** sjas_ is now known as sjas [19:54]
*** david-lyle has joined #kata-dev [19:58]
*** annabelleB has joined #kata-dev [20:08]
*** annabelleB has quit IRC [20:34]
*** annabelleB has joined #kata-dev [20:40]
*** eernst has joined #kata-dev [20:41]
*** david-lyle has quit IRC [20:41]
*** dklyle has joined #kata-dev [20:42]
*** eernst has quit IRC [20:51]
<kata-irc-bot> <jose.carlos.venegas.m> We just finished the release process for our first rc for 1.3.0; take a look at the release notes. Thank you for all your contributions: https://github.com/kata-containers/runtime/releases/tag/1.3.0-rc0 [20:51]
*** zerocool_ has quit IRC [20:56]
*** devimc has quit IRC [21:02]
*** david-lyle has joined #kata-dev [21:09]
*** dklyle has quit IRC [21:09]
*** david-lyle is now known as dklyle [21:10]
*** annabelleB has quit IRC [21:34]
*** dklyle has quit IRC [21:48]
*** dklyle has joined #kata-dev [21:48]
*** dklyle has quit IRC [22:01]
*** mcastelino has quit IRC [22:02]
*** dklyle has joined #kata-dev [22:10]
*** annabelleB has joined #kata-dev [22:16]
*** dklyle has quit IRC [22:44]
*** annabelleB has quit IRC [22:46]
*** dklyle has joined #kata-dev [23:00]
*** dklyle has quit IRC [23:38]

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!