Fix gVisor SELinux context

Signed-off-by: Tommy <contact@tommytran.io>
2024-11-25 10:21:33 -05:00 · 2023-04-15 04:22:01 -04:00 · 2023-04-15 04:22:01 -04:00 · af51a505ae
commit af51a505ae
parent 6a0f4afe1d
4 changed files with 4 additions and 2 deletions
--- a/Docker-Compose.ign
+++ b/Docker-Compose.ign
@ -170,7 +170,7 @@
        "name": "setsebool.service"
      },
      {
-        "contents": "[Unit]\nDescription=gVisor Update\nRequire=network-online.target\nBefore=docker.service\n\n[Service]\nWorkingDirectory=/var/roothome\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\n\n[Install]\nWantedBy=multi-user.target\n",
+        "contents": "[Unit]\nDescription=gVisor Update\nRequire=network-online.target\nBefore=docker.service\n\n[Service]\nWorkingDirectory=/var/roothome\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\n[Install]\nWantedBy=multi-user.target\n",
        "enabled": true,
        "name": "gvisor-updater.service"
      },
--- a/Docker-Compose.yml
+++ b/Docker-Compose.yml
@ -84,6 +84,7 @@ systemd:
        ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
        ExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
        ExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
        ExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
        [Install]
        WantedBy=multi-user.target
--- a/Generic.ign
+++ b/Generic.ign
@ -168,7 +168,7 @@
        "name": "setsebool.service"
      },
      {
-        "contents": "[Unit]\nDescription=gVisor Update\nRequire=network-online.target\nBefore=docker.service\n\n[Service]\nWorkingDirectory=/var/roothome\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\n\n[Install]\nWantedBy=multi-user.target\n",
+        "contents": "[Unit]\nDescription=gVisor Update\nRequire=network-online.target\nBefore=docker.service\n\n[Service]\nWorkingDirectory=/var/roothome\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\n[Install]\nWantedBy=multi-user.target\n",
        "enabled": true,
        "name": "gvisor-updater.service"
      },
--- a/Generic.yml
+++ b/Generic.yml
@ -102,6 +102,7 @@ systemd:
        ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
        ExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
        ExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
        ExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
        [Install]
        WantedBy=multi-user.target