On Fri, Feb 17, 2023 at 9:24 AM Chen, Qi <[email protected]> wrote: > > OK, I see. Let's just drop this patch so that libselinux is still a > dependency and the layer check is still there. > I'll send out V2 of the README change to match the current situation.
It would be nice to have the ability to disable the selinux support, for those that don't need it. So triggering everything off the distro feature is fine, if you want to do that with the v2. No need to modify the crio.conf for now, as we don't have selinux policies to fully test it regardless. Bruce > > Regards, > Qi > > -----Original Message----- > From: Bruce Ashfield <[email protected]> > Sent: Friday, February 17, 2023 10:11 PM > To: Chen, Qi <[email protected]> > Cc: [email protected] > Subject: Re: [meta-virtualization][PATCH 2/5] cri-o: use PACKAGECONFIG to > handle selinux > > On Fri, Feb 17, 2023 at 8:56 AM Chen, Qi <[email protected]> wrote: > > > > I disable it by default to align with oe-core/meta-openembedded practice, > > although some of the recipes there are using DISTRO_FEATURES to determine > > the default value. > > Also, selinux is set to 'false' by default in crio.conf, both in the old > > crio.conf and the new one. > > > > There's no such policy in meta-virt. > > My point is that libselinux was previously a DEPENDS. Which means that it > would always be available to be discovered/probed by the cri-o build. Which > means that it is (at least theoretically) enabled by default when cri-o is > used. > > By making this a packageconfig, and then not enabling it by default, means > that we are changing the default behaviour. Which we won't do unless > something is broken. > > > Do you think the default value should be set according to DISTRO_FEATURES? > > Or we should just make selinux enabled by default? > > > > Doing it by distro feature check is acceptable, and in theory, we should take > it a step further and do a sed operation to change the crio.conf at the same > time. > > Bruce > > > Regards, > > Qi > > > > -----Original Message----- > > From: Bruce Ashfield <[email protected]> > > Sent: Friday, February 17, 2023 9:48 PM > > To: Chen, Qi <[email protected]> > > Cc: [email protected] > > Subject: Re: [meta-virtualization][PATCH 2/5] cri-o: use PACKAGECONFIG > > to handle selinux > > > > This still needs to be enabled by default in the packageconfig, unless you > > can show that the existing builds were not detecting libselinux and using > > it. > > > > Bruce > > > > On Fri, Feb 17, 2023 at 12:32 AM Chen Qi <[email protected]> wrote: > > > > > > For cri-o, libselinux is optional, this can be seen from its Makefile. > > > So let's make selinux optional by using PACKAGECONFIG. > > > In this way, meta-selinux dependency could be removed. > > > > > > Signed-off-by: Chen Qi <[email protected]> > > > --- > > > recipes-containers/cri-o/cri-o_git.bb | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/recipes-containers/cri-o/cri-o_git.bb > > > b/recipes-containers/cri-o/cri-o_git.bb > > > index 66d1116..7af698f 100644 > > > --- a/recipes-containers/cri-o/cri-o_git.bb > > > +++ b/recipes-containers/cri-o/cri-o_git.bb > > > @@ -39,14 +39,14 @@ DEPENDS = " \ > > > ostree \ > > > libdevmapper \ > > > libseccomp \ > > > - libselinux \ > > > " > > > RDEPENDS:${PN} = " \ > > > cni \ > > > libdevmapper \ > > > " > > > > > > -SKIP_RECIPE[cri-o] ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', > > > 'selinux', '', 'Depends on libselinux from meta-selinux which is not > > > included', d)}" > > > +PACKAGECONFIG ?= "" > > > +PACKAGECONFIG[selinux] = ",,libselinux" > > > > > > PACKAGES =+ "${PN}-config" > > > > > > -- > > > 2.37.1 > > > > > > > > > > > > > > > > > > -- > > - Thou shalt not follow the NULL pointer, for chaos and madness await > > thee at its end > > - "Use the force Harry" - Gandalf, Star Trek II > > > > -- > - Thou shalt not follow the NULL pointer, for chaos and madness await thee at > its end > - "Use the force Harry" - Gandalf, Star Trek II -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#7874): https://lists.yoctoproject.org/g/meta-virtualization/message/7874 Mute This Topic: https://lists.yoctoproject.org/mt/97023221/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/leave/6693005/21656/1014668956/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
