Hi Bruce,

I've tested master-next and sent out three patches against it.
The first one is a revert, which only means 'please drop the original patch from master-next'.

With these three patches on master-next, the following two tests pass:
1. skopeo copy
2. k8s + cri-o + flannel

Regards,
Qi

On 2/18/23 04:36, Bruce Ashfield wrote:
On Fri, Feb 17, 2023 at 10:30 AM Chen, Qi <[email protected]> wrote:
Hi Bruce,

I've sent out V2.
I also noticed there's a cri-o upgrade in master-next, so I cherry-picked it 
onto my branch and tested 'k8s + cri-o + flannel' for qemux86-64. Things are 
working.
I've grabbed parts of the original series and the v2 patches and
staged them onto master-next.

I also have my container-host bbclass and configuration work on master-next.

My tests passed, but it would be good to get your results with it as
well, as I may have missed part of your series. If I did miss
something, resend it against master-next and I'll add it to the
queue.

Bruce

Regards,
Qi

-----Original Message-----
From: Bruce Ashfield <[email protected]>
Sent: Friday, February 17, 2023 10:27 PM
To: Chen, Qi <[email protected]>
Cc: [email protected]
Subject: Re: [meta-virtualization][PATCH 2/5] cri-o: use PACKAGECONFIG to handle selinux

On Fri, Feb 17, 2023 at 9:24 AM Chen, Qi <[email protected]> wrote:
OK, I see. Let's just drop this patch so that libselinux is still a dependency 
and the layer check is still there.
I'll send out V2 of the README change to match the current situation.
It would be nice to have the ability to disable the selinux support, for those 
that don't need it.

So triggering everything off the distro feature is fine, if you want to do that 
with the v2. No need to modify the crio.conf for now, as we don't have selinux 
policies to fully test it regardless.

Bruce

Regards,
Qi

-----Original Message-----
From: Bruce Ashfield <[email protected]>
Sent: Friday, February 17, 2023 10:11 PM
To: Chen, Qi <[email protected]>
Cc: [email protected]
Subject: Re: [meta-virtualization][PATCH 2/5] cri-o: use PACKAGECONFIG to handle selinux

On Fri, Feb 17, 2023 at 8:56 AM Chen, Qi <[email protected]> wrote:
I disable it by default to align with oe-core/meta-openembedded practice, 
although some of the recipes there are using DISTRO_FEATURES to determine the 
default value.
Also, selinux is set to 'false' by default in crio.conf, both in the old 
crio.conf and the new one.

There's no such policy in meta-virt.

My point is that libselinux was previously a DEPENDS, which means that it would 
always be available to be discovered/probed by the cri-o build, which means 
that it is (at least theoretically) enabled by default when cri-o is used.

Making this a packageconfig, and then not enabling it by default, means that 
we are changing the default behaviour, which we won't do unless something is 
broken.

Do you think the default value should be set according to DISTRO_FEATURES? Or 
we should just make selinux enabled by default?

Doing it by distro feature check is acceptable, and in theory, we should take 
it a step further and do a sed operation to change the crio.conf at the same 
time.

Bruce

Regards,
Qi

-----Original Message-----
From: Bruce Ashfield <[email protected]>
Sent: Friday, February 17, 2023 9:48 PM
To: Chen, Qi <[email protected]>
Cc: [email protected]
Subject: Re: [meta-virtualization][PATCH 2/5] cri-o: use PACKAGECONFIG to handle selinux

This still needs to be enabled by default in the packageconfig, unless you can 
show that the existing builds were not detecting libselinux and using it.

Bruce

On Fri, Feb 17, 2023 at 12:32 AM Chen Qi <[email protected]> wrote:
For cri-o, libselinux is optional, this can be seen from its Makefile.
So let's make selinux optional by using PACKAGECONFIG.
In this way, meta-selinux dependency could be removed.

Signed-off-by: Chen Qi <[email protected]>
---
  recipes-containers/cri-o/cri-o_git.bb | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/cri-o/cri-o_git.bb
b/recipes-containers/cri-o/cri-o_git.bb
index 66d1116..7af698f 100644
--- a/recipes-containers/cri-o/cri-o_git.bb
+++ b/recipes-containers/cri-o/cri-o_git.bb
@@ -39,14 +39,14 @@ DEPENDS = " \
      ostree \
      libdevmapper \
      libseccomp \
-    libselinux \
      "
  RDEPENDS:${PN} = " \
      cni \
      libdevmapper \
      "

-SKIP_RECIPE[cri-o] ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', 'selinux', '', 
'Depends on libselinux from meta-selinux which is not included', d)}"
+PACKAGECONFIG ?= ""
+PACKAGECONFIG[selinux] = ",,libselinux"

  PACKAGES =+ "${PN}-config"
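
Review bot: `PACKAGECONFIG ?= ""` turns selinux support off by default, whereas the removed `libselinux \` entry in DEPENDS made the library available to every cri-o build, so existing users silently lose a security feature they may have been getting. If the meta-selinux dependency has to go, derive the default from the distro feature instead, for example `PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"`. Two further points on the same lines: `PACKAGECONFIG[selinux] = ",,libselinux"` leaves the enable and disable arguments empty, so the option only toggles the build dependency and relies on the cri-o Makefile detecting the library on its own; and with the `SKIP_RECIPE[cri-o]` check removed, enabling the option without meta-selinux in the layer set will fail on an unresolved libselinux provider rather than skipping with the clear message the old line gave. The commit message should state which default is intended and why.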

--
2.37.1





--
- Thou shalt not follow the NULL pointer, for chaos and madness
await thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

