Support mounting with SeLinux mount options #577
Comments
@cjorge-graphops Just trying to understand here from the CSIDriver point of view, the changes needed are just about adding
@Abhinandan-Purkait my understanding of it is based on this:
The fact that kubernetes will only attempt to use this when it detects the OS does have SeLinux support, and ZFS supports SeLinux, I think so. It would come down to advertising it and handling it ok upon having some extra mount options for the context passed/handled (the -o context). But my knowledge of these interfaces is quite non-existent, this is mostly guess-work and an educated guess at this point, so take it with a grain of salt.
Yes, that link I posted specifies all the conditions that need to come together for kubernetes to even pass this context to the CSIDriver. For instance, besides the two feature gates that are still beta, the POD also needs to at least specify
The CSI driver spec mentions that kubernetes does check if the OS supports SeLinux, and won't even attempt to pass -o context if that requirement is not satisfied, so I don't think that burden falls on zfs-localpv
@cjorge-graphops Are you interested in contributing to this? Let's keep it open to see views from community.
@Abhinandan-Purkait sorry for the late reply. I most definitely need to eventually address this for my own use-cases, so the answer is yes; as I said, I do have workloads that use millions of small files on SeLinux enabled systems... and having PODs take upwards of 30m to restart is not a viable status quo. I'm interested in contributing at least after I've validated, and I'm sure to get to it at some point, but it may take me some time as it is not the highest of priorities for me. Thank you!
@cjorge-graphops Thanks, I guess to start with you can at least add a design document with your validation, and then it can be worked upon by anyone interested.
@cjorge-graphops any updates on your end?
@avishnu sorry for the delay in getting back to this. I opened a PR with a simple design document, please review/discuss and let me know about next steps 🙇. I have successfully validated the feature works as intended when the required conditions are met, allowing some of my workloads to go from 1h+ boot time to a few seconds. For peace of mind I've also validated that behavior stays exactly as it was when some of the requirements aren't met, with the exception of using this on a non-SELinux enabled host (I have none of those easily at hand). I didn't build a new chart or try rolling out an update, but given the CSIDriver CRD can be changed, that shouldn't be problematic, right?
Describe the problem/challenge you have
For PVCs with millions of small files, relabeling them takes an enormous amount of time
Describe the solution you'd like
Kubernetes tries to address this as described here: https://kubernetes.io/blog/2023/04/18/kubernetes-1-27-efficient-selinux-relabeling-beta/
but zfs-localpv would need to support mounting with SeLinux mount options, and the CSI driver would need to advertise that
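As an added illustration (not manifests from this issue or from the zfs-localpv project), the pieces that the thread above says have to line up, written out as Kubernetes objects: the CSIDriver object advertising SELinux mount support, a ReadWriteOncePod claim, and a pod that states an explicit SELinux level. The driver name, storage class, claim name and image are assumed for the example; the field names are the upstream Kubernetes API, and the two feature gates named in the comments are SELinuxMountReadWriteOncePod and ReadWriteOncePod.

```yaml
# Added example, not from the issue or from zfs-localpv.
# Driver name, storage class, claim name and image are assumed for illustration.

# 1. The CSI driver advertises that the volume can be labeled at mount time
#    (kubelet passes -o context=...) instead of being relabeled file by file.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: zfs.csi.openebs.io        # assumed driver name for the example
spec:
  attachRequired: false
  seLinuxMount: true              # the field this issue is about
---
# 2. While the feature is beta, only ReadWriteOncePod claims are covered;
#    a ReadWriteOnce claim keeps the old recursive relabel behaviour.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data                      # assumed claim name
spec:
  storageClassName: openebs-zfspv # assumed storage class
  accessModes:
    - ReadWriteOncePod
  resources:
    requests:
      storage: 10Gi
---
# 3. The pod must state an explicit SELinux level. With both feature gates on
#    and SELinux detected on the node, kubelet translates this level into
#    -o context="system_u:object_r:container_file_t:s0:c123,c456" for the
#    mount; if any condition is missing it falls back to recursive relabeling.
apiVersion: v1
kind: Pod
metadata:
  name: many-small-files
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"       # constructed MCS level for the example
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: data
```

On a cluster where the driver is already installed, the CSIDriver object can be edited in place to add seLinuxMount, which is what the last comment relies on. A practical check after applying the three objects is to compare the host's mount table for the volume (a context= option should appear for this pod) against a second pod that omits the level or uses a ReadWriteOnce claim, where kubelet should still perform the old recursive relabel; that confirms both the fast path and the unchanged fallback the comments describe.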