Merge pull request os-autoinst#23686 from ricardobranco777/docker_selinux

containers/docker: Apply workaround for bsc#1252290

Author: ricardobranco777

lib/containers/common.pm

@@ -154,7 +154,14 @@ sub install_docker_when_needed {
     systemctl('start docker', timeout => 180);
     systemctl('is-active docker');
     systemctl('status docker', timeout => 120);
-    install_oci_runtime("docker") if ($host_os =~ /sle|opensuse/);
+    if ($host_os =~ /sle|opensuse/) {
+        install_oci_runtime("docker");
+        if (script_run('test -d /sys/fs/selinux') == 0 && script_run("docker info -f '{{.SecurityOptions}}' | grep -q selinux")) {
+            record_soft_failure('bsc#1252290 - docker comes without SELinux support enabled by default');
+            assert_script_run q(sed -i '/DOCKER_OPTS/s/"$/ --selinux-enabled"/' /etc/sysconfig/docker);
+            systemctl('restart docker');
+        }
+    }
     record_info('docker', script_output('docker info'));
     record_info('version', script_output('docker version'));
 }

tests/containers/volumes.pm

@@ -24,7 +24,7 @@ sub run {
 
     # From https://docs.docker.com/storage/bind-mounts/
     # The --mount flag does not support z or Z options for modifying selinux labels.
-    my $Z = $runtime eq "podman" ? ",Z" : "";
+    my $z = $runtime eq "podman" ? ",z" : "";
 
     my $test_file = "test_file";
     my $test_image = "test_image";
@@ -36,6 +36,12 @@ sub run {
     # Create Dockerfile with VOLUME defined
     assert_script_run("echo -e 'FROM registry.opensuse.org/opensuse/busybox:latest\\nVOLUME /$test_dir' > $test_dir/Dockerfile");
 
+    if ($runtime eq "docker") {
+        my $selinux_enabled = script_run("test -d /sys/fs/selinux") == 0;
+        # Apply fix suggested in docker-run(1)
+        assert_script_run("chcon -Rt svirt_sandbox_file_t test_dir") if $selinux_enabled;
+    }
+
     # Build image
     assert_script_run("$runtime build -t $test_image -f $test_dir/Dockerfile $test_dir/");
 
@@ -48,29 +54,29 @@ sub run {
     # Case 2: Check that the volume from container is visible in another container, but the
     # first container is mounting it in the directory specified as VOLUME in the Dockerfile
     assert_script_run("touch $test_dir/$test_file");
-    assert_script_run("$runtime run -d --name $test_container -v \$PWD/$test_dir:/$test_dir:Z $test_image");
+    assert_script_run("$runtime run -d --name $test_container -v \$PWD/$test_dir:/$test_dir:z $test_image");
     assert_script_run("$runtime run --rm --volumes-from $test_container $test_image ls /$test_dir/$test_file");
 
     assert_script_run("$runtime rm -vf $test_container");
 
     # Test --volume option with directory (read-only)
-    assert_script_run("! $runtime run --rm --volume \$PWD/$test_dir:/$test_dir:ro,Z $test_image rm /$test_dir/$test_file");
+    assert_script_run("! $runtime run --rm --volume \$PWD/$test_dir:/$test_dir:ro,z $test_image rm /$test_dir/$test_file");
     assert_script_run("test -f $test_dir/$test_file");
 
     # Equivalent --mount option to above
-    assert_script_run("! $runtime run --rm --mount type=bind,source=\$PWD/$test_dir,destination=/$test_dir,readonly$Z $test_image rm /$test_dir/$test_file");
+    assert_script_run("! $runtime run --rm --mount type=bind,source=\$PWD/$test_dir,destination=/$test_dir,readonly$z $test_image rm /$test_dir/$test_file");
     assert_script_run("test -f $test_dir/$test_file");
 
     assert_script_run("rm $test_dir/$test_file");
 
     # Test --volume option with directory (read-write)
-    assert_script_run("$runtime run --rm --volume \$PWD/$test_dir:/$test_dir:Z $test_image touch /$test_dir/$test_file");
+    assert_script_run("$runtime run --rm --volume \$PWD/$test_dir:/$test_dir:z $test_image touch /$test_dir/$test_file");
     assert_script_run("test -f $test_dir/$test_file");
 
     assert_script_run("rm $test_dir/$test_file");
 
     # Equivalent --mount option to above
-    assert_script_run("$runtime run --rm --mount type=bind,source=\$PWD/$test_dir,destination=/${test_dir}$Z $test_image touch /$test_dir/$test_file");
+    assert_script_run("$runtime run --rm --mount type=bind,source=\$PWD/$test_dir,destination=/${test_dir}$z $test_image touch /$test_dir/$test_file");
     assert_script_run("test -f $test_dir/$test_file");
 
     # Test volume subcommands
@@ -94,14 +100,14 @@ sub run {
         assert_script_run("test -f $test_dir/$test_file");
 
         # Equivalent --mount option to above
-        assert_script_run("$runtime run --rm --mount type=volume,source=$test_volume,destination=/$test_dir$Z $test_image touch /$test_dir/$test_file");
+        assert_script_run("$runtime run --rm --mount type=volume,source=$test_volume,destination=/$test_dir$z $test_image touch /$test_dir/$test_file");
 
         # Test --volume option with volume (read-only)
         assert_script_run("! $runtime run --rm --volume $test_volume:/$test_dir:ro $test_image rm /$test_dir/$test_file");
         assert_script_run("test -f $test_dir/$test_file");
 
         # Equivalent --mount option to above
-        assert_script_run("! $runtime run --rm --mount type=volume,source=$test_volume,destination=/$test_dir,readonly$Z $test_image rm /$test_dir/$test_file");
+        assert_script_run("! $runtime run --rm --mount type=volume,source=$test_volume,destination=/$test_dir,readonly$z $test_image rm /$test_dir/$test_file");
 
         assert_script_run("$runtime volume rm $test_volume");
         assert_script_run("! $runtime volume inspect $test_volume");