Revert "Do not rewrite SELinux labels on volume mounts"

superseb · web-flow · commit 51a6b50a8446 · 2021-07-29T08:59:54.000+02:00
diff --git a/cluster/cluster.go b/cluster/cluster.go
@@ -99,7 +99,6 @@ const (
 	NameLabel              = "name"
 
 	WorkerThreads = util.WorkerThreads
-	SELinuxLabel  = services.SELinuxLabel
 
 	serviceAccountTokenFileParam = "service-account-key-file"
 
diff --git a/cluster/file-deployer.go b/cluster/file-deployer.go
@@ -60,15 +60,9 @@ func doDeployFile(ctx context.Context, host *hosts.Host, fileName, fileContents,
 	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
 		},
 	}
-	if hosts.IsDockerSELinuxEnabled(host) {
-		// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
-		logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, ContainerName, host.Address)
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
-
 	if err := docker.DoRunOnetimeContainer(ctx, host.DClient, imageCfg, hostCfg, ContainerName, host.Address, ServiceName, prsMap); err != nil {
 		return err
 	}
diff --git a/cluster/plan.go b/cluster/plan.go
@@ -266,10 +266,10 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, serviceOptions v3.Kubern
 		services.SidekickContainerName,
 	}
 	Binds := []string{
-		fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
+		fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
 	}
 	if c.Services.KubeAPI.AuditLog != nil && c.Services.KubeAPI.AuditLog.Enabled {
-		Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit", path.Join(host.PrefixPath, "/var/log/kube-audit")))
+		Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit:z", path.Join(host.PrefixPath, "/var/log/kube-audit")))
 		bytes, err := yaml.Marshal(c.Services.KubeAPI.AuditLog.Configuration.Policy)
 		if err != nil {
 			logrus.Warnf("Error while marshalling auditlog policy: %v", err)
@@ -358,7 +358,7 @@ func (c *Cluster) BuildKubeControllerProcess(host *hosts.Host, serviceOptions v3
 		services.SidekickContainerName,
 	}
 	Binds := []string{
-		fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
+		fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
 	}
 
 	for arg, value := range c.Services.KubeController.ExtraArgs {
@@ -485,29 +485,29 @@ func (c *Cluster) BuildKubeletProcess(host *hosts.Host, serviceOptions v3.Kubern
 		}
 	} else {
 		Binds = []string{
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
-			"/etc/cni:/etc/cni:rw",
-			"/opt/cni:/opt/cni:rw",
-			fmt.Sprintf("%s:/var/lib/cni", path.Join(host.PrefixPath, "/var/lib/cni")),
-			"/var/lib/calico:/var/lib/calico",
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
+			"/etc/cni:/etc/cni:rw,z",
+			"/opt/cni:/opt/cni:rw,z",
+			fmt.Sprintf("%s:/var/lib/cni:z", path.Join(host.PrefixPath, "/var/lib/cni")),
+			"/var/lib/calico:/var/lib/calico:z",
 			"/etc/resolv.conf:/etc/resolv.conf",
 			"/sys:/sys:rprivate",
-			host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave",
-			fmt.Sprintf("%s:%s:shared", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")),
-			"/var/lib/rancher:/var/lib/rancher:shared",
+			host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave,z",
+			fmt.Sprintf("%s:%s:shared,z", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")),
+			"/var/lib/rancher:/var/lib/rancher:shared,z",
 			"/var/run:/var/run:rw,rprivate",
 			"/run:/run:rprivate",
 			fmt.Sprintf("%s:/etc/ceph", path.Join(host.PrefixPath, "/etc/ceph")),
 			"/dev:/host/dev:rprivate",
-			"/var/log/containers:/var/log/containers",
-			"/var/log/pods:/var/log/pods",
+			"/var/log/containers:/var/log/containers:z",
+			"/var/log/pods:/var/log/pods:z",
 			"/usr:/host/usr:ro",
 			"/etc:/host/etc:ro",
 		}
 
 		// Special case to simplify using flex volumes
 		if path.Join(host.PrefixPath, "/var/lib/kubelet") != "/var/lib/kubelet" {
-			Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared")
+			Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared,z")
 		}
 	}
 	Binds = append(Binds, host.GetExtraBinds(kubelet.BaseService)...)
@@ -622,7 +622,7 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, serviceOptions v3.Kube
 		}
 	} else {
 		Binds = []string{
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
 			"/run:/run",
 		}
 
@@ -740,7 +740,7 @@ func (c *Cluster) BuildSchedulerProcess(host *hosts.Host, serviceOptions v3.Kube
 		services.SidekickContainerName,
 	}
 	Binds := []string{
-		fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
+		fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
 	}
 
 	for arg, value := range c.Services.Scheduler.ExtraArgs {
@@ -910,8 +910,8 @@ func (c *Cluster) BuildEtcdProcess(host *hosts.Host, etcdHosts []*hosts.Host, se
 	}
 
 	Binds := []string{
-		fmt.Sprintf("%s:%s", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir),
-		fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
+		fmt.Sprintf("%s:%s:z", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir),
+		fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
 	}
 
 	if serviceOptions.Etcd != nil {
diff --git a/hosts/hosts.go b/hosts/hosts.go
@@ -51,7 +51,6 @@ const (
 	CleanerContainerName    = "kube-cleaner"
 	LogCleanerContainerName = "rke-log-cleaner"
 	RKELogsPath             = "/var/lib/rancher/rke/log"
-	SELinuxLabel            = "label=type:rke_container_t"
 
 	B2DOS               = "Boot2Docker"
 	B2DPrefixPath       = "/mnt/sda1/rke"
@@ -307,14 +306,11 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) (
 	}
 	bindMounts := []string{}
 	for _, vol := range toCleanDirs {
-		bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol))
+		bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol))
 	}
 	hostCfg := &container.HostConfig{
 		Binds: bindMounts,
 	}
-	if IsDockerSELinuxEnabled(host) {
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
 	return imageCfg, hostCfg
 }
 
diff --git a/pki/deploy.go b/pki/deploy.go
@@ -86,7 +86,7 @@ func DeployStateOnPlaneHost(ctx context.Context, host *hosts.Host, stateDownload
 	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
 		},
 		Privileged: true,
 	}
@@ -142,7 +142,7 @@ func doRunDeployer(ctx context.Context, host *hosts.Host, containerEnv []string,
 	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
 		},
 		Privileged: true,
 	}
@@ -300,7 +300,7 @@ func FetchFileFromHost(ctx context.Context, filePath, image string, host *hosts.
 	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
 		},
 		Privileged: true,
 	}
diff --git a/pki/pki.go b/pki/pki.go
@@ -112,8 +112,8 @@ func SaveBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSystemI
 	hostCfg := &container.HostConfig{
 
 		Binds: []string{
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
-			fmt.Sprintf("%s:/backup", etcdSnapshotPath),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
+			fmt.Sprintf("%s:/backup:z", etcdSnapshotPath),
 		},
 		Privileged: true,
 	}
@@ -149,8 +149,8 @@ func ExtractBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSyst
 	hostCfg := &container.HostConfig{
 
 		Binds: []string{
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
-			fmt.Sprintf("%s:/backup", etcdSnapshotPath),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
+			fmt.Sprintf("%s:/backup:z", etcdSnapshotPath),
 		},
 		Privileged: true,
 	}
diff --git a/services/controlplane.go b/services/controlplane.go
@@ -374,7 +374,7 @@ func RunGetStateFileFromConfigMap(ctx context.Context, controlPlaneHost *hosts.H
 	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),
 		},
 		NetworkMode:   container.NetworkMode("host"),
 		RestartPolicy: container.RestartPolicy{Name: "no"},
diff --git a/services/etcd.go b/services/etcd.go
@@ -346,16 +346,12 @@ func RunEtcdSnapshotSave(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
 	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
+			fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
 		NetworkMode:   container.NetworkMode("host"),
 		RestartPolicy: container.RestartPolicy{Name: restartPolicy},
 	}
 
-	if hosts.IsDockerSELinuxEnabled(etcdHost) {
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
-
 	if once {
 		log.Infof(ctx, "[etcd] Running snapshot save once on host [%s]", etcdHost.Address)
 		logrus.Debugf("[etcd] Using command [%s] for snapshot save once container [%s] on host [%s]", getSanitizedSnapshotCmd(imageCfg, es.BackupConfig), EtcdSnapshotOnceContainerName, etcdHost.Address)
@@ -417,16 +413,12 @@ func RunGetStateFileFromSnapshot(ctx context.Context, etcdHost *hosts.Host, prsM
 	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
+			fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
 		},
 		NetworkMode:   container.NetworkMode("host"),
 		RestartPolicy: container.RestartPolicy{Name: "no"},
 	}
 
-	if hosts.IsDockerSELinuxEnabled(etcdHost) {
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
-
 	if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdStateFileContainerName, etcdHost.Address); err != nil {
 		return "", err
 	}
@@ -488,14 +480,11 @@ func DownloadEtcdSnapshotFromS3(ctx context.Context, etcdHost *hosts.Host, prsMa
 	log.Infof(ctx, s3Logline)
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
+			fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
 		NetworkMode:   container.NetworkMode("host"),
 		RestartPolicy: container.RestartPolicy{Name: "no"},
 	}
-	if hosts.IsDockerSELinuxEnabled(etcdHost) {
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
 	if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
 		return err
 	}
@@ -547,14 +536,11 @@ func RestoreEtcdSnapshot(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
 	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			"/opt/rke/:/opt/rke/",
-			fmt.Sprintf("%s:/var/lib/rancher/etcd", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
+			"/opt/rke/:/opt/rke/:z",
+			fmt.Sprintf("%s:/var/lib/rancher/etcd:z", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
 		NetworkMode: container.NetworkMode("host"),
 	}
-	if hosts.IsDockerSELinuxEnabled(etcdHost) {
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
 	if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdRestoreContainerName, etcdHost.Address); err != nil {
 		return err
 	}
@@ -624,13 +610,10 @@ func RunEtcdSnapshotRemove(ctx context.Context, etcdHost *hosts.Host, prsMap map
 
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
+			fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
 		},
 		RestartPolicy: container.RestartPolicy{Name: "no"},
 	}
-	if hosts.IsDockerSELinuxEnabled(etcdHost) {
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
 	if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdSnapshotRemoveContainerName, etcdHost.Address); err != nil {
 		return err
 	}
@@ -667,12 +650,9 @@ func GetEtcdSnapshotChecksum(ctx context.Context, etcdHost *hosts.Host, prsMap m
 	}
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			"/opt/rke/:/opt/rke/",
+			"/opt/rke/:/opt/rke/:z",
 		}}
 
-	if hosts.IsDockerSELinuxEnabled(etcdHost) {
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
 	if err := docker.DoRunContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdChecksumContainerName, etcdHost.Address, ETCDRole, prsMap); err != nil {
 		return checksum, err
 	}
@@ -751,14 +731,11 @@ func StartBackupServer(ctx context.Context, etcdHost *hosts.Host, prsMap map[str
 
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
+			fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
 		NetworkMode:   container.NetworkMode("host"),
 		RestartPolicy: container.RestartPolicy{Name: "no"},
 	}
-	if hosts.IsDockerSELinuxEnabled(etcdHost) {
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
 	if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdServeBackupContainerName, etcdHost.Address); err != nil {
 		return err
 	}
@@ -802,14 +779,11 @@ func DownloadEtcdSnapshotFromBackupServer(ctx context.Context, etcdHost *hosts.H
 
 	hostCfg := &container.HostConfig{
 		Binds: []string{
-			fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
-			fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
+			fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
+			fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
 		NetworkMode:   container.NetworkMode("host"),
 		RestartPolicy: container.RestartPolicy{Name: "on-failure"},
 	}
-	if hosts.IsDockerSELinuxEnabled(etcdHost) {
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-	}
 	if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
 		return err
 	}
@@ -852,13 +826,6 @@ func setEtcdPermissions(ctx context.Context, etcdHost *hosts.Host, prsMap map[st
 	hostCfg := &container.HostConfig{
 		Binds: []string{dataBind},
 	}
-
-	if hosts.IsDockerSELinuxEnabled(etcdHost) {
-		// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
-		logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, EtcdPermFixContainerName, etcdHost.Address)
-		hostCfg.SecurityOpt = []string{SELinuxLabel}
-	}
-
 	if err := docker.DoRunOnetimeContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdPermFixContainerName,
 		etcdHost.Address, ETCDRole, prsMap); err != nil {
 		return err
diff --git a/services/services.go b/services/services.go
@@ -52,7 +52,6 @@ const (
 
 	ContainerNameLabel = "io.rancher.rke.container.name"
 	MCSLabel           = "label=level:s0:c1000,c1001"
-	SELinuxLabel       = "label=type:rke_container_t"
 )
 
 type RestartFunc func(context.Context, *hosts.Host) error
@@ -143,10 +142,6 @@ func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config,
 				hostCfg.SecurityOpt = []string{MCSLabel}
 			}
 		}
-		// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
-		logrus.Debugf("Applying security opt label [%s] for etcd container on host [%s]", SELinuxLabel, host.Address)
-		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
-
 	}
 	return imageCfg, hostCfg, process.HealthCheck.URL
 }

Original file line number	Diff line number	Diff line change
`@@ -60,15 +60,9 @@ func doDeployFile(ctx context.Context, host *hosts.Host, fileName, fileContents,`
`60`	`60`	`}`
`61`	`61`	`hostCfg := &container.HostConfig{`
`62`	`62`	`Binds: []string{`
`63`		`- fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),`
	`63`	`+ fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),`
`64`	`64`	`},`
`65`	`65`	`}`
`66`		`- if hosts.IsDockerSELinuxEnabled(host) {`
`67`		`- // We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)`
`68`		`- logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, ContainerName, host.Address)`
`69`		`- hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)`
`70`		`- }`
`71`		`-`
`72`	`66`	`if err := docker.DoRunOnetimeContainer(ctx, host.DClient, imageCfg, hostCfg, ContainerName, host.Address, ServiceName, prsMap); err != nil {`
`73`	`67`	`return err`
`74`	`68`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,6 @@ const (`
`51`	`51`	`CleanerContainerName = "kube-cleaner"`
`52`	`52`	`LogCleanerContainerName = "rke-log-cleaner"`
`53`	`53`	`RKELogsPath = "/var/lib/rancher/rke/log"`
`54`		`- SELinuxLabel = "label=type:rke_container_t"`
`55`	`54`
`56`	`55`	`B2DOS = "Boot2Docker"`
`57`	`56`	`B2DPrefixPath = "/mnt/sda1/rke"`
`@@ -307,14 +306,11 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) (`
`307`	`306`	`}`
`308`	`307`	`bindMounts := []string{}`
`309`	`308`	`for _, vol := range toCleanDirs {`
`310`		`- bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol))`
	`309`	`+ bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol))`
`311`	`310`	`}`
`312`	`311`	`hostCfg := &container.HostConfig{`
`313`	`312`	`Binds: bindMounts,`
`314`	`313`	`}`
`315`		`- if IsDockerSELinuxEnabled(host) {`
`316`		`- hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)`
`317`		`- }`
`318`	`314`	`return imageCfg, hostCfg`
`319`	`315`	`}`
`320`	`316`
Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ func DeployStateOnPlaneHost(ctx context.Context, host *hosts.Host, stateDownload`
`86`	`86`	`}`
`87`	`87`	`hostCfg := &container.HostConfig{`
`88`	`88`	`Binds: []string{`
`89`		`- fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),`
	`89`	`+ fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),`
`90`	`90`	`},`
`91`	`91`	`Privileged: true,`
`92`	`92`	`}`
`@@ -142,7 +142,7 @@ func doRunDeployer(ctx context.Context, host *hosts.Host, containerEnv []string,`
`142`	`142`	`}`
`143`	`143`	`hostCfg := &container.HostConfig{`
`144`	`144`	`Binds: []string{`
`145`		`- fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),`
	`145`	`+ fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),`
`146`	`146`	`},`
`147`	`147`	`Privileged: true,`
`148`	`148`	`}`
`@@ -300,7 +300,7 @@ func FetchFileFromHost(ctx context.Context, filePath, image string, host *hosts.`
`300`	`300`	`}`
`301`	`301`	`hostCfg := &container.HostConfig{`
`302`	`302`	`Binds: []string{`
`303`		`- fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),`
	`303`	`+ fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),`
`304`	`304`	`},`
`305`	`305`	`Privileged: true,`
`306`	`306`	`}`
Original file line number	Diff line number	Diff line change
`@@ -374,7 +374,7 @@ func RunGetStateFileFromConfigMap(ctx context.Context, controlPlaneHost *hosts.H`
`374`	`374`	`}`
`375`	`375`	`hostCfg := &container.HostConfig{`
`376`	`376`	`Binds: []string{`
`377`		`- fmt.Sprintf("%s:/etc/kubernetes", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),`
	`377`	`+ fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),`
`378`	`378`	`},`
`379`	`379`	`NetworkMode: container.NetworkMode("host"),`
`380`	`380`	`RestartPolicy: container.RestartPolicy{Name: "no"},`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,6 @@ const (`
`52`	`52`
`53`	`53`	`ContainerNameLabel = "io.rancher.rke.container.name"`
`54`	`54`	`MCSLabel = "label=level:s0:c1000,c1001"`
`55`		`- SELinuxLabel = "label=type:rke_container_t"`
`56`	`55`	`)`
`57`	`56`
`58`	`57`	`type RestartFunc func(context.Context, *hosts.Host) error`
`@@ -143,10 +142,6 @@ func GetProcessConfig(process v3.Process, host hosts.Host) (container.Config,`
`143`	`142`	`hostCfg.SecurityOpt = []string{MCSLabel}`
`144`	`143`	`}`
`145`	`144`	`}`
`146`		`- // We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)`
`147`		`- logrus.Debugf("Applying security opt label [%s] for etcd container on host [%s]", SELinuxLabel, host.Address)`
`148`		`- hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)`
`149`		`-`
`150`	`145`	`}`
`151`	`146`	`return imageCfg, hostCfg, process.HealthCheck.URL`
`152`	`147`	`}`