SELinux: Mount image using different contexts

The OCI Volume Source Kubernetes enhancement (https://kep.k8s.io/4639) will require CRI-O to mount images on container creation. The pull itself will not change from a runtime perspective, but we need to use the existing `MountImage` API to create an OCI mount from the host path to the workload destination.

https://github.com/containers/storage/blob/52b643e1ff51ae0a05693adf8fae5a134b32b478/store.go#L259-L262

The API supports passing a `mountLabel`, but multiple containers could request the same image mount using different labels.

Would it make sense to extend the API to have a unique mount path per SELinux context?

cc @mrunalp @haircommander 

	// MountImage mounts an image to temp directory and returns the mount point.
	// MountImage allows caller to mount an image. Images will always
	// be mounted read/only
	MountImage(id string, mountOptions []string, mountLabel string) (string, error)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SELinux: Mount image using different contexts #1994

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SELinux: Mount image using different contexts #1994

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions