
SELinux support

Open sergiimk opened this issue 4 years ago • 2 comments

A user reported that kamu fails to pull a root dataset when installed on a fresh Fedora host:

[4/7] Failed to update root dataset (ca.bankofcanada.exchange-rates.daily)

Summary of errors:
ca.bankofcanada.exchange-rates.daily: Ingest error: Engine error: Process error: Process exited with code 1, see log files for details:
- .kamu/run/spark-DNSwZEEJZl.err.txt

Error: Partial failure

Spark logs:

Exception in thread "main" java.nio.file.AccessDeniedException: /opt/engine/in-out/request.yaml
	at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)

sergiimk, Jan 14 '22 21:01

Upon investigation we ran a simple test:

Create a simple file:

echo "test" > test.txt

Then we start a container:

podman run --rm -it -v `pwd`:/opt/engine/in-out --user=root --entrypoint=bash "docker.io/kamudata/engine-spark:0.15.0-spark_3.1.2"

Once inside, we try to read the file:

cat /opt/engine/in-out/test.txt

Which failed with:

cat: /opt/engine/in-out/test.txt: Permission denied

sergiimk, Jan 14 '22 21:01

The issue turned out to be SELinux enabled by default on Fedora.

When mounting volumes with SELinux, docker/podman require some extra labels: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

We should investigate adding detection and support for SELinux or other ways to work around this issue.

sergiimk, Jan 14 '22 21:01
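A sketch of the detection discussed in this thread, added here as an illustration and not taken from kamu-cli's code: it reads the `enforce` file of selinuxfs (normally `/sys/fs/selinux`) and appends the `:Z` relabel option from the linked Docker documentation to the bind mount when SELinux is enabled. The names `SelinuxMode`, `selinux_mode` and `volume_arg`, the protected-directory list and the sample host path are assumptions made for the example.

```rust
use std::fs;
use std::path::Path;

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum SelinuxMode { Disabled, Permissive, Enforcing }

/// Reads `<selinuxfs>/enforce`: "1" means enforcing, "0" permissive.
/// A missing file means selinuxfs is not mounted, i.e. SELinux is disabled.
/// The directory is a parameter so the check can be pointed at a test fixture.
pub fn selinux_mode(selinuxfs: &Path) -> SelinuxMode {
    match fs::read_to_string(selinuxfs.join("enforce")) {
        Ok(s) if s.trim() == "1" => SelinuxMode::Enforcing,
        Ok(_) => SelinuxMode::Permissive,
        Err(_) => SelinuxMode::Disabled,
    }
}

/// Builds the value passed to `podman run -v` / `docker run -v`.
pub fn volume_arg(host: &str, container: &str, mode: SelinuxMode) -> Result<String, String> {
    if mode == SelinuxMode::Disabled {
        return Ok(format!("{}:{}", host, container));
    }
    // Relabeling rewrites the SELinux context of the host directory itself.
    // The Docker docs warn that doing this to a system directory such as
    // /home or /usr breaks the host, so refuse those (list is illustrative).
    const NEVER_RELABEL: [&str; 6] = ["/", "/home", "/usr", "/etc", "/var", "/root"];
    let trimmed = host.trim_end_matches('/');
    let normalized = if trimmed.is_empty() { "/" } else { trimmed };
    if NEVER_RELABEL.contains(&normalized) {
        return Err(format!("refusing to relabel system directory {}", normalized));
    }
    // `:Z` applies a private label for this one container (assumed here: a
    // single engine container uses the directory at a time); `:z` is the
    // shared variant for content used by several containers.
    Ok(format!("{}:{}:Z", host, container))
}

fn main() {
    let mode = selinux_mode(Path::new("/sys/fs/selinux"));
    // Constructed sample path standing in for a workspace run directory.
    let arg = volume_arg("/tmp/kamu-workspace/run", "/opt/engine/in-out", mode);
    println!("SELinux: {:?}, volume argument: {:?}", mode, arg);
}
```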