extern/podman-compose
1
0
Fork 1
mirror of https://github.com/containers/podman-compose.git synced 2025-08-18 01:20:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1210 from jarovo/main

Browse Source 
Add relabel option to secrets
This commit is contained in:
Povilas Kanapickas
2025-06-05 13:02:18 +03:00
committed by GitHub
parent 4c6df85efa 82d7622c45
commit ee90712843
4 changed files with 42 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
podman_compose.py
View File

@@ -616,6 +616,7 @@ def get_secret_args(
declared_secret = compose.declared_secrets[secret_name]
source_file = declared_secret.get("file")
x_podman_relabel = declared_secret.get("x-podman.relabel")
dest_file = ""
secret_opts = ""
@@ -657,7 +658,18 @@ def get_secret_args(
dest_file = f"/run/secrets/{sec}"
else:
dest_file = secret_target
volume_ref = ["--volume", f"{source_file}:{dest_file}:ro,rprivate,rbind"]
mount_options = 'ro,rprivate,rbind'
selinux_relabel_to_mount_option_map = {None: "", "z": ",z", "Z": ",Z"}
try:
mount_options += selinux_relabel_to_mount_option_map[x_podman_relabel]
except KeyError as exc:
raise ValueError(
f'ERROR: Run secret "{secret_name} has invalid "relabel" option related '
+ f' to SELinux "{x_podman_relabel}". Expected "z" "Z" or nothing.'
) from exc
volume_ref = ["--volume", f"{source_file}:{dest_file}:{mount_options}"]
if secret_uid or secret_gid or secret_mode:
sec = secret_target if secret_target else secret_name