extern/podman-compose
1
0
Fork 1
mirror of https://github.com/containers/podman-compose.git synced 2025-06-20 03:37:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1210 from jarovo/main

Browse Source 
Add relabel option to secrets
This commit is contained in:
Povilas Kanapickas 2025-06-05 13:02:18 +03:00 committed by GitHub
commit ee90712843
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docs/Extensions.md
View File

@ -27,6 +27,22 @@ services:
For explanations of these extensions, please refer to the [Podman Documentation](https://docs.podman.io/). For explanations of these extensions, please refer to the [Podman Documentation](https://docs.podman.io/).
## Secrets
The following extension keys are available under `secret` configuration:
x-podman.relabel - Configure SELinux relabeling
For example, the following configures custom-secret to use mount with private and unshared content.
Only the current container can use a private volume.
```yml
secrets:
custom-secret:
x-podman.relabel: Z
```
For explanations of these extensions, please refer to the [podman-run --volume documentation](https://docs.podman.io/en/latest/markdown/podman-run.1.html#volume-v-source-volume-host-dir-container-dir-options)).
## Network management ## Network management
The following extension keys are available under network configuration: The following extension keys are available under network configuration:

1
newsfragments/secret-selinux-relabel-option.feature Normal file
View File

@ -0,0 +1 @@
- Add relabel option to secret to make possible to read the secret file by the contained process.

14
podman_compose.py
View File

@ -616,6 +616,7 @@ def get_secret_args(
declared_secret = compose.declared_secrets[secret_name] declared_secret = compose.declared_secrets[secret_name]
source_file = declared_secret.get("file") source_file = declared_secret.get("file")
x_podman_relabel = declared_secret.get("x-podman.relabel")
dest_file = "" dest_file = ""
secret_opts = "" secret_opts = ""
@ -657,7 +658,18 @@ def get_secret_args(
dest_file = f"/run/secrets/{sec}" dest_file = f"/run/secrets/{sec}"
else: else:
dest_file = secret_target dest_file = secret_target
volume_ref = ["--volume", f"{source_file}:{dest_file}:ro,rprivate,rbind"]
mount_options = 'ro,rprivate,rbind'
selinux_relabel_to_mount_option_map = {None: "", "z": ",z", "Z": ",Z"}
try:
mount_options += selinux_relabel_to_mount_option_map[x_podman_relabel]
except KeyError as exc:
raise ValueError(
f'ERROR: Run secret "{secret_name} has invalid "relabel" option related '
+ f' to SELinux "{x_podman_relabel}". Expected "z" "Z" or nothing.'
) from exc
volume_ref = ["--volume", f"{source_file}:{dest_file}:{mount_options}"]
if secret_uid or secret_gid or secret_mode: if secret_uid or secret_gid or secret_mode:
sec = secret_target if secret_target else secret_name sec = secret_target if secret_target else secret_name

12
tests/unit/test_container_to_args_secrets.py
View File

@ -306,6 +306,18 @@ class TestContainerToArgsSecrets(unittest.IsolatedAsyncioTestCase):
"file_secret", "file_secret",
repo_root() + "/test_dirname/my_secret:/run/secrets/file_secret:ro,rprivate,rbind", repo_root() + "/test_dirname/my_secret:/run/secrets/file_secret:ro,rprivate,rbind",
), ),
(
"relabel",
{"file_secret": {"file": "./my_secret", "x-podman.relabel": "Z"}},
"file_secret",
repo_root() + "/test_dirname/my_secret:/run/secrets/file_secret:ro,rprivate,rbind,Z",
),
(
"relabel",
{"file_secret": {"file": "./my_secret", "x-podman.relabel": "z"}},
"file_secret",
repo_root() + "/test_dirname/my_secret:/run/secrets/file_secret:ro,rprivate,rbind,z",
),
( (
"custom_target_name", "custom_target_name",
{ {