Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix podman+selinux compatibility #132

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix podman+selinux compatibility #132

wants to merge 1 commit into from

Conversation

russellb
Copy link
Contributor

@russellb russellb commented Sep 27, 2024
edited
Loading

commit c39ba23
Author: Russell Bryant [email protected]
Date: Fri Sep 27 14:05:18 2024 +0000

Fix podman+selinux compatibility

When I ran `llama stack configure` for my `docker` based stack on my
system using podman + SELinux (CentOS Stream 9), The `podman run`
command failed due to SELinux blocking access to the volume mount.

As a simple fix, disable SELinux label checking.

Signed-off-by: Russell Bryant <[email protected]>

@facebook-github-bot
Copy link

Hi @russellb!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at [email protected]. Thanks!

markmc
markmc reviewed Sep 27, 2024
View reviewed changes
llama_stack/distribution/configure_container.sh Outdated
volume_opts=""
# If DOCKER_BINARY is podman and the system uses selinux
if [ "${DOCKER_BINARY}" = "podman" ] && [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
volume_opts=":z"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIR, it's safe to pass ":z" to Docker or to Podman if SELinux is disabled

@markmc
Copy link

markmc commented Sep 27, 2024

start_container.sh needs this too, perhaps with :Z for the model checkpoints dir since it would be shared between containers?

@markmc
Copy link

markmc commented Sep 27, 2024

start_container.sh needs this too, perhaps with :Z for the model checkpoints dir since it would be shared between containers?

Also, build_container.sh - and maybe for that, since it is the llama-stack source directory, it would be better just to use --security-opt=label=disable so we're not relabelling the source dir?

@facebook-github-bot facebook-github-bot added the CLA Signed This label is managed by the Meta Open Source bot. label Sep 27, 2024
@facebook-github-bot
Copy link

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@russellb
Copy link
Contributor Author

@markmc thanks for highlighting where else this is needed! I had only changed the one spot I hit a failure in so far. I'll update this based on your feedback.

@russellb russellb changed the title configure: fix podman+selinux compatibility Fix podman+selinux compatibility Sep 28, 2024
@russellb
Copy link
Contributor Author

@markmc thanks again for the review. Can you take another look when you have a chance? Thanks!

@russellb
Fix podman+selinux compatibility
c39ba23 
When I ran `llama stack configure` for my `docker` based stack on my
system using podman + SELinux (CentOS Stream 9), The `podman run`
command failed due to SELinux blocking access to the volume mount.

As a simple fix, disable SELinux label checking.

Signed-off-by: Russell Bryant <[email protected]>
@russellb
Copy link
Contributor Author

start_container.sh needs this too, perhaps with :Z for the model checkpoints dir since it would be shared between containers?

Also, build_container.sh - and maybe for that, since it is the llama-stack source directory, it would be better just to use --security-opt=label=disable so we're not relabelling the source dir?

I ended up just doing this everywhere. I tried to be more clever, but when run failed because SELinux blocked access to the GPUs I gave up and took the easy route.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markmc markmc markmc left review comments

@ashwinb ashwinb Awaiting requested review from ashwinb ashwinb is a code owner

@yanxi0830 yanxi0830 Awaiting requested review from yanxi0830 yanxi0830 is a code owner

@hardikjshah hardikjshah Awaiting requested review from hardikjshah hardikjshah is a code owner

@dltn dltn Awaiting requested review from dltn dltn is a code owner

@raghotham raghotham Awaiting requested review from raghotham raghotham is a code owner

Assignees
No one assigned
Labels
CLA Signed This label is managed by the Meta Open Source bot.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@russellb @facebook-github-bot @markmc