mirror of
https://github.com/scylladb/scylladb.git
synced 2026-05-30 11:36:54 +00:00
5f98b81cb3
By default, Docker uses SELinux to prevent malicious code in the container from "escaping" and touching files outside the container: The container is only allowed to touch files with a special SELinux label, which the outside files simply do not have. However, this means that if you want to "mount" outside files into the container, Docker needs to add the special label to them. This is why one needs to use the ":z" option when mounting an outside file inside docker - it asks docker to "relabel" the directory to be usable in Docker. But this relabeling process is slow and potentially harmful if done to large directories such as your home directory, where you may theoretically have SELinux labels for other reasons. The relabling is also unnecessary - we don't really need the SELinux protection in dbuild. Dbuild was meant to provide a common toolchain - it was never meant to protect the build host from a malicious build script. The alternative we use in this patch is "--security-opt label=disable". This allows the container to access any file in the host filesystem, but as usual - only if it's explicitly "mounted" into the container. All ":z" we added in the past can be removed. Signed-off-by: Nadav Har'El <nyh@scylladb.com> Closes #10945