mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00

Merge pull request #41252 from MirzWeiss/BZ-2040457

BZ:2040457 - Updated known issue in RN with additional information.
This commit is contained in:
Christopher Tauchen
2022-02-09 10:32:49 +00:00
committed by GitHub


@@ -47,7 +47,13 @@ You can now install the {sandboxed-containers-operator} in a disconnected enviro
[id="sandboxed-containers-1-1-known-issues"]
== Known issues
* If you are using {sandboxed-containers-first}, you cannot use the `hostPath` volume in an {product-title} cluster to mount a file or directory from the host nodes file system into your pod. As an alternative, you can use local persistent volumes. See xref:../storage/persistent_storage/persistent-storage-local.adoc[Persistent storage using local volumes] for more information. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1904609[*BZ#1904609*])
* If you are using {sandboxed-containers-first}, you might receive SELinux denials accessing files or directories mounted from the `hostPath` volume in an {product-title} cluster. These denials can occur even when running privileged sandboxed containers, since privileged sandboxed containers do not disable SELinux checks.
+
Following SELinux policy on the host guarantees full isolation of the host file system from the sandboxed workload by default, and provides stronger protection against potential security flaws in `virtiofsd` or QEMU.
+
If the mounted files or directories do not have specific SELinux requirements on the host, you can use local persistent volumes as an alternative. Files are automatically relabeled to `container_file_t`, following SELinux policy for container runtimes. See xref:../storage/persistent_storage/persistent-storage-local.adoc[Persistent storage using local volumes] for more information.
+
Automatic relabeling is not an option when mounted files or directories are expected to have specific SELinux labels on the host. Instead, you can set custom SELinux rules on the host in order to allow virtiofsd to access these specific labels. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1904609[*BZ#1904609*])
[id="sandboxed-containers-1-1-asynchronous-errata-updates"]
== Asynchronous errata updates
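Review bot: the bug link closing the new `hostPath`/SELinux bullet points at BZ#1904609, the same bug already cited by the preceding `hostPath` bullet, while the pull request title and commit message reference BZ-2040457; please confirm that `link:https://bugzilla.redhat.com/show_bug.cgi?id=1904609[*BZ#1904609*]` is the intended reference for this known issue and not a copy-paste carry-over from the bullet above. Minor: `virtiofsd` is set in monospace in the second paragraph of the bullet but appears as plain `virtiofsd` in the last paragraph ("allow virtiofsd to access these specific labels"); use the backtick form consistently. The bare `+` lines are correct AsciiDoc list continuations, so the three added paragraphs will render as part of the same bullet.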