From df72802a1ed8b5236095bcfc13f58bcc92509d3a Mon Sep 17 00:00:00 2001
From: Jeff MAURY
Date: Thu, 7 Mar 2024 10:22:51 +0100
Subject: [PATCH] fix: disable selinux label when mounting a volume
Fixes #130
Signed-off-by: Jeff MAURY
---
 packages/backend/src/managers/applicationManager.ts | 10 ++++++----
 packages/backend/src/managers/playground.spec.ts | 2 ++
 packages/backend/src/managers/playground.ts | 3 ++-
 packages/backend/src/utils/utils.ts | 2 ++
 4 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/packages/backend/src/managers/applicationManager.ts b/packages/backend/src/managers/applicationManager.ts
index f6b651373..7ad54cef6 100644
--- a/packages/backend/src/managers/applicationManager.ts
+++ b/packages/backend/src/managers/applicationManager.ts
@@ -21,10 +21,11 @@ import type { GitCloneInfo, GitManager } from './gitManager';
 import fs from 'fs';
 import * as path from 'node:path';
 import {
- type PodCreatePortOptions,
 containerEngine,
- type TelemetryLogger,
+ type HostConfig,
+ type PodCreatePortOptions,
 type PodInfo,
+ type TelemetryLogger,
 type Webview,
 } from '@podman-desktop/api';
 import type { AIConfig, AIConfigFile, ContainerConfig } from '../models/AIConfig';
@@ -35,7 +36,7 @@ import type { ModelInfo } from '@shared/src/models/IModelInfo';
 import type { ModelsManager } from './modelsManager';
 import { getPortsInfo } from '../utils/ports';
 import { goarch } from '../utils/arch';
-import { getDurationSecondsSince, timeout } from '../utils/utils';
+import { DISABLE_SELINUX_LABEL_SECURITY_OPTION, getDurationSecondsSince, timeout } from '../utils/utils';
 import type { LocalRepositoryRegistry } from '../registries/LocalRepositoryRegistry';
 import { LABEL_MODEL_ID, LABEL_MODEL_PORTS } from './playground';
 import type { ApplicationState } from '@shared/src/models/IApplicationState';
@@ -257,7 +258,7 @@ export class ApplicationManager {
 const containers: ContainerAttachedInfo[] = [];
 await Promise.all(
 images.map(async image => {
- let hostConfig: unknown;
+ let hostConfig: HostConfig;
 let envs: string[] = [];
 // if it's a model service we mount the model as a volume
 if (image.modelService) {
@@ -271,6 +272,7 @@ export class ApplicationManager {
 Type: 'bind',
 },
 ],
+ SecurityOpt: [DISABLE_SELINUX_LABEL_SECURITY_OPTION],
 };
 envs = [`MODEL_PATH=/${modelName}`];
 } else {
diff --git a/packages/backend/src/managers/playground.spec.ts b/packages/backend/src/managers/playground.spec.ts
index b3125bc75..44d623f56 100644
--- a/packages/backend/src/managers/playground.spec.ts
+++ b/packages/backend/src/managers/playground.spec.ts
@@ -24,6 +24,7 @@ import type { ImageInfo, TelemetryLogger, Webview } from '@podman-desktop/api';
 import type { ModelInfo } from '@shared/src/models/IModelInfo';
 import OpenAI from 'openai';
 import { Stream } from 'openai/streaming';
+import { DISABLE_SELINUX_LABEL_SECURITY_OPTION } from '../utils/utils';
 const mocks = vi.hoisted(() => ({
 postMessage: vi.fn(),
@@ -138,6 +139,7 @@ test('startPlayground should download image if not present then create container
 Type: 'bind',
 },
 ],
+ SecurityOpt: [DISABLE_SELINUX_LABEL_SECURITY_OPTION],
 PortBindings: {
 '8000/tcp': [
 {
diff --git a/packages/backend/src/managers/playground.ts b/packages/backend/src/managers/playground.ts
index 3232ce7e5..2447d23e2 100644
--- a/packages/backend/src/managers/playground.ts
+++ b/packages/backend/src/managers/playground.ts
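Review bot: `SecurityOpt: [DISABLE_SELINUX_LABEL_SECURITY_OPTION]` in the `image.modelService` branch turns off SELinux label separation for the whole container, not only for the model bind mount, so the model service loses that layer of confinement against the host. The same option is added in the `@@ -212,6 +212,7 @@` hunk of playground.ts. Assuming the container only needs to read the model (the mount entry is only partly visible here), consider compensating with `ReadOnly: true` on the mount entry, if the `Mounts` type accepts it and it is not already set, and record the trade-off next to the option: `// label=disable: lets the container read the user's model file on SELinux hosts, at the cost of SELinux separation for this container`. The `hostConfig` literal and the `else` branch continue outside the hunk, so it is also worth confirming that `let hostConfig: HostConfig;` is assigned on every path before it is used.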
@@ -33,7 +33,7 @@ import type { PlaygroundState, PlaygroundStatus } from '@shared/src/models/IPlay
 import type { ContainerRegistry } from '../registries/ContainerRegistry';
 import type { PodmanConnection } from './podmanConnection';
 import OpenAI from 'openai';
-import { getDurationSecondsSince, timeout } from '../utils/utils';
+import { DISABLE_SELINUX_LABEL_SECURITY_OPTION, getDurationSecondsSince, timeout } from '../utils/utils';
 import type { ModelInfo } from '@shared/src/models/IModelInfo';
 export const LABEL_MODEL_ID = 'ai-studio-model-id';
@@ -212,6 +212,7 @@ export class PlayGroundManager {
 Type: 'bind',
 },
 ],
+ SecurityOpt: [DISABLE_SELINUX_LABEL_SECURITY_OPTION],
 PortBindings: {
 '8000/tcp': [
 {
diff --git a/packages/backend/src/utils/utils.ts b/packages/backend/src/utils/utils.ts
index d59f1efc3..959de3cae 100644
--- a/packages/backend/src/utils/utils.ts
+++ b/packages/backend/src/utils/utils.ts
@@ -49,3 +49,5 @@ export async function isEndpointAlive(endPoint: string): Promise {
 export function getDurationSecondsSince(startTimeMs: number) {
 return Math.round((performance.now() - startTimeMs) / 1000);
 }
+
+export const DISABLE_SELINUX_LABEL_SECURITY_OPTION = 'label=disable';
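Review bot: The new exported constant `DISABLE_SELINUX_LABEL_SECURITY_OPTION` in utils.ts has no comment, although its value `'label=disable'` is a security-relevant setting that callers now place in `SecurityOpt`. Add a TSDoc comment above it, for example `/** Security option that turns off SELinux label separation for a container; use only where a host bind mount cannot otherwise be read (see #130). */`. A reader who meets the name inside a `HostConfig` should be able to tell from the declaration that it weakens container confinement rather than labelling the volume.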