Skip to content

fix: Add SELinux label to local docker volumes #3790

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
May 17, 2023
Merged

fix: Add SELinux label to local docker volumes #3790

merged 7 commits into from
May 17, 2023

Conversation

sodre
Copy link
Contributor

@sodre sodre commented Apr 14, 2023
edited
Loading

Issue #, if available:

Description of changes:
Add the SELinux ":z" option to the docker volume mounts. Without this setting the mounted volume is not visible inside the container. More documentation about the SELabel mount options and docker can be found in this blog-post

Testing done:
Ran sagemaker local in an SELinux enabled workstation.

Merge Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your pull request.

General

  • I have read the CONTRIBUTING doc
  • I certify that the changes I am introducing will be backward compatible, and I have discussed concerns about this, if any, with the Python SDK team
  • I used the commit message format described in CONTRIBUTING
  • I have passed the region in to all S3 and STS clients that I've initialized as part of this change.
  • I have updated any necessary documentation, including READMEs and API docs (if appropriate)

Tests

  • I have added tests that prove my fix is effective or that my feature works (if appropriate)
  • I have added unit and/or integration tests as appropriate to ensure backward compatibility of the changes
  • I have checked that my tests are not configured for a specific region or account (if appropriate)
  • I have used unique_name_from_base to create resource names in integ tests (if appropriate)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sodre sodre requested a review from a team as a code owner April 14, 2023 18:56
@sodre sodre requested review from knikure and removed request for a team April 14, 2023 18:56
@sodre sodre marked this pull request as draft April 14, 2023 18:57
@knikure knikure self-assigned this Apr 24, 2023
@knikure knikure force-pushed the f/sm-local-selinux branch from 16d174e to 047e158 Compare April 24, 2023 20:20
@sodre sodre force-pushed the f/sm-local-selinux branch from 734b7bf to 4bae16e Compare May 4, 2023 22:02
@sodre sodre marked this pull request as ready for review May 4, 2023 22:02
@sodre
Copy link
Contributor Author

sodre commented May 4, 2023

@knikure, this PR is ready for review

sodre
sodre commented May 4, 2023
View reviewed changes
Copy link
Contributor Author

@sodre sodre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added notes for reviewer.

src/sagemaker/local/image.py Outdated
@@ -49,6 +49,9 @@
TRAINING_JOB_NAME_ENV_NAME = "TRAINING_JOB_NAME"
S3_ENDPOINT_URL_ENV_NAME = "S3_ENDPOINT_URL"

# SELinux Enabled
SELINUX_ENABLED = os.environ.get("SAGEMAKER_LOCAL_SELINUX_ENABLED", "False").lower() in ["1", "true", "yes"]
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I used an environment variable because I could not find a pythonic way to check if the system is running SELinux. The selinux package in pypi failed on my workstation when installed inside a conda environment, so I am discarding that option.

tests/unit/sagemaker/local/test_local_image.py
@@ -513,6 +513,7 @@ def test_train_local_code(get_data_source_instance, tmpdir, sagemaker_session):
assert config["services"][h]["image"] == image
assert config["services"][h]["command"] == "train"
volumes = config["services"][h]["volumes"]
volumes = [v[:-2] if v.endswith(":z") else v for v in volumes]
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the :z SELinux label while reading the volume back from compose_data

src/sagemaker/local/image.py
@@ -349,6 +352,7 @@ def retrieve_artifacts(self, compose_data, output_data_config, job_name):
# Gather the artifacts from all nodes into artifacts/model and artifacts/output
for host in self.hosts:
volumes = compose_data["services"][str(host)]["volumes"]
volumes = [v[:-2] if v.endswith(":z") else v for v in volumes]
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the :z SELinux label while reading the volume back from compose_data

knikure
knikure reviewed May 5, 2023
View reviewed changes
Copy link
Contributor

@knikure knikure left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/bot run all

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: cc75bfb
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@knikure
Copy link
Contributor

knikure commented May 5, 2023

@knikure, this PR is ready for review

@sodre Can you fix pylint and other errors listed in unit-tests build logs?

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-local-mode-tests
  • Commit ID: cc75bfb
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-notebook-tests
  • Commit ID: cc75bfb
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-pr
  • Commit ID: cc75bfb
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-slow-tests
  • Commit ID: cc75bfb
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sodre sodre force-pushed the f/sm-local-selinux branch from 2453ae9 to ba4fc0f Compare May 12, 2023 13:54
@sodre
Copy link
Contributor Author

sodre commented May 12, 2023

/bot run all

@sodre
Copy link
Contributor Author

sodre commented May 12, 2023

@knikure, I fixed the lint issues. I don't think the failed integration tests are related to the change I made. Can you trigger the CI/CD again?

@knikure knikure force-pushed the f/sm-local-selinux branch from a129ece to 41e6187 Compare May 16, 2023 20:58
knikure
knikure reviewed May 16, 2023
View reviewed changes
Copy link
Contributor

@knikure knikure left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/bot run pr, slow-tests

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-local-mode-tests
  • Commit ID: 41e6187
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-notebook-tests
  • Commit ID: 41e6187
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: 41e6187
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@codecov-commenter
Copy link

codecov-commenter commented May 16, 2023
edited
Loading

Codecov Report

Merging #3790 (41e6187) into master (ca2d1c1) will decrease coverage by 0.71%.
The diff coverage is 98.59%.

@@            Coverage Diff             @@
##           master    #3790      +/-   ##
==========================================
- Coverage   89.95%   89.25%   -0.71%     
==========================================
  Files        1140      267     -873     
  Lines      105316    26061   -79255     
==========================================
- Hits        94741    23261   -71480     
+ Misses      10575     2800    -7775
Impacted Files Coverage Δ
src/sagemaker/inputs.py 100.00% <ø> (ø)
src/sagemaker/remote_function/client.py 96.90% <ø> (ø)
...rc/sagemaker/remote_function/core/serialization.py 96.07% <97.67%> (ø)
src/sagemaker/experiments/run.py 99.14% <100.00%> (ø)
...ference_recommender/inference_recommender_mixin.py 95.00% <100.00%> (ø)
src/sagemaker/local/image.py 76.48% <100.00%> (ø)
.../sagemaker/remote_function/core/stored_function.py 100.00% <100.00%> (ø)
src/sagemaker/remote_function/errors.py 100.00% <100.00%> (ø)
src/sagemaker/remote_function/invoke_function.py 77.35% <100.00%> (ø)
src/sagemaker/remote_function/job.py 88.93% <100.00%> (ø)

... and 1397 files with indirect coverage changes

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-slow-tests
  • Commit ID: 41e6187
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-pr
  • Commit ID: 41e6187
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-pr
  • Commit ID: 41e6187
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-slow-tests
  • Commit ID: 41e6187
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@knikure knikure merged commit 0809b05 into aws:master May 17, 2023
@sodre sodre deleted the f/sm-local-selinux branch May 24, 2023 18:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knikure knikure knikure approved these changes

Assignees

@knikure knikure

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sodre @sagemaker-bot @knikure @codecov-commenter