From 991a5ab5e33d1002066c96aabb7cc05e8085e119 Mon Sep 17 00:00:00 2001
From: Giles Knap
Date: Tue, 10 Dec 2024 08:05:10 +0000
Subject: [PATCH] fix security opt in phoebus launch
---
 .copier-answers.yml | 2 +-
 opi/phoebus-launch.sh | 10 ++++------
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/.copier-answers.yml b/.copier-answers.yml
index df0d692..5e5e788 100644
--- a/.copier-answers.yml
+++ b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier; NEVER EDIT MANUALLY
-_commit: 4.1.0
+_commit: 4.1.0-4-ged64dd7
 _src_path: gh:epics-containers/ioc-template
 description: Generic IOC for the Delta Tau turbo pmac and power pmac motion controllers
 git_platform: github.com
diff --git a/opi/phoebus-launch.sh b/opi/phoebus-launch.sh
index 3341945..c923537 100755
--- a/opi/phoebus-launch.sh
+++ b/opi/phoebus-launch.sh
@@ -17,12 +17,12 @@ settings="
 -settings /tmp/settings.ini
 "
-if which phoebus.sh &>/dev/null ; then
+if which phoebus.sh &>/dev/null && [[ -z ${use_container} ]] ; then
 echo "Using phoebus.sh from PATH"
 set -x
 phoebus.sh ${settings} "${@}"
-elif module load phoebus 2>/dev/null; then
+elif module load phoebus 2>/dev/null && [[ -z ${use_container} ]] ; then
 echo "Using phoebus module"
 set -x
 phoebus.sh ${settings} "${@}"
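Review bot: In the new `elif` condition, `module load phoebus` still runs before `[[ -z ${use_container} ]]` is evaluated, so a user who asks for the container presumably gets the module loaded into the shell anyway before falling through to the container branch. Testing the flag first avoids that side effect and the needless `which` lookup: `elif [[ -z ${use_container} ]] && module load phoebus 2>/dev/null ; then`, and likewise for the `if`. `use_container` is not assigned anywhere in this hunk; if it is meant to come from the caller's environment, an upper-case name would match `USE_DOCKER` further down, and the script's header comment should mention it. The `if`/`elif` chain continues outside the hunk.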
@@ -33,16 +33,14 @@ else
 # prefer podman but use docker if USE_DOCKER is set
 if podman version &> /dev/null && [[ -z $USE_DOCKER ]]
 then docker=podman; UIDGID=0:0
- else docker=docker; UIDGID=$(id -u):$(id -g)
+ else docker=docker; UIDGID=$(id -u):$(id -g); xhost +SI:localuser:$(id -un)
 fi
 echo "Using $docker as container runtime"
- # ensure local container users can access X11 server
- xhost +SI:localuser:$(id -un)
 # settings for container launch
 x11="-e DISPLAY --net host"
- args="--rm -it --security-opt=label=none --user ${UIDGID}"
+ args="--rm -it --security-opt=label=disable --user ${UIDGID}"
 mounts="-v=/tmp:/tmp -v=${workspace}:/workspace -v=${workspace}/..:/workspaces"
 image="ghcr.io/epics-containers/ec-phoebus:latest"
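Review bot: The `--security-opt=label=disable` on the new `args=` line turns SELinux label separation off for the whole container, and nothing in the script records why. With host `/tmp` bind-mounted and `--net host` on the neighbouring lines, that choice deserves a comment so it is not copied elsewhere unexamined. A line above `args=` such as `# label=disable: SELinux separation is off so the container can use the bind-mounted /tmp and workspace without relabelling host files` would do, if that is indeed the reason. The `xhost +SI:localuser:$(id -un)` now appended to the docker `else` line lost its explanatory comment in this commit, and the grant stays in the X server's access list after the container exits; restoring the comment on a line of its own would keep that visible. The enclosing `else` branch starts before and continues past this hunk.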