Fix podman+selinux compatibility (meta-llama#132)

russellb · web-flow · commit cb36be320fba · 2024-09-29T20:19:44.000-07:00
When I ran `llama stack configure` for my `docker` based stack on my
system using podman + SELinux (CentOS Stream 9), The `podman run`
command failed due to SELinux blocking access to the volume mount.

As a simple fix, disable SELinux label checking.

Signed-off-by: Russell Bryant &lt;rbryant@redhat.com&gt;
diff --git a/llama_stack/distribution/build_container.sh b/llama_stack/distribution/build_container.sh
@@ -117,6 +117,9 @@ if [ -n "$LLAMA_MODELS_DIR" ]; then
   mounts="$mounts -v $(readlink -f $LLAMA_MODELS_DIR):$models_mount"
 fi
 
+# Disable SELinux labels -- we don't want to relabel the llama-stack source dir
+DOCKER_OPTS="$DOCKER_OPTS --security-opt label=disable"
+
 set -x
 $DOCKER_BINARY build $DOCKER_OPTS -t $image_name -f "$TEMP_DIR/Dockerfile" "$REPO_DIR" $mounts
 set +x
diff --git a/llama_stack/distribution/configure_container.sh b/llama_stack/distribution/configure_container.sh
@@ -27,6 +27,9 @@ docker_image="$1"
 host_build_dir="$2"
 container_build_dir="/app/builds"
 
+# Disable SELinux labels
+DOCKER_OPTS="$DOCKER_OPTS --security-opt label=disable"
+
 set -x
 $DOCKER_BINARY run $DOCKER_OPTS -it \
   -v $host_build_dir:$container_build_dir \
diff --git a/llama_stack/distribution/start_container.sh b/llama_stack/distribution/start_container.sh
@@ -39,6 +39,9 @@ shift
 
 set -x
 
+# Disable SELinux labels
+DOCKER_OPTS="$DOCKER_OPTS --security-opt label=disable"
+
 if [ -n "$LLAMA_CHECKPOINT_DIR" ]; then
   $DOCKER_BINARY run $DOCKER_OPTS -it \
     -p $port:$port \
