helpers for local development#518

Open
zmiklank wants to merge 1 commit into envoyproxy:release/v1.36 from zmiklank:add_openssl_run
Conversation

@zmiklank
Contributor

  • support selinux enabled systems
  • add openssl/run_envoy_docker.sh script for easier local builds

- support selinux enabled systems
- add openssl/run_envoy_docker.sh script for easier local builds

Signed-off-by: Zuzana Miklankova <zmiklank@redhat.com>
- ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build
- ${SOURCE_DIR:-..}:/source
- ${SHARED_TMP_DIR:-/tmp/bazel-shared}:${SHARED_TMP_DIR:-/tmp/bazel-shared}
- ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build:z
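Review bot: in the visible lines only the /build mount gains the `:z` suffix; the `/source` and `${SHARED_TMP_DIR}` mounts in the surrounding context keep their unlabelled form, so on an enforcing host the container will still be denied access there unless those lines change as well. A one-line comment in the compose file would also help future readers: `:z` makes Docker relabel the host directory recursively (via chcon) with a shared container label, so applying it to `${SOURCE_DIR:-..}` relabels the whole checkout, and the shared Bazel tmp directory, mapped to the same path on both sides, needs the same label to stay usable from inside the container.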
Member


Is this applicable on upstream (main branch at least)?

Contributor Author


Yup, I hope so. After some more testing I would like to contribute this upstream too.

Member


What kind of more tests? Remember, this is also upstream, used by other parties.

Contributor Author


I wanted to try to run this on Ubuntu.

@jwendell
Member

The key change to the docker compose file is adding :z to every volume mount. This is a SELinux volume label option that tells Docker to relabel the volume content with a shared SELinux label so the container can access it.

On SELinux-enabled systems (Fedora, RHEL, CentOS): This is necessary — without it, containers may get "permission denied" errors when accessing mounted volumes.

On Ubuntu: Ubuntu does not enable SELinux by default (it uses AppArmor instead). When SELinux is not active, Docker simply ignores the :z flag. So this change is harmless on Ubuntu — it will work fine.

The :z (lowercase) flag applies a shared label (svirt_sandbox_file_t), meaning multiple containers can access the volume. This is the correct choice here (as opposed to :Z uppercase, which would restrict access to a single container and could break things like the docker socket mount).

Bottom line: This will work on Ubuntu. The :z flag is a no-op when SELinux is not enabled, so Ubuntu users won't see any difference in behavior.
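The behaviour described in the comment above (`:z` for a shared relabel, `:Z` for a single-container relabel, and a no-op when SELinux is absent) can be made explicit in a helper script. The following POSIX sh block is an added example for this thread, not code from the PR or from Envoy's own `run_envoy_docker.sh`: the function names `selinux_mode`, `volume_spec` and `check_label` are hypothetical, the `/tmp/envoy-docker-build` and `/build` paths are the ones from the compose file, and the label name `container_file_t` is the current name of the type the comment calls `svirt_sandbox_file_t` (the old name survives as an alias).

```shell
#!/bin/sh
# Added example (not part of the PR): pick the SELinux volume suffix for a
# docker bind mount and verify the resulting host label. Function names are
# hypothetical; paths /tmp/envoy-docker-build and /build come from the PR.

# Report the SELinux mode: Enforcing, Permissive, Disabled, or "None" when the
# host has no SELinux userland at all (e.g. Ubuntu, which uses AppArmor).
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo None
    fi
}

# Build a docker "-v" volume spec.
#   $1 host path, $2 container path, $3 SELinux mode (from selinux_mode),
#   $4 "shared" (:z, several containers may use the mount) or "private" (:Z).
# The suffix is only emitted when SELinux is Enforcing or Permissive; Docker
# ignores it otherwise, so leaving it out keeps the spec honest on such hosts.
# The Docker daemon socket is never relabelled: :z/:Z run chcon on the host
# object, and changing a system socket's context is not what we want.
volume_spec() {
    host=$1; ctr=$2; mode=$3; scope=${4:-shared}
    case "$host" in
        /var/run/docker.sock|/run/docker.sock) echo "$host:$ctr"; return 0 ;;
    esac
    case "$mode" in
        Enforcing|Permissive)
            case "$scope" in
                shared)  echo "$host:$ctr:z" ;;
                private) echo "$host:$ctr:Z" ;;
                *) echo "volume_spec: unknown scope '$scope'" >&2; return 1 ;;
            esac ;;
        *) echo "$host:$ctr" ;;
    esac
}

# After the container has started once, confirm the host directory carries a
# container-accessible type. Returns 0 when the label is right or when SELinux
# is not active (there is nothing to check on Ubuntu-style hosts).
check_label() {
    dir=$1; mode=$2
    case "$mode" in
        Enforcing|Permissive)
            ls -dZ "$dir" | grep -q 'container_file_t\|svirt_sandbox_file_t' ;;
        *) return 0 ;;
    esac
}

# Usage: show what the build-directory mount would look like on this host.
mode=$(selinux_mode)
spec=$(volume_spec "${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}" /build "$mode" shared)
echo "SELinux mode: $mode; mount: -v $spec"
```

On a Fedora or RHEL host the last line prints `-v /tmp/envoy-docker-build:/build:z`; on Ubuntu the same call prints the spec without a suffix, which is exactly the no-op the comment describes. `check_label` is the post-condition a developer would run when a container still reports "permission denied" after the relabel.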

@jwendell
Member

Claude comment above ^

@zmiklank It should be fine on Ubuntu. I guess we can merge this on the fork for branches <= 1.37 and submit it in Envoy for main?
