infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

jenkins: Avoid SELinux relabel of data dir 

Setting a static SELinux level for the container allows CRI-O to skip
relabeling all the files in the persistent volume each time the
container starts.  For this to work, the pod needs a special annotation,
and CRI-O itself has to be configured to respect it:

```toml
[crio.runtime.runtimes.runc]
allowed_annotations = ["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"]
```

This *dramatically* improves the start time of the Jenkins container.
Instead of taking 5+ minutes, it now starts instantly.

https://github.com/cri-o/cri-o/issues/6185#issuecomment-1334719982
dch-webhooks-secrets
Dustin 2022-12-01 21:35:02 -06:00
parent 2c794a9399
commit b8ccbd0b09
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
jenkins/jenkins.yaml
View File

@ -108,6 +108,8 @@ spec:
app.kubernetes.io/instance: jenkins app.kubernetes.io/instance: jenkins
template: template:
metadata: metadata:
annotations:
io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
labels: labels:
app.kubernetes.io/name: jenkins app.kubernetes.io/name: jenkins
app.kubernetes.io/component: master app.kubernetes.io/component: master
@ -122,6 +124,9 @@ spec:
containerPort: 8080 containerPort: 8080
- name: jnlp - name: jnlp
containerPort: 40414 containerPort: 40414
securityContext:
seLinuxOptions:
level: s0:c525,c600
volumeMounts: volumeMounts:
- name: jenkins-data - name: jenkins-data
mountPath: /var/jenkins_home mountPath: /var/jenkins_home