From 6cb6ae4b727f5225546c126274107d7c8e07e2d4 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 31 Aug 2025 10:55:49 -0500
Subject: [PATCH] ci: Skip SELinux relabel on start
By default, CRI-O assigns a random SELinux category to every pod, and then must adjust the label of every file and directory in the persistent volume to match. For very large volumes like a Buildroot output directory, this can take quite some time. Fortunately, if we assign a static category, we can tell CRI-O to skip the relabel step. Unfortunately, Jenkins does not merge the `securityContext` field of the pod spec when the `yamlMergeStrategy` is set to `merge`. For our custom settings to apply, we have to leave the merge strategy at the default, `override`.
---
 ci/Jenkinsfile | 1 -
 ci/podTemplate.yaml | 17 +++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile
index f3f8e58..e275a13 100644
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@@ -11,7 +11,6 @@ pipeline {
 agent {
 kubernetes {
 yamlFile 'ci/podTemplate.yaml'
- yamlMergeStrategy merge()
 workspaceVolume persistentVolumeClaimWorkspaceVolume(
 claimName: 'buildroot-airplaypi'
 )
diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml
index a15cc3b..798c308 100644
--- a/ci/podTemplate.yaml
+++ b/ci/podTemplate.yaml
@@ -1,4 +1,15 @@
+metadata:
+ annotations:
+ io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
 spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ preference:
+ matchExpressions:
+ - key: node-role.kubernetes.io/jenkins
+ operator: Exists
 containers:
 - name: build
 image: git.pyrocufflink.net/containerimages/buildroot
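Review bot: The `io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel` annotation under `metadata.annotations` has no comment tying it to the fixed `seLinuxOptions.level` set later in this file, and the two only work as a pair. As far as I know, CRI-O honours this annotation only when the runtime handler lists it in `allowed_annotations` and otherwise drops it without an error, so a node that is not configured that way would quietly fall back to the full relabel. I would move the rationale from the commit message into the file, e.g. `# Skips the recursive volume relabel; needs the static seLinuxOptions.level below and CRI-O allowed_annotations on the node`. The node affinity added here is only `preferredDuringSchedulingIgnoredDuringExecution`, so the pod can still be scheduled on nodes without the `node-role.kubernetes.io/jenkins` label, and it is worth confirming those nodes carry the same CRI-O setting.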
@@ -11,8 +22,14 @@ spec:
 - mountPath: /etc/ssh/ssh_known_hosts
 name: ssh-known-hosts
 subPath: ssh_known_hosts
+ nodeSelector:
+ kubernetes.io/arch: amd64
 securityContext:
 fsGroupChangePolicy: OnRootMismatch
+ seLinuxOptions:
+ level: s0:c596,c675
+ tolerations:
+ - key: du5t1n.me/jenkins
 volumes:
 - name: ssh-known-hosts
 configMap:
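Review bot: The fixed MCS level `s0:c596,c675` under `securityContext.seLinuxOptions` means every pod built from this template runs with the same category pair, so concurrent builds, and any other pod given this level, are no longer separated from each other by SELinux categories. That is the intended trade for skipping the relabel, but the file should say the pair is reserved, e.g. `# Static MCS pair reserved for the buildroot-airplaypi PVC; do not reuse for other workloads`, and I would quote the value (`level: 's0:c596,c675'`) so no YAML loader retypes it. Separately, the toleration `- key: du5t1n.me/jenkins` relies on the default `operator: Equal` with an empty value; if the taint carries a value (not visible here) it will not match, so `operator: Exists` plus an explicit `effect` would make the intent clear. The `spec` mapping starts before this hunk and continues after it.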