fix security opt in phoebus launch

epics-containers · Dec 10, 2024 · 991a5ab · 991a5ab
1 parent 58445c5
commit 991a5ab
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 7 deletions.
diff --git a/.copier-answers.yml b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier; NEVER EDIT MANUALLY
-_commit: 4.1.0
+_commit: 4.1.0-4-ged64dd7
 _src_path: gh:epics-containers/ioc-template
 description: Generic IOC for the Delta Tau turbo pmac and power pmac motion controllers
 git_platform: github.com

diff --git a/opi/phoebus-launch.sh b/opi/phoebus-launch.sh
@@ -17,12 +17,12 @@ settings="
 -settings /tmp/settings.ini
 "
 
-if which phoebus.sh &>/dev/null ; then
+if which phoebus.sh &>/dev/null && [[ -z ${use_container} ]] ; then
     echo "Using phoebus.sh from PATH"
     set -x
     phoebus.sh ${settings} "${@}"
 
-elif module load phoebus 2>/dev/null; then
+elif module load phoebus 2>/dev/null && [[ -z ${use_container} ]] ; then
     echo "Using phoebus module"
     set -x
     phoebus.sh ${settings} "${@}"
@@ -33,16 +33,14 @@ else
     # prefer podman but use docker if USE_DOCKER is set
     if podman version &> /dev/null && [[ -z $USE_DOCKER ]]
         then docker=podman; UIDGID=0:0
-        else docker=docker; UIDGID=$(id -u):$(id -g)
+        else docker=docker; UIDGID=$(id -u):$(id -g); xhost +SI:localuser:$(id -un)
     fi
     echo "Using $docker as container runtime"
 
-    # ensure local container users can access X11 server
-    xhost +SI:localuser:$(id -un)
 
     # settings for container launch
     x11="-e DISPLAY --net host"
-    args="--rm -it --security-opt=label=none --user ${UIDGID}"
+    args="--rm -it --security-opt=label=disable --user ${UIDGID}"
     mounts="-v=/tmp:/tmp -v=${workspace}:/workspace -v=${workspace}/..:/workspaces"
     image="ghcr.io/epics-containers/ec-phoebus:latest"