
Re: [atomic-devel] docker options in /etc/sysconfig/docker





On Sat, Jun 2, 2018 at 2:24 PM arnaud gaboury <arnaud gaboury gmail com> wrote:
On Sat, Jun 2, 2018 at 2:02 PM arnaud gaboury <arnaud gaboury gmail com> wrote:
On Fri, Jun 1, 2018 at 10:36 PM Daniel Walsh <dwalsh redhat com> wrote:
On 06/01/2018 04:31 PM, arnaud gaboury wrote:


On Fri, Jun 1, 2018 at 9:49 PM Daniel Walsh <dwalsh redhat com> wrote:
On 06/01/2018 01:52 PM, arnaud gaboury wrote:


On Fri, Jun 1, 2018 at 7:46 PM Daniel Walsh <dwalsh redhat com> wrote:
On 06/01/2018 01:44 PM, arnaud gaboury wrote:


On Fri, Jun 1, 2018 at 7:12 PM Daniel Walsh <dwalsh redhat com> wrote:
On 06/01/2018 01:08 PM, arnaud gaboury wrote:


On Fri, Jun 1, 2018 at 6:53 PM Daniel Walsh <dwalsh redhat com> wrote:
On 06/01/2018 12:33 PM, arnaud gaboury wrote:


On Fri, Jun 1, 2018 at 6:25 PM arnaud gaboury <arnaud gaboury gmail com> wrote:
On Fri, Jun 1, 2018 at 6:19 PM Daniel Walsh <dwalsh redhat com> wrote:
On 06/01/2018 12:07 PM, arnaud gaboury wrote:


On Fri, Jun 1, 2018 at 5:04 PM Daniel Walsh <dwalsh redhat com> wrote:
On 06/01/2018 10:58 AM, arnaud gaboury wrote:
> I am switching from fedora server to Atomic.
>
> In the old world, my "/etc/sysconfig/docker" file had the content:
> OPTIONS="--selinux-enable"
> Now, after running the script container-storage-setup to create a thin
> pool volume, the file with options is now
> "/etc/sysconfig/docker-storage" and has the following content:
> ---------------------
> DOCKER_STORAGE_OPTIONS="--storage-driver devicemapper --storage-opt
> dm.fs=xfs --storage-opt
> dm.thinpooldev=/dev/mapper/vg--docker-docker--pool --storage-opt
> dm.use_deferred_removal=true --storage-opt dm.use_deferred_deletion=true "
> ---------------------
>
> Nothing about SELinux. Is it expected? Shall I write this option
> somewhere else?
>
> Thank you.

I think it should have that flag. If you run a container what does cat
/proc/self/attr/current show?

------------------------
# docker run hello-world
.........
# cat /proc/self/attr/current
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023#  
----------------------------

Should have been more clear

docker run fedora cat /proc/self/attr/current

What does this command show?

Of course I would prefer

podman run fedora cat /proc/self/attr/current


I didn't know this command... so much new stuff to learn!

------------------
 % man podman
No manual entry for podman
--------------------

:-(   snif


That's weird.

rpm -q podman
podman-0.5.4-1.git1f2e2a2.fc28.x86_64

There should be man pages. Are you doing this on atomic host?

YES.
Atomic host excludes man pages.
You can read lots of docs on podman at
https://github.com/projectatomic/libpod/

Man pages are here
https://github.com/projectatomic/libpod/blob/master/commands.md

You never showed me the output of the docker command.

Sorry for this confusion

----------------------------
root control2➤➤ ~ # docker run fedora cat /proc/self/attr/current
Unable to find image 'fedora:latest' locally
latest: Pulling from library/fedora
e71c36a80ba9: Pull complete
Digest: sha256:7ae08e5637170eb47c01e315b6e64e0d48c6200d2942c695d0bee61b38c65b39
Status: Downloaded newer image for fedora:latest
system_u:system_r:spc_t:s0#    
Ok that indicates SELinux is disabled in the daemon.  Adding back the --selinux-enabled will fix this issue.

where? In /etc/sysconfig/docker?  Or is there a new config file in Atomic to set this option?

Still in /etc/sysconfig/docker, then restart the docker service and the docker run line should show you container_t rather than spc_t.

-----------------------------------
# cat /etc/sysconfig/docker                    
OPTIONS='--selinux-enable'
# systemctl start docker
 # docker run fedora cat /proc/self/attr/current
.......
system_u:system_r:spc_t:s0# 
-------------------------

doesn't work.

 # systemctl edit docker.service
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --selinux-enabled
# systemctl restart docker
# docker run fedora cat /proc/self/attr/current
system_u:system_r:container_t:s0:c81,c142#  

As a temporary worka

Sorry for the missing last part, email was sent too early

 # systemctl edit docker.service
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --selinux-enabled
# systemctl restart docker
# docker run fedora cat /proc/self/attr/current
system_u:system_r:container_t:s0:c81,c142#  

As a temporary workaround, that's fine. But it seems docker doesn't take into account the /etc/sysconfig/docker file, or something like that.
On another machine, fedora 28, with same docker-ce version, it works fine.







Lokesh, Franticek, the docker we are shipping on atomic host does not have SELinux enabled?


--------------------------------------------

I did in one previous email (06:25)

---------------------------------
  # podman run fedora cat /proc/self/attr/current
Trying to pull docker.io/fedora:latest...Getting image source signatures
Copying blob sha256:e71c36a80ba912dd7a5a9f2f2d6136c148afa19bc7d024bd616b74a0bc7a2774
 82.57 MB / 82.57 MB [=====================================================] 20s
Copying config sha256:cc510acfcd701a409014118d5f417f0022520802a26c650866b8a9594d75f3a7
 2.29 KB / 2.29 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
system_u:system_r:container_t:s0:c377,c551#  
---------------------------------------------

That's the output of podman; I need docker.
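The check that runs through this whole thread (run a container, read /proc/self/attr/current, see whether the type is container_t or spc_t) is easy to script so it can be repeated after every daemon change. The script below is an added example; it is not from the thread and not part of docker or podman. It assumes a docker or podman binary on the PATH for the live probe, and the `docker info --format '{{.SecurityOptions}}'` output format (a "name=selinux" entry when the daemon has SELinux enabled) is assumed from Docker CLI behaviour. `classify_label` works offline on pasted label strings such as the ones quoted above, including the trailing prompt character that gets glued onto the label because the attr file has no newline.

```shell
#!/bin/sh
# Added example: automate the /proc/self/attr/current probe used in this thread.
# Not part of the thread, docker or podman; assumes the docker/podman binary
# is on PATH when the live probe functions are used.

# classify_label LABEL
# Prints the class of an SELinux process label:
#   confined       - container_t: the daemon applied a per-container label
#   unconfined-spc - spc_t: "super privileged container", SELinux is not confining it
#   host-shell     - unconfined_t: the label of the host shell, not of a container
#   unknown        - anything else
classify_label() {
    # Drop a trailing prompt ("#  ") that gets glued on because the attr file
    # has no newline, exactly as in the pasted terminal output above.
    label=$(printf '%s\n' "$1" | sed 's/#.*$//; s/[[:space:]]*$//')
    # The SELinux type is the third colon-separated field (user:role:type:range).
    setype=$(printf '%s\n' "$label" | cut -d: -f3)
    case "$setype" in
        container_t|svirt_lxc_net_t) echo confined ;;
        spc_t)                       echo unconfined-spc ;;
        unconfined_t)                echo host-shell ;;
        *)                           echo unknown ;;
    esac
}

# check_container_label RUNTIME IMAGE
# Runs the thread's probe with the given runtime (docker or podman) and image,
# prints the raw label and its class, and returns 0 only for a confined label.
check_container_label() {
    runtime=${1:-docker}
    image=${2:-fedora}
    out=$("$runtime" run --rm "$image" cat /proc/self/attr/current 2>/dev/null) || return 2
    cls=$(classify_label "$out")
    printf '%s: %s -> %s\n' "$runtime" "$out" "$cls"
    [ "$cls" = confined ]
}

# daemon_selinux_enabled
# Returns 0 when `docker info` lists selinux among the daemon's security
# options (output format assumed from the Docker CLI, e.g. "name=selinux").
daemon_selinux_enabled() {
    docker info --format '{{.SecurityOptions}}' 2>/dev/null | grep -q 'name=selinux'
}

# Usage: ./check-selinux-label.sh --probe [docker|podman] [image]
if [ "${1:-}" = "--probe" ]; then
    if daemon_selinux_enabled; then
        echo "daemon: selinux enabled"
    else
        echo "daemon: selinux NOT enabled (or runtime is not docker)"
    fi
    check_container_label "${2:-docker}" "${3:-fedora}"
fi
```

Run with `--probe docker` after restarting the daemon: a non-zero exit from `check_container_label` means the container came up as spc_t (or the probe itself failed), which is the situation the thread is debugging; `--probe podman` gives the comparison the podman output above shows.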



