
Re: [atomic-devel] docker options in /etc/sysconfig/docker



On 06/02/2018 12:29 PM, arnaud gaboury wrote:


On Sat, Jun 2, 2018 at 4:21 PM Colin Walters <walters verbum org> wrote:


On Sat, Jun 2, 2018, at 8:30 AM, arnaud gaboury wrote:
>
>  # systemctl edit docker.service
> [Service]
> ExecStart=
> ExecStart=/usr/bin/dockerd --selinux-enabled
> # systemctl restart docker
> # docker run fedora cat /proc/self/attr/current
> system_u:system_r:container_t:s0:c81,c142#

See:
/usr/lib/systemd/system/docker.service
You need all that stuff in the default ExecStart= to have the config files work.

I am confused between /etc/sysconfig/docker and /etc/docker/daemon.json. It seems to me there is some redundancy. As a note, I run Arch, and /etc/sysconfig was removed a long time ago.
After some tests:

--------------------------------------
1- no /etc/docker/daemon.json, no /etc/sysconfig/docker, no docker.service override
# docker run fedora cat /proc/self/attr/current
system_u:system_r:spc_t:s0#
2- no /etc/docker/daemon.json, no /etc/sysconfig/docker, docker.service override
# docker run fedora cat /proc/self/attr/current
system_u:system_r:container_t:s0:c499,c950#
3- /etc/docker/daemon.json, no /etc/sysconfig/docker, no docker.service override
# docker run fedora cat /proc/self/attr/current
system_u:system_r:container_t:s0:c471,c600#
4- no /etc/docker/daemon.json, /etc/sysconfig/docker, no docker.service override
# docker run fedora cat /proc/self/attr/current
system_u:system_r:spc_t:s0#
---------------------------------------------

As you can see, some settings will not work. As for my "test", solution 3 (/etc/docker/daemon.json, no /etc/sysconfig/docker, no docker.service override) is the one I will use.


Ok, you can add the selinux-enabled field to /etc/docker/daemon.json (although I am not aware of the syntax). I thought you were doing this testing with the Projectatomic/docker. It looks like you are working with the upstream docker-ce, which I am sad to say seems to not enable SELinux by default, at least on Arch.
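Added example, not code from this thread or from the Docker or Project Atomic projects: a POSIX sh helper that prints the daemon.json fragment for the "selinux-enabled" setting the reply refers to, and classifies the label a container reads from /proc/self/attr/current the way the four tests above do by hand (container_t with MCS categories is a confined container; spc_t is the unconfined "super privileged container" label). The sample contexts are constructed from the ones in the thread, and the function and script names are my own.

```shell
#!/bin/sh
# Helpers for the check the thread performs by hand (added example).
#   daemon_json       prints the /etc/docker/daemon.json fragment that turns on
#                     SELinux labelling ("selinux-enabled" is dockerd's own key).
#   classify_context  takes the label from /proc/self/attr/current and says
#                     whether the container got a confined container_t label
#                     with MCS categories, or the unconfined spc_t label seen in
#                     tests 1 and 4 of the thread.

daemon_json() {
    printf '{\n  "selinux-enabled": true\n}\n'
}

# Prints one of: confined, confined-no-mcs, unconfined, unknown.
# Exit status: 0 confined, 1 unconfined (spc_t), 2 anything else.
classify_context() {
    ctx=${1%#}                                    # drop a '#' fused from the next prompt
    setype=$(printf '%s' "$ctx" | cut -d: -f3)    # e.g. container_t
    level=$(printf '%s' "$ctx" | cut -d: -f4-)    # e.g. s0:c81,c142
    case $setype in
        container_t)
            case $level in
                *:c[0-9]*) echo confined;        return 0 ;;   # type + MCS pair
                *)         echo confined-no-mcs; return 2 ;;   # type only, no separation
            esac ;;
        spc_t)   echo unconfined; return 1 ;;   # super privileged container label
        *)       echo unknown;    return 2 ;;
    esac
}

# Runs the thread's own probe against a live daemon (needs docker and an
# image; default fedora, as in the thread). Not exercised by the sample run.
probe_running_daemon() {
    classify_context "$(docker run --rm "${1:-fedora}" cat /proc/self/attr/current)"
}

# Sample run over constructed contexts mirroring the thread's outputs.
demo() {
    daemon_json
    for c in 'system_u:system_r:spc_t:s0#' \
             'system_u:system_r:container_t:s0:c499,c950#'; do
        printf '%s -> %s\n' "$c" "$(classify_context "$c")"
    done
}
```

Call `demo` for the sample run, or `probe_running_daemon` on a host with docker to classify what the running daemon actually hands out.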
