On 3 September 2015 at 21:56, Daniel J Walsh <dwa...@redhat.com> wrote:
> Remove the :Z from this line. You don't want to relabel /dev/log on the
> host.
>
> MOUNTS="--volumes-from pulp_data -v /dev/log:/dev/log:Z"
>
> You should only be relabeling content specific to the container.
>
> restorecon -F /dev/log
>
> on the host should fix this label.

Thanks. With that fixed, I saw a few new errors that appear to be
related to the volumes exported by the data container:

1x "SELinux is preventing httpd from read access on the file pulp_python.conf"
4x "SELinux is preventing celery from read access on the file server.conf"

Reading
http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
suggested to me that they all needed the "chcon -Rt
svirt_sandbox_file_t" applied.

The ":z" suffix doesn't work for a volume export (Docker thinks it's a
mount point for a host volume), and "<export path>::z" isn't valid
syntax, so I tried reading the list of mounts from docker inspect and
setting the context with chcon.

While "ls -lZ" showed the context had been changed, I still got the
SELinux error messages and the containers didn't start.

At this point, I think Mark's approach of letting Kubernetes deal with
the security context management is likely to be a better way to go.

Regards,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia