On 04/11/2016 06:33 PM, Dusty Mabe wrote:

On 04/11/2016 10:37 AM, Daniel J Walsh wrote:

On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
Hi,

I have been playing with vagrant-sshfs to build persistent storage for
docker registry inside ADB box but I have encountered SELinux issue.

Steps to reproduce:
   $ Add sshfs folder into Vagrantfile
     config.vm.synced_folder "/home/tnozicka/tmp/registry-data", "/var/lib/registry", type: "sshfs"
   $ vagrant up
   $ vagrant ssh
   $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
(fails [and should] since /var/lib/registry does not have the right SELinux context)

   $ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
(FAILS with: Error response from daemon: operation not supported)

The latter one (:Z) works for ordinary folders, but it is failing with the one mounted by sshfs :( I tried to fix SELinux with:
$ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
chcon: failed to change context of ‘docker’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
chcon: failed to change context of ‘/var/lib/registry’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported

but without success. Does anybody have any ideas how to get sshfs and Docker/SELinux working together?

Everything works after running:
$ sudo setenforce 0
inside ADB, so it is almost definitely an SELinux-related issue.


Thanks,
Tomas Nozicka


[1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/

_______________________________________________
Container-tools mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/container-tools
What AVCs are you seeing? The problem is that sshfs does not support SELinux labels, so you cannot set them to share within the container. We could attempt to mount the sshfs with a context mount, if sshfs works that way.

mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"
Something like this was added some time ago but there is no release with it included as of yet:

https://github.com/libfuse/libfuse/commit/c52cafc81ced83fbd5cc7edf4ef5f7cb57b82729
Looks like it is implemented. So mounting a fuse file system with sshfs with context="system_u:object_r:svirt_sandbox_file_t:s0:c1,c2" is supposed to work.
Or we can add rules to svirt_sandbox_file_t to allow it to manage sshfs_t.
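The thread boils down to one distinction: filesystems that store a label per inode can be relabeled with chcon or Docker's :Z, while sshfs (fuse) cannot, so the only way to get svirt_sandbox_file_t onto it is the mount-wide context= option. The bash helper below is an added example, not code from the thread, from vagrant-sshfs or from Docker. It classifies a volume source from the filesystem type and option string that findmnt (util-linux) reports; the sample option strings are constructed, the list of label-capable filesystem types is an assumption covering the common cases, and the strategy names ("relabel", "context-mount", "remount-needed") are made up here.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: classify a Docker bind-mount source
# by whether SELinux can label it per file (so `docker run -v src:dst:Z` can
# relabel it) or only mount-wide via the `context=` mount option that the
# thread discusses. The sample mount option strings below are constructed.
set -u

# Print the SELinux label carried by a mount's context= option and return 0,
# or return 1 when the options contain no context=. mount(8) requires the
# value to be double-quoted when the label contains commas (MCS categories),
# so the quoted form is tried first and an unquoted, comma-free form second.
mount_context_label() {
    local opts=$1 label
    label=$(printf '%s' "$opts" | grep -o 'context="[^"]*"' | head -n 1 \
            | sed 's/^context="//; s/"$//')
    if [ -z "$label" ]; then
        label=$(printf '%s' "$opts" | tr ',' '\n' | sed -n 's/^context=//p' | head -n 1)
    fi
    [ -n "$label" ] || return 1
    printf '%s\n' "$label"
}

# Return 0 for filesystem types (as findmnt reports them) that store a label
# on every inode, so chcon and Docker's :Z relabel succeed; 1 for types such
# as fuse.sshfs, nfs or cifs where chcon fails with "Operation not supported"
# and the only way to get a label is a mount-wide context= option.
# Assumption: this list covers the usual label-capable local filesystems.
fs_type_supports_file_labels() {
    case $1 in
        ext2|ext3|ext4|xfs|btrfs|f2fs|jfs|tmpfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the strategy for getting a container-accessible label onto a volume
# source: "relabel" (use :Z), "context-mount" (the mount already carries a
# container label via context=), or "remount-needed" (nothing works until the
# filesystem is remounted with context=). container_file_t is the newer name
# of svirt_sandbox_file_t in container-selinux.
volume_label_strategy() {
    local fstype=$1 opts=$2 label
    if fs_type_supports_file_labels "$fstype"; then
        echo relabel
        return 0
    fi
    if label=$(mount_context_label "$opts"); then
        case $label in
            *svirt_sandbox_file_t*|*container_file_t*) echo context-mount; return 0 ;;
        esac
    fi
    echo remount-needed
    return 1
}

# Look up a real directory with findmnt and report the strategy for it.
# On the box from the thread: diagnose_volume_source /var/lib/registry
diagnose_volume_source() {
    local dir=$1 line fstype opts
    line=$(findmnt -n -o FSTYPE,OPTIONS --target "$dir") || return 2
    fstype=${line%% *}
    opts=${line##* }
    printf '%s: fstype=%s strategy=%s\n' "$dir" "$fstype" \
        "$(volume_label_strategy "$fstype" "$opts")"
}

# Constructed sample option strings for an sshfs mount made without and with
# the context= option (not captured from a real box).
SAMPLE_SSHFS_PLAIN='rw,nosuid,nodev,relatime,user_id=1000,group_id=1000'
SAMPLE_SSHFS_CTX='rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,context="system_u:object_r:svirt_sandbox_file_t:s0:c1,c2"'

for opts in "$SAMPLE_SSHFS_PLAIN" "$SAMPLE_SSHFS_CTX"; do
    printf 'fuse.sshfs [%s] -> %s\n' "$opts" "$(volume_label_strategy fuse.sshfs "$opts")"
done
```

Run it as-is to see the two constructed cases, or call diagnose_volume_source on a real directory to see what findmnt reports for it. Note that once the mount carries the label via context=, Docker's :Z (which tries to relabel) is no longer needed, and it will still fail on sshfs; the plain -v form is what works on a context mount.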
