On 04/12/2016 03:02 PM, Daniel J Walsh wrote:
>
>
> On 04/11/2016 06:33 PM, Dusty Mabe wrote:
>>
>> On 04/11/2016 10:37 AM, Daniel J Walsh wrote:
>>>
>>> On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
>>>> Hi,
>>>>
>>>> I have been playing with vagrant-sshfs to build persistent storage for
>>>> the docker registry inside the ADB box, but I have encountered an SELinux issue.
>>>>
>>>> Steps to reproduce:
>>>> $ Add sshfs folder into Vagrantfile
>>>> config.vm.synced_folder "/home/tnozicka/tmp/registry-data",
>>>> "/var/lib/registry", type: "sshfs"
>>>> $ vagrant up
>>>> $ vagrant ssh
>>>> $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7
>>>> bash -c 'mkdir /var/lib/registry/new-dir'
>>>> (fails [and should] since /var/lib/registry does not have the right
>>>> SELinux context)
>>>>
>>>> $ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z
>>>> centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
>>>> (FAILS with: Error response from daemon: operation not supported)
>>>>
>>>> The latter one (:Z) works for ordinary folders, but it is failing with
>>>> the one mounted by sshfs :( I tried to fix SELinux with:
>>>> $ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
>>>> chcon: failed to change context of ‘docker’ to
>>>> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>>>> chcon: failed to change context of ‘/var/lib/registry’ to
>>>> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>>>>
>>>> but without success. Does anybody have any ideas how to get sshfs and
>>>> Docker/SELinux working together?
>>>>
>>>> Everything works after running:
>>>> $ sudo setenforce 0
>>>> inside ADB, so it is almost definitely an SELinux-related issue.
>>>>
>>>>
>>>> Thanks,
>>>> Tomas Nozicka
>>>>
>>>>
>>>> [1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
>>>>
>>>> _______________________________________________
>>>> Container-tools mailing list
>>>> [email protected]
>>>> https://www.redhat.com/mailman/listinfo/container-tools
>>> What AVCs are you seeing? The problem is sshfs does not support
>>> SELinux labels, so you can not set them to share within the container.
>>> We could attempt to mount the sshfs with a context mount, if sshfs
>>> works that way.
>>>
>>> mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"
>> Something like this was added some time ago but there is no release
>> with it included as of yet:
>>
>> https://github.com/libfuse/libfuse/commit/c52cafc81ced83fbd5cc7edf4ef5f7cb57b82729
> Looks like it is implemented. So mounting a fuse file system with sshfs
> with context="system_u:object_r:svirt_sandbox_file_t:s0:c1,c2"
> is supposed to work.

Well... It has been implemented but not released, which is why it doesn't
work in CentOS/Fedora. It is a pretty small patch if we wanted to carry it
for now.

On a side note `setsebool -P virt_sandbox_use_fusefs 1` works, so maybe I'll
modify the vagrant-sshfs plugin to do that when performing these mounts.

Dusty
