Re: Becoming comaintainer for Fedora-Dockerfiles

2015-10-08 Thread Matthew Miller
On Wed, Oct 07, 2015 at 12:11:47AM -0400, Bohuslav Kabrda wrote:
> > So, would all of _those_ examples go into a single entity (package,
> > repo, whatever)? What should the distribution method for _these_ be?
> I'm not sure :) In fact, I'm wondering whether it's really necessary
> to be shipping these as RPMs. Dockerfiles are good candidates for
> shipping via RPMs, since they are the recipes used to build images
> that are actually out there (on dockerhub, etc). kubernetes/Nulecule
> examples, on the other hand, will be just *examples*, not something
> you would want to build, deploy and use as is.

Well, let's say we want to ship a Fedora Server role as an Atomic App.
Or, say, Kolab. Where would the nulecule files for that live?


-- 
Matthew Miller

Fedora Project Leader
___
cloud mailing list
cloud@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct


Re: Becoming comaintainer for Fedora-Dockerfiles

2015-10-08 Thread Joe Brockmeier
On 10/08/2015 07:55 AM, Matthew Miller wrote:
> Well, let's say we want to ship a Fedora Server role as an Atomic App.
> Or, say, Kolab. Where would the nulecule files for that live?

So - we're currently keeping working examples here:

https://github.com/projectatomic/nulecule/tree/master/examples

I would love to see a central repo for any Nulecule / Atomic Apps.

For users, if they're pulling a pre-made app it should live on Docker
Hub. So they'd just need "sudo atomic run fedora/kolab" or similar to
grab it.

(I suppose Fedora could have its own registry for containers, but not
sure we want to / are ready to go there.)

Best,

jzb
-- 
Joe Brockmeier | Community Team, OSAS
j...@redhat.com | http://community.redhat.com/
Twitter: @jzb  | http://dissociatedpress.net/





selinux denials when starting docker in F23

2015-10-08 Thread Dusty Mabe
Hey guys, anybody seen these when starting 
docker-1.8.2-5.gitcb216be.fc23.x86_64:

```
Oct 08 18:55:47 cloudhost.localdomain audit[1513]: AVC avc:  denied { 
read } for  pid=1513 comm="iptables" path="net:[4026531957]" dev="nsfs" 
ino=4026531957 scontext=system_u:system_r:iptables_t:s0 
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
```

Nevertheless, the docker daemon is up and running, but if I start a 
container and then force remove it I see:

```
Error deleting container: Error response from daemon: Cannot destroy 
container 
710f834e316946a422a00fb3470b895b387519ecb01a5b195cc818b9764f82a7: Failed 
to set container state to RemovalInProgress: Status is already 
RemovalInProgress
```

and this is in the journal:

```
Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 
msg='Unknown permission stop for class system 
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 
msg='Unknown permission stop for class system 
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```


Re: selinux denials when starting docker in F23

2015-10-08 Thread Dusty Mabe
On 10/08/2015 03:06 PM, Dusty Mabe wrote:
> Hey guys, anybody seen these when starting
> docker-1.8.2-5.gitcb216be.fc23.x86_64:
>
> ```
> Oct 08 18:55:47 cloudhost.localdomain audit[1513]: AVC avc: denied {
> read } for  pid=1513 comm="iptables" path="net:[4026531957]"
> dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
> ```
>
> Nevertheless, the docker daemon is up and running, but if I start a
> container and then force remove it I see:
>
> ```
> Error deleting container: Error response from daemon: Cannot destroy
> container
> 710f834e316946a422a00fb3470b895b387519ecb01a5b195cc818b9764f82a7:
> Failed to set container state to RemovalInProgress: Status is already
> RemovalInProgress
> ```
>
> and this is in the journal:
>
> ```
> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> msg='Unknown permission stop for class system
> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> msg='Unknown permission stop for class system
> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> ```


Also (on a separate machine - this time the f23 cloud vagrant box) - I 
am seeing this when I run `docker run -it --rm busybox /bin/sh`:
```
[root@f23 ~]# docker run -it --rm busybox /bin/sh
permission denied
Error response from daemon: Cannot start container 
48f491260754d82c292f0d52154cb9fc45f8dede1a9bdc9adbe9a465406671e5: [8] 
System error: permission denied
```

and from the journal:

```
Oct 08 19:19:01 f23 audit[998]: AVC avc:  denied  { transition } for 
pid=998 comm="exe" path="/bin/sh" dev="dm-3" ino=33555457 
scontext=system_u:system_r:unconfined_service_t:s0 
tcontext=system_u:system_r:svirt_lxc_net_t:s0:c581,c843 tclass=process 
permissive=0
```
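A small parser for the AVC records quoted in the two messages above, added here as an example and not part of the thread or of any Fedora tooling. The sample journal text is reconstructed from those excerpts with the wrapped lines joined; it pulls out the source and target types, the object class and the denied permissions, which is what you need when deciding whether a denial is a mislabelled file (the `unlabeled_t` case) or a missing domain transition rule (the `svirt_lxc_net_t` case), and it skips the `USER_AVC` records from systemd, which are not file or process denials.

```python
"""Parse SELinux AVC 'denied' records in the form shown in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: the journal excerpts from the thread, one record per line.
SAMPLE_JOURNAL = """\
Oct 08 18:55:47 cloudhost.localdomain audit[1513]: AVC avc:  denied  { read } for  pid=1513 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Oct 08 19:19:01 f23 audit[998]: AVC avc:  denied  { transition } for  pid=998 comm="exe" path="/bin/sh" dev="dm-3" ino=33555457 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c581,c843 tclass=process permissive=0
"""

# "AVC avc:  denied  { perm1 perm2 } for  key=value ..." (spacing varies by version)
AVC_RE = re.compile(
    r"AVC avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (path="...") or bare (tcontext=...)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: list
    fields: dict


def parse_avc(line):
    """Return a Denial for a kernel AVC 'denied' record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # USER_AVC and unrelated journal lines are skipped
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return Denial(perms, fields)


def domain(ctx):
    """user:role:type[:level] -> type, the part policy rules are written against."""
    return ctx.split(":")[2]


def summarize(journal_text):
    """(source type, target type, class, perms, enforcing?) per denial."""
    out = []
    for line in journal_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        f = d.fields
        out.append((domain(f["scontext"]), domain(f["tcontext"]), f["tclass"],
                    tuple(d.perms), f.get("permissive") == "0"))
    return out
```

Run `summarize(SAMPLE_JOURNAL)` to get one tuple per real denial; a `permissive=0` value means the operation was actually blocked, which matches the "permission denied" the container run reported.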


Re: Becoming comaintainer for Fedora-Dockerfiles

2015-10-08 Thread Matthew Miller
On Thu, Oct 08, 2015 at 09:09:11AM -0400, Joe Brockmeier wrote:
> So - we're currently keeping working examples here:
> https://github.com/projectatomic/nulecule/tree/master/examples
> I would love to see a central repo for any Nulecule / Atomic Apps.

I *think* that in our first pass, layered images will all be produced
by installing packages. So maybe each nulecule becomes an RPM? That
seems like a lot of overhead. (But hey, when you've got a hammer)

Alternately, maybe the Dockerfiles dist-git could have (well, have a
lookaside cache to) source tarballs that aren't in RPM. Maybe that's
already in the works in the upstream, but I don't know if we're ready
for it.


> For users, if they're pulling a pre-made app it should live on Docker
> Hub. So they'd just need "sudo atomic run fedora/kolab" or similar to
> grab it.

Yeah, I don't want to put users in the position of thinking they have
to build them themselves, for sure.

> (I suppose Fedora could have its own registry for containers, but not
> sure we want to / are ready to go there.)

The releng team working on this is talking about that as a possible target
for F24.


-- 
Matthew Miller

Fedora Project Leader


Re: selinux denials when starting docker in F23

2015-10-08 Thread Matthew Miller
On Thu, Oct 08, 2015 at 03:06:09PM -0400, Dusty Mabe wrote:
> Hey guys anybody seen these when starting
> docker-1.8.2-5.gitcb216be.fc23.x86_64:

Uh oh. File that as a freeze exception bug, quick?

-- 
Matthew Miller

Fedora Project Leader