Re: Becoming comaintainer for Fedora-Dockerfiles
On Wed, Oct 07, 2015 at 12:11:47AM -0400, Bohuslav Kabrda wrote:
> > So, would all of _those_ examples go into a single entity (package,
> > repo, whatever)? What should the distribution method for _these_ be?
>
> I'm not sure :) In fact, I'm wondering whether it's really necessary
> to be shipping these as RPMs. Dockerfiles are good candidates for
> shipping via RPMs, since they are the recipes used to build images
> that are actually out there (on dockerhub, etc). kubernetes/Nulecule
> examples, on the other hand, will be just *examples*, not something
> you would want to build, deploy and use as is.

Well, let's say we want to ship a Fedora Server role as an Atomic App. Or, say, Kolab. Where would the nulecule files for that live?

--
Matthew Miller
Fedora Project Leader

___
cloud mailing list
cloud@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Becoming comaintainer for Fedora-Dockerfiles
On 10/08/2015 07:55 AM, Matthew Miller wrote:
> Well, let's say we want to ship a Fedora Server role as an Atomic App.
> Or, say, Kolab. Where would the nulecule files for that live?

So - we're currently keeping working examples here:

https://github.com/projectatomic/nulecule/tree/master/examples

I would love to see a central repo for any Nulecule / Atomic Apps.

For users, if they're pulling a pre-made app it should live on Docker Hub. So they'd just need "sudo atomic run fedora/kolab" or similar to grab it.

(I suppose Fedora could have its own registry for containers, but not sure we want to / are ready to go there.)

Best,

jzb

--
Joe Brockmeier | Community Team, OSAS
j...@redhat.com | http://community.redhat.com/
Twitter: @jzb | http://dissociatedpress.net/
selinux denials when starting docker in F23
Hey guys anybody seen these when starting docker-1.8.2-5.gitcb216be.fc23.x86_64:

```
Oct 08 18:55:47 cloudhost.localdomain audit[1513]: AVC avc: denied { read } for pid=1513 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
```

Nevertheless the docker daemon is up and running but if I start a container and then force remove it I see:

```
Error deleting container: Error response from daemon: Cannot destroy container 710f834e316946a422a00fb3470b895b387519ecb01a5b195cc818b9764f82a7: Failed to set container state to RemovalInProgress: Status is already RemovalInProgress
```

and this is in the journal:

```
Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```
Re: selinux denials when starting docker in F23
On 10/08/2015 03:06 PM, Dusty Mabe wrote:
> Hey guys anybody seen these when starting docker-1.8.2-5.gitcb216be.fc23.x86_64:
>
> ```
> Oct 08 18:55:47 cloudhost.localdomain audit[1513]: AVC avc: denied { read } for pid=1513 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
> ```
>
> Nevertheless the docker daemon is up and running but if I start a container and then force remove it I see:
>
> ```
> Error deleting container: Error response from daemon: Cannot destroy container 710f834e316946a422a00fb3470b895b387519ecb01a5b195cc818b9764f82a7: Failed to set container state to RemovalInProgress: Status is already RemovalInProgress
> ```
>
> and this is in the journal:
>
> ```
> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> ```

Also (on a separate machine - this time the f23 cloud vagrant box) - I am seeing this when I run `docker run -it --rm busybox /bin/sh`:

```
[root@f23 ~]# docker run -it --rm busybox /bin/sh
permission denied
Error response from daemon: Cannot start container 48f491260754d82c292f0d52154cb9fc45f8dede1a9bdc9adbe9a465406671e5: [8] System error: permission denied
```

and from the journal:

```
Oct 08 19:19:01 f23 audit[998]: AVC avc: denied { transition } for pid=998 comm="exe" path="/bin/sh" dev="dm-3" ino=33555457 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c581,c843 tclass=process permissive=0
```
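A small triage helper for journal excerpts like the ones above, as an added example that is not part of the original posts: it parses kernel AVC records into source type, target type, class and permission, and counts the enforced denials. The function names are hypothetical; the sample lines are copied from this thread.

```python
import re
from collections import Counter

# Sample records copied from the journal excerpts in this thread.
SAMPLE = [
    'Oct 08 18:55:47 cloudhost.localdomain audit[1513]: AVC avc: denied { read } for pid=1513 comm="iptables" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0',
    'Oct 08 19:19:01 f23 audit[998]: AVC avc: denied { transition } for pid=998 comm="exe" path="/bin/sh" dev="dm-3" ino=33555457 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c581,c843 tclass=process permissive=0',
    'Oct 08 19:04:31 cloudhost.localdomain audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'',
]

# Kernel AVC records carry "avc: denied { perms } for key=value ...".
AVC_RE = re.compile(r'\bavc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for a kernel AVC record, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None  # e.g. the USER_AVC records emitted by systemd
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split(), **fields}
    # A context is user:role:type:level; the level may itself contain ':'.
    rec["source_type"] = fields["scontext"].split(":")[2]
    rec["target_type"] = fields["tcontext"].split(":")[2]
    rec["enforced"] = fields.get("permissive") == "0"
    return rec

def summarize(lines):
    """Count enforced denials per (source type, target type, class, perm)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["enforced"]:
            for perm in rec["perms"]:
                key = (rec["source_type"], rec["target_type"], rec.get("tclass"), perm)
                counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```
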
Re: Becoming comaintainer for Fedora-Dockerfiles
On Thu, Oct 08, 2015 at 09:09:11AM -0400, Joe Brockmeier wrote:
> So - we're currently keeping working examples here:
> https://github.com/projectatomic/nulecule/tree/master/examples
> I would love to see a central repo for any Nulecule / Atomic Apps.

I *think* that in our first pass, layered images will all be produced by installing packages. So maybe each nulecule becomes an RPM? That seems like a lot of overhead. (But hey, when you've got a hammer)

Alternately, maybe the Dockerfiles dist-git could have (well, have a lookaside cache to) source tarballs that aren't in RPM. Maybe that's already in the works in the upstream, but I don't know if we're ready for it.

> For users, if they're pulling a pre-made app it should live on Docker
> Hub. So they'd just need "sudo atomic run fedora/kolab" or similar to
> grab it.

Yeah, I don't want to put users in the position of thinking they have to build them themselves, for sure.

> (I suppose Fedora could have its own registry for containers, but not
> sure we want to / are ready to go there.)

The releng team working on this is talking about that as a possible target for F24.

--
Matthew Miller
Fedora Project Leader
Re: selinux denials when starting docker in F23
On Thu, Oct 08, 2015 at 03:06:09PM -0400, Dusty Mabe wrote:
> Hey guys anybody seen these when starting
> docker-1.8.2-5.gitcb216be.fc23.x86_64:

Uh oh. File that as a freeze exception bug, quick?

--
Matthew Miller
Fedora Project Leader