On Fri, Jun 1, 2018 at 10:36 PM Daniel Walsh <dwa...@redhat.com> wrote:
> On 06/01/2018 04:31 PM, arnaud gaboury wrote:
>
> On Fri, Jun 1, 2018 at 9:49 PM Daniel Walsh <dwa...@redhat.com> wrote:
>
>> On 06/01/2018 01:52 PM, arnaud gaboury wrote:
>>
>> On Fri, Jun 1, 2018 at 7:46 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>
>>> On 06/01/2018 01:44 PM, arnaud gaboury wrote:
>>>
>>> On Fri, Jun 1, 2018 at 7:12 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>
>>>> On 06/01/2018 01:08 PM, arnaud gaboury wrote:
>>>>
>>>> On Fri, Jun 1, 2018 at 6:53 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>
>>>>> On 06/01/2018 12:33 PM, arnaud gaboury wrote:
>>>>>
>>>>> On Fri, Jun 1, 2018 at 6:25 PM arnaud gaboury <arnaud.gabo...@gmail.com> wrote:
>>>>>
>>>>>> On Fri, Jun 1, 2018 at 6:19 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>>>
>>>>>>> On 06/01/2018 12:07 PM, arnaud gaboury wrote:
>>>>>>>
>>>>>>> On Fri, Jun 1, 2018 at 5:04 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>>>>
>>>>>>>> On 06/01/2018 10:58 AM, arnaud gaboury wrote:
>>>>>>>> > I am switching from fedora server to Atomic.
>>>>>>>> >
>>>>>>>> > In the old world, my "/etc/sysconfig/docker" file had the content:
>>>>>>>> > OPTIONS="--selinux-enable"
>>>>>>>> > Now, after running the script container-storage-setup to create a thin
>>>>>>>> > pool volume, the file with options is now
>>>>>>>> > "/etc/sysconfig/docker-storage" and has the following content:
>>>>>>>> > ---------------------
>>>>>>>> > DOCKER_STORAGE_OPTIONS="--storage-driver devicemapper --storage-opt dm.fs=xfs --storage-opt dm.thinpooldev=/dev/mapper/vg--docker-docker--pool --storage-opt dm.use_deferred_removal=true --storage-opt dm.use_deferred_deletion=true "
>>>>>>>> > ---------------------
>>>>>>>> >
>>>>>>>> > Nothing about SELinux. Is it expected? Shall I write this option
>>>>>>>> > somewhere else?
>>>>>>>> >
>>>>>>>> > Thank you.
>>>>>>>>
>>>>>>>> I think it should have that flag. If you run a container what does
>>>>>>>> cat /proc/self/attr/current show?
>>>>>>>>
>>>>>>>
>>>>>>> ------------------------
>>>>>>> # docker run hello-world
>>>>>>> .........
>>>>>>> # cat /proc/self/attr/current
>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023#
>>>>>>> ----------------------------
>>>>>>>
>>>>>>> Should have been more clear
>>>>>>>
>>>>>>> docker run fedora cat /proc/self/attr/current
>>>>>>>
>>>>>> What does this command show?
>>>>>
>>>>> Of course I would prefer
>>>>>>>
>>>>>>> podman run fedora cat /proc/self/attr/current
>>>>>>>
>>>>>>
>>>>>> I didn't know this command... so much new stuff to learn!
>>>>>>
>>>>>
>>>>> ------------------
>>>>> % man podman
>>>>> No manual entry for podman
>>>>> --------------------
>>>>>
>>>>> :-( snif
>>>>>
>>>>>> That's weird.
>>>>>
>>>>> rpm -q podman
>>>>> podman-0.5.4-1.git1f2e2a2.fc28.x86_64
>>>>>
>>>>> There should be man pages. You doing this on atomic host?
>>>>>
>>>>
>>>> YES.
>>>>
>>>> Atomic host excludes man pages.
>>>> You can read lots of docs on podman at
>>>> https://github.com/projectatomic/libpod/
>>>>
>>>> Man pages are here
>>>> https://github.com/projectatomic/libpod/blob/master/commands.md
>>>>
>>>> You never showed me the output of the docker command.
>>>>
>>>
>> Sorry for this confusion
>>
>> ----------------------------
>> root@control2➤➤ ~ # docker run fedora cat /proc/self/attr/current
>> Unable to find image 'fedora:latest' locally
>> latest: Pulling from library/fedora
>> e71c36a80ba9: Pull complete
>> Digest: sha256:7ae08e5637170eb47c01e315b6e64e0d48c6200d2942c695d0bee61b38c65b39
>> Status: Downloaded newer image for fedora:latest
>> system_u:system_r:spc_t:s0#
>>
>> Ok that indicates SELinux is disabled in the daemon. Adding back the
>> --selinux-enabled will fix this issue.
>>
>
> where? In /etc/sysconfig/docker? Or is there a new config file in Atomic
> to set this option?
>
> Still in /etc/sysconfig/docker, then restart docker service and the docker
> run line should show you container_t rather than spc_t.
>

-----------------------------------
# cat /etc/sysconfig/docker
OPTIONS='--selinux-enable'
# systemctl start docker
# docker run fedora cat /proc/self/attr/current
.......
system_u:system_r:spc_t:s0#
-------------------------

doesn't work.

>> Lokesh, Franticek, the docker we are shipping on atomic host does not
>> have SELinux enabled?
>>
>> --------------------------------------------
>>
>>> I did in one previous email (06:25)
>>>
>>> ---------------------------------
>>> # podman run fedora cat /proc/self/attr/current
>>> Trying to pull docker.io/fedora:latest...Getting image source signatures
>>> Copying blob sha256:e71c36a80ba912dd7a5a9f2f2d6136c148afa19bc7d024bd616b74a0bc7a2774
>>> 82.57 MB / 82.57 MB [=====================================================] 20s
>>> Copying config sha256:cc510acfcd701a409014118d5f417f0022520802a26c650866b8a9594d75f3a7
>>> 2.29 KB / 2.29 KB [========================================================] 0s
>>> Writing manifest to image destination
>>> Storing signatures
>>> system_u:system_r:container_t:s0:c377,c551#
>>> ---------------------------------------------
>>>
>>> That's the output of podman, I need docker.
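
Added example (not part of the thread and not code from any project discussed in it): a small script for the two checks this exchange relies on, namely whether an `OPTIONS=` line in `/etc/sysconfig/docker` carries the exact `--selinux-enabled` token named above, and whether the label a container prints from `/proc/self/attr/current` has type `container_t` or `spc_t`. The function names, the result words and the `--live` switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example; function names and result words are hypothetical.

# selinux_flag_state FILE
# Reads uncommented OPTIONS= lines and reports how the SELinux flag appears:
#   enabled      exact --selinux-enabled token present
#   disabled     --selinux-enabled=false present
#   unrecognized some other --selinux* spelling present
#   absent       no --selinux* token at all
selinux_flag_state() {
    opts=$(sed -n "s/^[[:space:]]*OPTIONS=//p" "$1" | tr -d "\"'")
    state=absent
    for tok in $opts; do
        case "$tok" in
            --selinux-enabled|--selinux-enabled=true) echo enabled; return 0 ;;
            --selinux-enabled=false) state=disabled ;;
            --selinux*) state=unrecognized ;;
        esac
    done
    echo "$state"
}

# label_type LABEL
# Prints the type (third colon-separated field) of an SELinux label, after
# dropping a trailing prompt character such as the '#' in the pasted output.
label_type() {
    printf '%s\n' "$1" | tr -d '#' | cut -d: -f3
}

# confinement LABEL
# container_t is the confined container type; spc_t is what the thread's
# docker run printed when the daemon was not applying SELinux confinement.
confinement() {
    case "$(label_type "$1")" in
        container_t) echo confined ;;
        spc_t|unconfined_t) echo not-confined ;;
        *) echo unknown ;;
    esac
}

# check_host: run on the Docker host itself (needs docker and network access).
check_host() {
    echo "flag:  $(selinux_flag_state /etc/sysconfig/docker)"
    echo "label: $(confinement "$(docker run --rm fedora cat /proc/self/attr/current)")"
}

if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run with `--live` on the host after restarting the docker service; a result of `flag: enabled` together with `label: confined` is the state the reply above describes as expected.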