On Sat, Jun 2, 2018 at 2:02 PM arnaud gaboury <arnaud.gabo...@gmail.com>
wrote:

> On Fri, Jun 1, 2018 at 10:36 PM Daniel Walsh <dwa...@redhat.com> wrote:
>
>> On 06/01/2018 04:31 PM, arnaud gaboury wrote:
>>
>>
>>
>> On Fri, Jun 1, 2018 at 9:49 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>
>>> On 06/01/2018 01:52 PM, arnaud gaboury wrote:
>>>
>>>
>>>
>>> On Fri, Jun 1, 2018 at 7:46 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>
>>>> On 06/01/2018 01:44 PM, arnaud gaboury wrote:
>>>>
>>>>
>>>>
>>>> On Fri, Jun 1, 2018 at 7:12 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>
>>>>> On 06/01/2018 01:08 PM, arnaud gaboury wrote:
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 1, 2018 at 6:53 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>>
>>>>>> On 06/01/2018 12:33 PM, arnaud gaboury wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Jun 1, 2018 at 6:25 PM arnaud gaboury <
>>>>>> arnaud.gabo...@gmail.com> wrote:
>>>>>>
>>>>>>> On Fri, Jun 1, 2018 at 6:19 PM Daniel Walsh <dwa...@redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> On 06/01/2018 12:07 PM, arnaud gaboury wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jun 1, 2018 at 5:04 PM Daniel Walsh <dwa...@redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> On 06/01/2018 10:58 AM, arnaud gaboury wrote:
>>>>>>>>> > I am switching from fedora server to Atomic.
>>>>>>>>> >
>>>>>>>>> > In the old world, my "/etc/sysconfig/docker" file had the
>>>>>>>>> content:
>>>>>>>>> > OPTIONS="--selinux-enable"
>>>>>>>>> > Now, after running the script container-storage-setup to create
>>>>>>>>> a thin
>>>>>>>>> > pool volume, the file with options is now
>>>>>>>>> > "/etc/sysconfig/docker-storage" and has the following content:
>>>>>>>>> > ---------------------
>>>>>>>>> > DOCKER_STORAGE_OPTIONS="--storage-driver devicemapper
>>>>>>>>> --storage-opt
>>>>>>>>> > dm.fs=xfs --storage-opt
>>>>>>>>> > dm.thinpooldev=/dev/mapper/vg--docker-docker--pool --storage-opt
>>>>>>>>> > dm.use_deferred_removal=true --storage-opt
>>>>>>>>> dm.use_deferred_deletion=true "
>>>>>>>>> > ---------------------
>>>>>>>>> >
>>>>>>>>> > Nothing about SELinux. Is it expected? Shall I write this option
>>>>>>>>> > somewhere else?
>>>>>>>>> >
>>>>>>>>> > Thank you.
>>>>>>>>>
>>>>>>>>> I think it should have that flag. If you run a container what does
>>>>>>>>> cat
>>>>>>>>> /proc/self/attr/current show?
>>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------
>>>>>>>> # docker run hello-world
>>>>>>>> .........
>>>>>>>> # cat /proc/self/attr/current
>>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023#
>>>>>>>> ----------------------------
>>>>>>>>
>>>>>>>> Should have been more clear
>>>>>>>>
>>>>>>>> docker run fedora cat /proc/self/attr/current
>>>>>>>>
>>>>>>> What does this command show?
>>>>>>
>>>>>> Of course I would prefer
>>>>>>>>
>>>>>>>> podman run fedora cat /proc/self/attr/current
>>>>>>>>
>>>>>>>
>>>>>>> I didn't know this command...so much new stuff to learn!
>>>>>>>
>>>>>>
>>>>>> ------------------
>>>>>>  % man podman
>>>>>> No manual entry for podman
>>>>>> --------------------
>>>>>>
>>>>>> :-(   snif
>>>>>>
>>>>>>
>>>>>>> That's weird.
>>>>>>
>>>>>> rpm -q podman
>>>>>> podman-0.5.4-1.git1f2e2a2.fc28.x86_64
>>>>>>
>>>>>> There should be man pages. Are you doing this on atomic host?
>>>>>>
>>>>>
>>>>> YES.
>>>>>
>>>>> Atomic host excludes man pages.
>>>>> You can read lots of docs on podman at
>>>>> https://github.com/projectatomic/libpod/
>>>>>
>>>>> Man pages are here
>>>>> https://github.com/projectatomic/libpod/blob/master/commands.md
>>>>>
>>>>> You never showed me the output of the docker command.
>>>>>
>>>>
>>> Sorry for this confusion
>>>
>>> ----------------------------
>>> root@control2➤➤ ~ # docker run fedora cat /proc/self/attr/current
>>> Unable to find image 'fedora:latest' locally
>>> latest: Pulling from library/fedora
>>> e71c36a80ba9: Pull complete
>>> Digest:
>>> sha256:7ae08e5637170eb47c01e315b6e64e0d48c6200d2942c695d0bee61b38c65b39
>>> Status: Downloaded newer image for fedora:latest
>>> system_u:system_r:spc_t:s0#
>>>
>>> Ok that indicates SELinux is disabled in the daemon.  Adding back the
>>> --selinux-enabled will fix this issue.
>>>
>>
>> where? In /etc/sysconfig/docker?  Or is there a new config file in Atomic
>> to set this option?
>>
>> Still in /etc/sysconfig/docker, then restart docker service and the
>> docker run line should show you container_t rather than spc_t.
>>
>
> -----------------------------------
> # cat /etc/sysconfig/docker
> OPTIONS='--selinux-enable'
> # systemctl start docker
>  # docker run fedora cat /proc/self/attr/current
> .......
> system_u:system_r:spc_t:s0#
> -------------------------
>
> doesn't work.
>

# systemctl edit docker.service
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --selinux-enabled
# systemctl restart docker
# docker run fedora cat /proc/self/attr/current
system_u:system_r:container_t:s0:c81,c142#

As a temporary worka

>
>
>
>
>>
>>
>>> Lokesh, Franticek, the docker we are shipping on atomic host does not
>>> have SELinux enabled?
>>>
>>>
>>> --------------------------------------------
>>>
>>>>
>>>> I did in one previous email (06:25)
>>>>
>>>> ---------------------------------
>>>>   # podman run fedora cat /proc/self/attr/current
>>>> Trying to pull docker.io/fedora:latest...Getting image source
>>>> signatures
>>>> Copying blob
>>>> sha256:e71c36a80ba912dd7a5a9f2f2d6136c148afa19bc7d024bd616b74a0bc7a2774
>>>>  82.57 MB / 82.57 MB
>>>> [=====================================================] 20s
>>>> Copying config
>>>> sha256:cc510acfcd701a409014118d5f417f0022520802a26c650866b8a9594d75f3a7
>>>>  2.29 KB / 2.29 KB
>>>> [========================================================] 0s
>>>> Writing manifest to image destination
>>>> Storing signatures
>>>> system_u:system_r:container_t:s0:c377,c551#
>>>> ---------------------------------------------
>>>>
>>>> That's the output of podman, I need docker.
>>>>
>>>
>>>
>>
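
The check used throughout this thread, as an added shell example that is not part of the original messages: classify the context printed by `docker run fedora cat /proc/self/attr/current`. The function name and verdict strings are assumptions of this example; the sample contexts are the ones quoted in the thread.

```shell
#!/bin/sh
# classify_context CONTEXT  (hypothetical helper, not a docker or SELinux tool)
# CONTEXT is an SELinux process context, user:role:type[:level], e.g. from
#   docker run fedora cat /proc/self/attr/current
classify_context() {
    ctx=${1%#}                      # drop a shell prompt glued to the output
    case $ctx in
        *:*:*) ;;                   # need at least user:role:type
        *) echo "invalid"; return 0 ;;
    esac

    rest=${ctx#*:}; rest=${rest#*:} # strip user and role -> type[:level]
    type=${rest%%:*}
    case $rest in
        *:*) level=${rest#*:} ;;
        *)   level= ;;
    esac

    case $type in
        container_t)
            # A confined container also carries its own MCS category pair
            # (s0:cN,cM), which separates it from other containers.
            case $level in
                *:c*,c*) echo "confined" ;;
                *)       echo "confined-no-mcs" ;;
            esac ;;
        spc_t)
            # Super privileged container type: what the thread sees when the
            # daemon runs without --selinux-enabled.
            echo "unconfined-spc" ;;
        *)  echo "not-a-container-domain" ;;
    esac
}

# Contexts quoted in the thread (trailing '#' is the prompt, kept as posted).
for sample in \
    'system_u:system_r:spc_t:s0#' \
    'system_u:system_r:container_t:s0:c81,c142#' \
    'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023#'
do
    printf '%-58s %s\n' "$sample" "$(classify_context "$sample")"
done

# Live use on a host with docker (not run here):
#   classify_context "$(docker run --rm fedora cat /proc/self/attr/current)"
```

Anything other than `confined` for a default `docker run` means the daemon's SELinux setting should be rechecked before the host goes into service.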
