On Sat, Jun 2, 2018 at 2:24 PM arnaud gaboury <arnaud.gabo...@gmail.com> wrote:
> On Sat, Jun 2, 2018 at 2:02 PM arnaud gaboury <arnaud.gabo...@gmail.com> wrote:
>
>> On Fri, Jun 1, 2018 at 10:36 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>
>>> On 06/01/2018 04:31 PM, arnaud gaboury wrote:
>>>
>>> On Fri, Jun 1, 2018 at 9:49 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>
>>>> On 06/01/2018 01:52 PM, arnaud gaboury wrote:
>>>>
>>>> On Fri, Jun 1, 2018 at 7:46 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>
>>>>> On 06/01/2018 01:44 PM, arnaud gaboury wrote:
>>>>>
>>>>> On Fri, Jun 1, 2018 at 7:12 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>>
>>>>>> On 06/01/2018 01:08 PM, arnaud gaboury wrote:
>>>>>>
>>>>>> On Fri, Jun 1, 2018 at 6:53 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>>>
>>>>>>> On 06/01/2018 12:33 PM, arnaud gaboury wrote:
>>>>>>>
>>>>>>> On Fri, Jun 1, 2018 at 6:25 PM arnaud gaboury <arnaud.gabo...@gmail.com> wrote:
>>>>>>>
>>>>>>>> On Fri, Jun 1, 2018 at 6:19 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>>>>>
>>>>>>>>> On 06/01/2018 12:07 PM, arnaud gaboury wrote:
>>>>>>>>>
>>>>>>>>> On Fri, Jun 1, 2018 at 5:04 PM Daniel Walsh <dwa...@redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> On 06/01/2018 10:58 AM, arnaud gaboury wrote:
>>>>>>>>>> > I am switching from fedora server to Atomic.
>>>>>>>>>> >
>>>>>>>>>> > In the old world, my "/etc/sysconfig/docker" file had the content:
>>>>>>>>>> > OPTIONS="--selinux-enable"
>>>>>>>>>> > Now, after running the script container-storage-setup to create a thin
>>>>>>>>>> > pool volume, the file with options is now
>>>>>>>>>> > "/etc/sysconfig/docker-storage" and has the following content:
>>>>>>>>>> > ---------------------
>>>>>>>>>> > DOCKER_STORAGE_OPTIONS="--storage-driver devicemapper --storage-opt dm.fs=xfs --storage-opt dm.thinpooldev=/dev/mapper/vg--docker-docker--pool --storage-opt dm.use_deferred_removal=true --storage-opt dm.use_deferred_deletion=true "
>>>>>>>>>> > ---------------------
>>>>>>>>>> >
>>>>>>>>>> > Nothing about SELinux. Is it expected? Shall I write this option
>>>>>>>>>> > somewhere else?
>>>>>>>>>> >
>>>>>>>>>> > Thank you.
>>>>>>>>>>
>>>>>>>>>> I think it should have that flag. If you run a container what does
>>>>>>>>>> cat /proc/self/attr/current show?
>>>>>>>>>
>>>>>>>>> ------------------------
>>>>>>>>> # docker run hello-world
>>>>>>>>> .........
>>>>>>>>> # cat /proc/self/attr/current
>>>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023#
>>>>>>>>> ----------------------------
>>>>>>>>>
>>>>>>>>> Should have been more clear
>>>>>>>>>
>>>>>>>>> docker run fedora cat /proc/self/attr/current
>>>>>>>>>
>>>>>>>> What does this command show?
>>>>>>>
>>>>>>> Of course I would prefer
>>>>>>>>>
>>>>>>>>> podman run fedora cat /proc/self/attr/current
>>>>>>>>>
>>>>>>>> I didn't know this command... so much new stuff to learn!
>>>>>>>
>>>>>>> ------------------
>>>>>>> % man podman
>>>>>>> No manual entry for podman
>>>>>>> --------------------
>>>>>>>
>>>>>>> :-( snif
>>>>>>>
>>>>>>>> That's weird.
>>>>>>>
>>>>>>> rpm -q podman
>>>>>>> podman-0.5.4-1.git1f2e2a2.fc28.x86_64
>>>>>>>
>>>>>>> There should be man pages. You doing this on atomic host?
>>>>>>
>>>>>> YES.
>>>>>>
>>>>>> Atomic host excludes man pages.
>>>>>> You can read lots of docs on podman at
>>>>>> https://github.com/projectatomic/libpod/
>>>>>>
>>>>>> Man pages are here
>>>>>> https://github.com/projectatomic/libpod/blob/master/commands.md
>>>>>>
>>>>>> You never showed me the output of the docker command.
>>>>>
>>>> Sorry for this confusion
>>>>
>>>> ----------------------------
>>>> root@control2➤➤ ~ # docker run fedora cat /proc/self/attr/current
>>>> Unable to find image 'fedora:latest' locally
>>>> latest: Pulling from library/fedora
>>>> e71c36a80ba9: Pull complete
>>>> Digest: sha256:7ae08e5637170eb47c01e315b6e64e0d48c6200d2942c695d0bee61b38c65b39
>>>> Status: Downloaded newer image for fedora:latest
>>>> system_u:system_r:spc_t:s0#
>>>>
>>>> Ok that indicates SELinux is disabled in the daemon. Adding back the
>>>> --selinux-enabled will fix this issue.
>>>
>>> where? In /etc/sysconfig/docker? Or is there a new config file in
>>> Atomic to set this option?
>>>
>>> Still in /etc/sysconfig/docker, then restart docker service and the
>>> docker run line should show you container_t rather than spc_t.
>>
>> -----------------------------------
>> # cat /etc/sysconfig/docker
>> OPTIONS='--selinux-enable'
>> # systemctl start docker
>> # docker run fedora cat /proc/self/attr/current
>> .......
>> system_u:system_r:spc_t:s0#
>> -------------------------
>>
>> doesn't work.
>
> # systemctl edit docker.service
> [Service]
> Execstart=
> ExecStart=/usr/bin/dockerd --selinux-enabled
> # systemctl restart docker
> # docker run fedora cat /proc/self/attr/current
> system_u:system_r:container_t:s0:c81,c142#
>
> As a temporary worka

Sorry for the missing last part, email was sent too early.

# systemctl edit docker.service
[Service]
Execstart=
ExecStart=/usr/bin/dockerd --selinux-enabled
# systemctl restart docker
# docker run fedora cat /proc/self/attr/current
system_u:system_r:container_t:s0:c81,c142#

As a temporary workaround, that's fine. But it seems docker doesn't take into account the /etc/sysconfig/docker file, or something like that. On another machine, fedora 28, with same docker-ce version, it works fine.

>>>> Lokesh, Franticek, the docker we are shipping on atomic host does not
>>>> have SELinux enabled?
>>>>
>>>> --------------------------------------------
>>>>
>>>>> I did in one previous email (06:25)
>>>>>
>>>>> ---------------------------------
>>>>> # podman run fedora cat /proc/self/attr/current
>>>>> Trying to pull docker.io/fedora:latest...Getting image source signatures
>>>>> Copying blob sha256:e71c36a80ba912dd7a5a9f2f2d6136c148afa19bc7d024bd616b74a0bc7a2774
>>>>> 82.57 MB / 82.57 MB [=====================================================] 20s
>>>>> Copying config sha256:cc510acfcd701a409014118d5f417f0022520802a26c650866b8a9594d75f3a7
>>>>> 2.29 KB / 2.29 KB [========================================================] 0s
>>>>> Writing manifest to image destination
>>>>> Storing signatures
>>>>> system_u:system_r:container_t:s0:c377,c551#
>>>>> ---------------------------------------------
>>>>>
>>>>> That's the output of podman, I need docker.
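The diagnostic the thread settles on is the SELinux type of a process inside a container (container_t means the daemon is separating containers, spc_t means dockerd was started without --selinux-enabled) together with whether the OPTIONS line in /etc/sysconfig/docker actually carries that flag. The script below is an added example and not code from the thread, from docker or from the Atomic project; it wraps those two checks in shell functions so they can be run on a host or against pasted output. The sample labels and OPTIONS lines embedded in it are constructed from the thread's own output, the live_check function assumes a working docker with the fedora image, and the drop-in it emits mirrors the workaround used in the thread, with the reset line spelled ExecStart= because systemd directive names are case-sensitive.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the two things the thread
# inspects: the SELinux label a container process gets, and whether the
# daemon's OPTIONS line carries the --selinux-enabled flag.

# Extract the SELinux type (third field) from a process label such as
# system_u:system_r:container_t:s0:c81,c142. A trailing '#' is stripped:
# /proc/self/attr/current has no newline, so the next shell prompt gets
# glued onto the label when it is pasted from a terminal.
selinux_type() {
    label=${1%#}
    printf '%s\n' "$label" | cut -d: -f3
}

# Classify what a container's label says about the daemon:
#   container_t  -> SELinux separation is on (expected)
#   spc_t        -> dockerd is running without --selinux-enabled
#   anything else -> report it, it is not a confined container label
# Exit status is 0 only when the container is confined.
classify_label() {
    case $(selinux_type "$1") in
        container_t) echo "confined"; return 0 ;;
        spc_t)       echo "unconfined (dockerd lacks --selinux-enabled)"; return 1 ;;
        *)           echo "unexpected type $(selinux_type "$1")"; return 1 ;;
    esac
}

# Check an OPTIONS=... line for the exact flag dockerd understands. It has
# to match as a whole word: '--selinux-enable' (no trailing d) is a
# different string and is rejected.
options_has_selinux_flag() {
    value=${1#OPTIONS=}
    value=$(printf '%s' "$value" | tr -d "\"'")
    for word in $value; do
        [ "$word" = "--selinux-enabled" ] && return 0
    done
    return 1
}

# Same check against a sysconfig file (default: the path named in the
# thread). Returns 2 when the file cannot be read.
sysconfig_has_selinux_flag() {
    file=${1:-/etc/sysconfig/docker}
    [ -r "$file" ] || return 2
    options_has_selinux_flag "$(grep '^OPTIONS=' "$file" | tail -n 1)"
}

# Drop-in that forces the flag onto the daemon command line, for use with
# 'systemctl edit docker.service'. The empty ExecStart= resets the unit's
# command list; the key must be spelled exactly ExecStart.
selinux_dropin() {
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd --selinux-enabled\n'
}

# Live check against a running daemon (assumption: docker and the fedora
# image are available). Not executed by the demo below.
live_check() {
    label=$(docker run --rm fedora cat /proc/self/attr/current) || return 2
    classify_label "$label"
}

# Demo on constructed samples copied from the thread: a docker container
# on the affected host, a container after the drop-in, and the host
# shell's own label from the first (mistaken) cat.
for sample in \
    'system_u:system_r:spc_t:s0#' \
    'system_u:system_r:container_t:s0:c81,c142#' \
    'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023#'; do
    printf '%-56s -> %s\n' "$sample" "$(classify_label "$sample")"
done
for line in "OPTIONS='--selinux-enable'" 'OPTIONS="--selinux-enabled"'; do
    if options_has_selinux_flag "$line"; then
        printf '%s: flag present\n' "$line"
    else
        printf '%s: flag missing or misspelled\n' "$line"
    fi
done
```

On a host, run `live_check` after each daemon restart; a verdict of spc_t after editing /etc/sysconfig/docker means the daemon did not pick up the OPTIONS line, which is the situation the thread ends on, and `sysconfig_has_selinux_flag` tells you whether the line itself is what dockerd expects.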