On Sun, Jun 3, 2018 at 12:31 PM Daniel Walsh <dwa...@redhat.com> wrote:

> On 06/02/2018 12:29 PM, arnaud gaboury wrote:
>
>
>
> On Sat, Jun 2, 2018 at 4:21 PM Colin Walters <walt...@verbum.org> wrote:
>
>>
>>
>> On Sat, Jun 2, 2018, at 8:30 AM, arnaud gaboury wrote:
>> >
>> >  # systemctl edit docker.service
>> > [Service]
>> > ExecStart=
>> > ExecStart=/usr/bin/dockerd --selinux-enabled
>> > # systemctl restart docker
>> > # docker run fedora cat /proc/self/attr/current
>> > system_u:system_r:container_t:s0:c81,c142#
>>
>> See:
>> /usr/lib/systemd/system/docker.service
>> You need all that stuff in the default ExecStart= to have the config
>> files work.
>>
>
> I am confused between /etc/sysconfig/docker and /etc/docker/daemon.json.
> It seems to me there is some redundancy. As a note, I run Arch and
> /etc/sysconfig was removed a long time ago.
> After some tests:
>
> --------------------------------------
> 1- no /etc/docker/daemon.json, no /etc/sysconfig/docker, no docker.service
> override
> # docker run fedora cat /proc/self/attr/current
> system_u:system_r:spc_t:s0#
> 2- no /etc/docker/daemon.json, no /etc/sysconfig/docker, docker.service
> override
> # docker run fedora cat /proc/self/attr/current
> system_u:system_r:container_t:s0:c499,c950#
> 3- /etc/docker/daemon.json, no /etc/sysconfig/docker, no docker.service
> override
> # docker run fedora cat /proc/self/attr/current
> system_u:system_r:container_t:s0:c471,c600#
> 4- no /etc/docker/daemon.json, /etc/sysconfig/docker, no docker.service
> override
> # docker run fedora cat /proc/self/attr/current
> system_u:system_r:spc_t:s0#
> ---------------------------------------------
>
> As you can see, some settings will not work. As for my "test", solution 3
> (/etc/docker/daemon.json, no /etc/sysconfig/docker, no docker.service
> override) is the one I will use.
>
>
> Ok you can add the selinux-enabled field to /etc/docker/daemon.json
> (Although I am not aware of the syntax.)  I thought you were doing this
> testing with the Projectatomic/docker.  It looks like you are working with
> the upstream docker-ce, which I am sad to say seems to not enable selinux
> by default at least on Arch.
>

No, there is a misunderstanding. My home box is an Arch and this distro has
removed the /etc/sysconfig directory for a while now. Nothing to do with
docker. Btw, Arch is not SELinux compatible. I just wanted to point out that this
directory is quite useless and can be removed.

My servers are for now Fedora 28, but I plan to install Atomic on all my
Kubernetes cluster nodes. Before going further, I am currently playing with
one VM with Atomic. Here are the rpms I used to install docker-ce:
docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm
docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm

I couldn't find 17.03 for Fedora on the Docker page. I was able to create a
working Kubernetes cluster with 17.12, so maybe I shall use it indeed.

-----------------------------------------------
# dnf list docker-ce  --showduplicates | sort -r

docker-ce.x86_64               18.03.1.ce-1.fc27               docker-ce-stable
docker-ce.x86_64               18.03.0.ce-1.fc27               docker-ce-stable
docker-ce.x86_64               17.12.1.ce-1.fc27               docker-ce-stable
docker-ce.x86_64               17.12.0.ce-1.fc27               docker-ce-stable
docker-ce.x86_64               17.12.0.ce-1.fc27               @docker-ce-stable
docker-ce.x86_64               17.12.0.ce-1.fc27               @docker-ce-stable
-----------------------------------------

So to close this thread, I added the selinux option in my
/etc/docker/daemon.json as it seems to me the best place compared to
service file or /etc/sysconfig/docker.
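Added example, not from this thread: a small helper that merges `"selinux-enabled": true` into an existing /etc/docker/daemon.json without dropping other keys, classifies the `/proc/self/attr/current` output shown above (confined `container_t` vs. unconfined `spc_t`), and lists keys that are set both in daemon.json and as dockerd flags, since dockerd refuses to start when an option is given in both places. The flag-to-key matching assumes the long flag name equals the JSON key (true for `--selinux-enabled`, not for every option); the sample inputs are constructed.

```python
import json

# Label seen in the thread once SELinux is enabled: the per-container confined type.
# spc_t is the unconfined "super privileged container" type seen when it is not.
CONFINED_TYPE = "container_t"


def label_is_confined(label: str) -> bool:
    """True when a /proc/self/attr/current label uses the confined container_t type."""
    # The trailing '#' in the thread's output is the shell prompt, not part of the label.
    parts = label.strip().rstrip("#").split(":")
    return len(parts) >= 3 and parts[2] == CONFINED_TYPE


def load_config(daemon_json_text: str) -> dict:
    """Parse daemon.json text; an empty or missing file counts as an empty object."""
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    return config


def enable_selinux(daemon_json_text: str) -> str:
    """Return daemon.json text with "selinux-enabled": true merged in, keeping other keys."""
    config = load_config(daemon_json_text)
    config["selinux-enabled"] = True
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def flag_conflicts(daemon_json_text: str, execstart_flags: list) -> list:
    """Keys present in daemon.json that are also passed as --long flags in ExecStart.

    Assumption: the long flag name matches the daemon.json key (as with --selinux-enabled).
    """
    config = load_config(daemon_json_text)
    flag_keys = {f.lstrip("-").split("=")[0] for f in execstart_flags if f.startswith("--")}
    return sorted(set(config) & flag_keys)


if __name__ == "__main__":
    # Constructed sample: an existing daemon.json with one unrelated setting.
    existing = '{"log-driver": "journald"}'
    print(enable_selinux(existing))
    print(flag_conflicts(enable_selinux(existing), ["--selinux-enabled", "-H", "fd://"]))
```

Run the container label check as in the thread (`docker run fedora cat /proc/self/attr/current`) after restarting the daemon; a `spc_t` result means the setting did not take effect.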
