[Container-tools] vagrant-sshfs vs. Docker/SELinux

Dusty Mabe dusty at dustymabe.com
Tue Apr 12 20:07:14 UTC 2016



On 04/12/2016 03:02 PM, Daniel J Walsh wrote:
> 
> 
> On 04/11/2016 06:33 PM, Dusty Mabe wrote:
>>
>> On 04/11/2016 10:37 AM, Daniel J Walsh wrote:
>>>
>>> On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
>>>> Hi,
>>>>
>>>> I have been playing with vagrant-sshfs to build persistent storage for
>>>> docker registry inside ADB box but I have encountered SELinux issue.
>>>>
>>>> Steps to reproduce:
>>>>    $ Add sshfs folder into Vagrantfile
>>>>      config.vm.synced_folder "/home/tnozicka/tmp/registry-data",
>>>> "/var/lib/registry", type: "sshfs"
>>>>    $ vagrant up
>>>>    $ vagrant ssh
>>>>    $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7
>>>> bash -c 'mkdir /var/lib/registry/new-dir'
>>>> (fails [and should] since /var/lib/registry does not have the right
>>>> SELinux context)
>>>>
>>>>    $ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z
>>>> centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
>>>> (FAILS with: Error response from daemon: operation not supported)
>>>>
>>>> The latter one (:Z) works for ordinary folders, but it is failing with
>>>> the one mounted by sshfs :( I tried to fix SELinux with:
>>>> $ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
>>>> chcon: failed to change context of ‘docker’ to
>>>> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>>>> chcon: failed to change context of ‘/var/lib/registry’ to
>>>> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>>>>
>>>> but without success. Does anybody have any ideas how to get sshfs and
>>>> Docker/SELinux working together?
>>>>
>>>> Everything works after running:
>>>> $ sudo setenforce 0
>>>> inside ADB, so it is almost definitely an SELinux-related issue.
>>>>
>>>>
>>>> Thanks,
>>>> Tomas Nozicka
>>>>
>>>>
>>>> [1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
>>>>
>>>> _______________________________________________
>>>> Container-tools mailing list
>>>> Container-tools at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/container-tools
>>> What AVCs are you seeing?  The problem is sshfs does not support
>>> SELinux labels, so you cannot set them to share within the container.
>>> We could attempt to mount the sshfs with a context mount, if sshfs
>>> works that way.
>>>
>>> mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"
>> Something like this was added some time ago but there is no release
>> with it included as of yet:
>>
>> https://github.com/libfuse/libfuse/commit/c52cafc81ced83fbd5cc7edf4ef5f7cb57b82729
> Looks like it is implemented. So mounting a fuse file system with sshfs 
> with context="system_u:object_r:svirt_sandbox_file_t:s0:c1,c2"
> is supposed to work.

Well... It has been implemented but not released, which is why it
doesn't work in CentOS/Fedora. It is a pretty small patch if we wanted
to carry it for now.

On a side note `setsebool -P virt_sandbox_use_fusefs 1` works so maybe
I'll modify the vagrant-sshfs plugin to do that when performing these
mounts.

Dusty
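As an added illustration (not code from this thread or from the vagrant-sshfs plugin), here is a small POSIX sh helper that reads a /proc/mounts snapshot and reports which of the three remedies discussed above applies to a given volume path: plain relabelling with `:Z`, a `context=` mount, or the `virt_sandbox_use_fusefs` boolean. The mount lines it ships with are constructed sample data, not captured from the ADB box.

```shell
#!/bin/sh
# Added example, not code from the thread or from vagrant-sshfs.
# Given a /proc/mounts snapshot, report how a docker volume path can be
# made usable by a confined container:
#   relabel  - fs carries per-file labels (seclabel): "-v path:path:Z" can chcon it
#   context  - mount already has a fixed context= label: no relabelling needed
#   boolean  - FUSE mount without labels (the sshfs case): needs
#              "setsebool -P virt_sandbox_use_fusefs 1" or a context= mount
#   unknown  - anything else

# Constructed sample snapshot; the sshfs lines mimic the setup in the thread.
SAMPLE_MOUNTS='/dev/mapper/centos-root / xfs rw,seclabel,relatime,attr2,inode64 0 0
tnozicka@10.0.2.2:/home/tnozicka/tmp/registry-data /var/lib/registry fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
tnozicka@10.0.2.2:/home/tnozicka/tmp/labelled /mnt/labelled fuse.sshfs rw,nosuid,nodev,relatime,context="system_u:object_r:svirt_sandbox_file_t:s0:c1,c2" 0 0'

# volume_label_mode PATH [MOUNTS_TEXT]  -> prints one of the words above
volume_label_mode() {
    path=$1
    mounts=${2:-$SAMPLE_MOUNTS}
    best_mnt= best_fs= best_opts=
    # pick the deepest mount point that is a prefix of PATH
    while read -r _src mnt fstype opts _rest; do
        prefix=${mnt%/}          # "/" becomes "" so the "/*" pattern matches everything
        case "$path" in
            "$prefix"|"$prefix"/*)
                if [ ${#mnt} -ge ${#best_mnt} ]; then
                    best_mnt=$mnt best_fs=$fstype best_opts=$opts
                fi ;;
        esac
    done <<EOF
$mounts
EOF
    # context= is checked first: a context mount does not show seclabel
    case ",$best_opts," in
        *,context=*)   echo context ;;
        *,seclabel,*)  echo relabel ;;
        *) case "$best_fs" in
               fuse*) echo boolean ;;
               *)     echo unknown ;;
           esac ;;
    esac
}

# Stand-alone use: ./check.sh /var/lib/registry /mnt/labelled
if [ $# -gt 0 ]; then
    for p; do printf '%-24s %s\n' "$p" "$(volume_label_mode "$p")"; done
fi
```

On a real box, pass `"$(cat /proc/mounts)"` as the second argument instead of relying on the embedded sample.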
