I have a tiny storage device mounted as root FS in my VM running Fedora Rawhide. I want to use this machine as docker host for few services.
I have also different device available here and mounted as /bigone.
So my concept is to add:
into the options of the etc/sysconfig/docker file.
This works just fine and docker runs with a custom root dir:
    [[email protected] ~]$ docker info
    ///
    Security Options:
     seccomp
      Profile: default
     selinux
    Kernel Version: 5.3.0-0.rc3.git1.1.fc31.x86_64
    Operating System: Fedora 31 (Server Edition)
    OSType: linux
    Architecture: x86_64
    CPUs: 6
    Total Memory: 7.747GiB
    ///
    Docker Root Dir: /bigone/opt/docker
    ///
Now when I try to run any container that is using volumes I get Permission denied in my face. For instance:
    [[email protected] ~]$ docker run -u root --rm -p 8080:8080 -p 50000:50000 -v jenkins-data:/var/jenkins_home:z -v /var/run/docker.sock:/var/run/docker.sock:z jenkinsci/blueocean
    Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
    Error relocating /sbin/tini: RELRO protection failed: Permission denied
As you can see, I try to run it with :z, which is described as “relabel selinux crap blah blah blah you will be happy blah blah blah”. Unfortunately the label is not assigned with the custom root.
Two things make it work:
- removing the -g parameter from the startup command (definitely NOGO)
- this causes all docker crap to move into /var/lib/docker and suddenly docker-run is able to assign proper labels for volume folders
    ls -ladZ /var/lib/docker/volumes/jenkins-data/
    drwxr-xr-x. 3 root root system_u:object_r:container_var_lib_t:s0 19 Aug 12 21:57 /var/lib/docker/volumes/jenkins-data/
- sudo setenforce 0
- this causes the container to run properly, but selinux reports an error in the journal and the label is not there in volumes
    ls -ladZ /bigone/opt/docker/volumes/jenkins-data/
    drwxr-xr-x. 3 root root system_u:object_r:unlabeled_t:s0 27 Aug 12 20:40 /bigone/opt/docker/volumes/jenkins-data/
So the question is: what am I missing to run docker in a custom location with selinux enabled?
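An added example (not part of the original post) that puts the two ls -ladZ observations above into a small check-and-fix script. It assumes the custom data root /bigone/opt/docker from the question and takes container_var_lib_t, the type seen on the working /var/lib/docker volume directory, as the expected label; the fix it applies is the standard SELinux file-context equivalence for a relocated Docker root (semanage fcontext -a -e plus restorecon), which the post itself does not mention. semanage comes from policycoreutils-python-utils on Fedora.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the custom Docker data
# root /bigone/opt/docker from the question and the type container_var_lib_t
# that the working /var/lib/docker case shows.
set -eu

DOCKER_ROOT="${DOCKER_ROOT:-/bigone/opt/docker}"
EXPECTED_TYPE="container_var_lib_t"

# Pull the SELinux type (third colon-separated field of the context) out of
# one line of `ls -ladZ` output. With GNU coreutils the context is field 5:
#   drwxr-xr-x. 3 root root system_u:object_r:unlabeled_t:s0 27 Aug 12 20:40 /path
type_from_ls_line() {
    printf '%s\n' "$1" | awk '{ print $5 }' | cut -d: -f3
}

# unlabeled_t (as seen on /bigone in the question) means the policy has no
# file-context rule covering the path, so container processes are denied.
type_is_ok() {
    case "$1" in
        "$EXPECTED_TYPE") return 0 ;;
        *) return 1 ;;
    esac
}

# Report the label of a directory that exists on this host.
check_dir_label() {
    dir="$1"
    actual=$(type_from_ls_line "$(ls -ladZ "$dir")")
    if type_is_ok "$actual"; then
        echo "OK   $dir: $actual"
    else
        echo "BAD  $dir: $actual (expected $EXPECTED_TYPE)"
        return 1
    fi
}

# Register the custom root as equivalent to /var/lib/docker in the
# file-context database, so the same rules apply to everything under it,
# then relabel what is already there. Needs root. Unlike chcon this lives in
# the policy store and survives a full relabel.
label_custom_docker_root() {
    semanage fcontext -a -e /var/lib/docker "$1"
    restorecon -R -v "$1"
}

# Show the denials behind the "Permission denied" errors (needs auditd).
recent_avc_denials() {
    ausearch -m AVC -ts recent
}

# Usage: sh docker_root_label.sh check | fix | avc
main() {
    case "${1:-check}" in
        check) check_dir_label "$DOCKER_ROOT" ;;
        fix)   label_custom_docker_root "$DOCKER_ROOT"; check_dir_label "$DOCKER_ROOT" ;;
        avc)   recent_avc_denials ;;
        *)     echo "usage: $0 check|fix|avc" >&2; return 2 ;;
    esac
}

# Only run when invoked with an argument, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run `check` first with SELinux enforcing; a BAD line with unlabeled_t matches the second ls output in the question, and `fix` followed by a dockerd restart is what turns it into the first.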