opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-19 04:03:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add documentation on running systemd on SELinux systems

Browse Source 
Lots of users are attempting to run systemd within a container.  They are
being blocked from running SELinux systems since they need the
container_manage_cgroup which is not enabled by default.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2019-02-05 10:04:44 -08:00
parent d321c5d942
commit 1dd7bd0d0f
3 changed files with 32 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/podman-create.1.md
View File

@ -610,6 +610,12 @@ It will also set the default stop signal to SIGRTMIN+3.
This allow systemd to run in a confined container without any modifications. This allow systemd to run in a confined container without any modifications.
Note: On `SELinux` systems, systemd attempts to write to the cgroup
file system. Containers writing to the cgroup file system are denied by default.
The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system.
`setsebool -P container_manage_cgroup true`
**--tmpfs**=[] Create a tmpfs mount **--tmpfs**=[] Create a tmpfs mount
Mount a temporary filesystem (`tmpfs`) mount into a container, for example: Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
@ -804,7 +810,7 @@ WantedBy=multi-user.target
**/etc/subgid** **/etc/subgid**
## SEE ALSO ## SEE ALSO
subgid(5), subuid(5), libpod.conf(5), systemd.unit(5) subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
## HISTORY ## HISTORY
October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com> October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com>

8
docs/podman-run.1.md
View File

@ -612,6 +612,12 @@ It will also set the default stop signal to SIGRTMIN+3.
This allow systemd to run in a confined container without any modifications. This allow systemd to run in a confined container without any modifications.
Note: On `SELinux` systems, systemd attempts to write to the cgroup
file system. Containers writing to the cgroup file system are denied by default.
The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system.
`setsebool -P container_manage_cgroup true`
**--tmpfs**=[] Create a tmpfs mount **--tmpfs**=[] Create a tmpfs mount
Mount a temporary filesystem (`tmpfs`) mount into a container, for example: Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
@ -1096,7 +1102,7 @@ WantedBy=multi-user.target
**/etc/subgid** **/etc/subgid**
## SEE ALSO ## SEE ALSO
subgid(5), subuid(5), libpod.conf(5), systemd.unit(5) subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
## HISTORY ## HISTORY
September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>

18
troubleshooting.md
View File

@ -173,3 +173,21 @@ cat ~/.config/containers/storage.conf
[storage.options] [storage.options]
mount_program = "/bin/fuse-overlayfs" mount_program = "/bin/fuse-overlayfs"
``` ```
### 8) Permission denied when running systemd within a Podman container
When running systemd as PID 1 inside of a container on an SELinux
separated machine, it needs to write to the cgroup file system.
#### Symptom
Systemd gets permission denied when attempting to write to the cgroup file
system, and AVC messages start to show up in the audit.log file or journal on
the system.
#### Solution
SELinux provides a boolean `container_manage_cgroup`, which allows container
processes to write to the cgroup file system. Turn on this boolean, on SELinux separated systems, to allow systemd to run properly in the container.
`setsebool -P container_manage_cgroup true`