Bug #42511 (closed)
ceph-daemon fails when selinux is enabled
Description
If you setenforce 0, everything is great. Otherwise, however, you get an error like
2019-10-28T03:21:10.741 INFO:tasks.workunit.client.0.smithi180.stderr:Error: relabel failed "/dev": SELinux relabeling of /dev is not allowed
when trying to start a container that passes through /dev. A minimal reproducer (with ceph-daemon):
- wget/curl ceph-daemon from master
- sudo ./ceph-daemon shell
With podman a minimal reproducer is:
/bin/podman run -it --net=host --privileged -v /dev:/dev:z --entrypoint bash ceph/daemon-base
Updated by Sage Weil over 4 years ago
This also fails:
/bin/podman run -it --net=host --privileged -v /dev:/dev:z --entrypoint bash centos
Updated by Sage Weil over 4 years ago
- revert https://github.com/ceph/ceph/pull/31269 when this is fixed ***
Updated by Boris Ranto over 4 years ago
What is this used/needed for? Having :z for /dev is not a great idea. Relabelling devices for use in containers in the main system would probably just result in many more issues.
You can just run
/bin/podman run -it --net=host --privileged -v /dev:/dev --entrypoint bash ceph/daemon-base
and that should give you a running container; SELinux might block access to some devices inside the container though. It may be a better idea to use the --device parameter to podman to include only the devices that you need inside the container.
Updated by Sage Weil over 4 years ago
Boris Ranto wrote:
What is this used/needed for? Having :z for /dev is not a great idea. Relabelling devices for use in containers in the main system would probably just result in many more issues.
You can just run
/bin/podman run -it --net=host --privileged -v /dev:/dev --entrypoint bash ceph/daemon-base
and that should give you a running container; SELinux might block access to some devices inside the container though. It may be a better idea to use the --device parameter to podman to include only the devices that you need inside the container.
Aha! Okay, I just added the :z because I saw it somewhere else, without knowing what it means.
Can you help me understand if and where we need :z for any of these volume pass-throughs? I think they fall into a few categories:
1. temporary files in /tmp that I'm mapping to various paths inside the container, like
- /tmp/othertempname
- /etc/ceph/ceph.conf
- /etc/ceph/ceph.keyring
do these need relabeling in order for the container processes to access them?
2. the actual daemon state in /var/lib/ceph, like
- /var/lib/ceph/$uuid/mon.foo to /var/lib/ceph/mon/ceph-foo
3. system directories like
- /sys
- /run/udev
- /dev
My guess is: yes, no, no?
Updated by Sage Weil over 4 years ago
- Status changed from 12 to Fix Under Review
- Pull request ID set to 31321
Updated by Sage Weil over 4 years ago
- Status changed from Fix Under Review to Resolved