diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-02-07 03:35:57 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-02-07 03:35:57 +0100 |
| commit | f250745fe07fd5e9487b651b4071464c83196738 (patch) | |
| tree | 292e20d56f18cbe4d15e03cc546cf3b961e1ee87 | |
| parent | dab590d13eddf705f1a088e4a1afceaf0f15bfbb (diff) | |
| parent | 1dd7bd0d0f6b581f26642e61e05984fe7eee5a7f (diff) | |
| download | podman-f250745fe07fd5e9487b651b4071464c83196738.tar.gz podman-f250745fe07fd5e9487b651b4071464c83196738.tar.bz2 podman-f250745fe07fd5e9487b651b4071464c83196738.zip | |
Merge pull request #2269 from rhatdan/selinux
Add documentation on running systemd on SELinux systems
| -rw-r--r-- | docs/podman-create.1.md | 8 | ||||
| -rw-r--r-- | docs/podman-run.1.md | 8 | ||||
| -rw-r--r-- | troubleshooting.md | 18 |
3 files changed, 32 insertions, 2 deletions
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index 178542f0d..98b1a2a17 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -610,6 +610,12 @@ It will also set the default stop signal to SIGRTMIN+3. This allow systemd to run in a confined container without any modifications. +Note: On `SELinux` systems, systemd attempts to write to the cgroup +file system. Containers writing to the cgroup file system are denied by default. +The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system. + +`setsebool -P container_manage_cgroup true` + **--tmpfs**=[] Create a tmpfs mount Mount a temporary filesystem (`tmpfs`) mount into a container, for example: @@ -804,7 +810,7 @@ WantedBy=multi-user.target **/etc/subgid** ## SEE ALSO -subgid(5), subuid(5), libpod.conf(5), systemd.unit(5) +subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8) ## HISTORY October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com> diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index 8b96ea6d9..828ae96a8 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md @@ -612,6 +612,12 @@ It will also set the default stop signal to SIGRTMIN+3. This allow systemd to run in a confined container without any modifications. +Note: On `SELinux` systems, systemd attempts to write to the cgroup +file system. Containers writing to the cgroup file system are denied by default. +The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system. + +`setsebool -P container_manage_cgroup true` + **--tmpfs**=[] Create a tmpfs mount Mount a temporary filesystem (`tmpfs`) mount into a container, for example: @@ -1096,7 +1102,7 @@ WantedBy=multi-user.target **/etc/subgid** ## SEE ALSO -subgid(5), subuid(5), libpod.conf(5), systemd.unit(5) +subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8) ## HISTORY September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> diff --git a/troubleshooting.md b/troubleshooting.md index d210d85df..3f66b56ef 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -173,3 +173,21 @@ cat ~/.config/containers/storage.conf [storage.options] mount_program = "/bin/fuse-overlayfs" ``` + +### 8) Permission denied when running systemd within a Podman container + +When running systemd as PID 1 inside of a container on an SELinux +separated machine, it needs to write to the cgroup file system. + +#### Symptom + +Systemd gets permission denied when attempting to write to the cgroup file +system, and AVC messages start to show up in the audit.log file or journal on +the system. + +#### Solution + +SELinux provides a boolean `container_manage_cgroup`, which allows container +processes to write to the cgroup file system. Turn on this boolean, on SELinux separated systems, to allow systemd to run properly in the container. + +`setsebool -P container_manage_cgroup true` |