author | Daniel J Walsh <dwalsh@redhat.com> | 2019-03-07 14:42:36 -0500 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2019-03-08 16:07:59 -0500 |
commit | 550f9b1f6f0311034fbc265257e196dfc9e52b61 (patch) | |
tree | 5cfeba4a8dc4bbdc4575cb87a93fa5958acf48b4 | |
parent | 008aaf7468bf6987a5b6c0b9eb63cf9a2972f7d1 (diff) | |
Add troubleshooting information about SELinux labeling of containers/storage
We have some bug reports about people moving containers storage to new
directories and this troubleshooter should help them fix this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r-- | troubleshooting.md | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/troubleshooting.md b/troubleshooting.md index 24a1dc6cb..33434cdbb 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -254,3 +254,42 @@ grep johndoe /etc/subuid /etc/subgid /etc/subuid:johndoe:200000:1001 /etc/subgid:johndoe:200000:1001 ``` + +### 11) Changing the location of the Graphroot leads to permission denied + +When I change the graphroot storage location in storage.conf, the next time I +run podman I get an error like: + +``` +# podman run -p 5000:5000 -it centos bash + +bash: error while loading shared libraries: /lib64/libc.so.6: cannot apply additional memory protection after relocation: Permission denied +``` + +For example, the admin sets up a spare disk to be mounted at `/src/containers`, +and points storage.conf at this directory. + + +#### Symptom + +SELinux blocks containers from using random locations for overlay storage. +These directories need to be labeled with the same labels as if the content was +under /var/lib/containers/storage. + +#### Solution + +Tell SELinux about the new containers storage by setting up an equivalence record. +This tells SELinux to label content under the new path, as if it was stored +under `/var/lib/containers/storage`. + +``` +semanage fcontext -a -e /var/lib/containers /srv/containers +restorecon -R -v /src/containers +``` + +The semanage command above tells SELinux to setup the default labeling of +`/srv/containers` to match `/var/lib/containers`. The `restorecon` command +tells SELinux to apply the labels to the actual content. + +Now all new content created in these directories will automatically be created +with the correct label. |
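Review bot: the paths in the new section 11 do not agree with each other, so the fix as written will not work if copied. The mount example and the `restorecon -R -v /src/containers` line use `/src/containers`, while the `semanage fcontext -a -e /var/lib/containers /srv/containers` line and the explanatory sentence use `/srv/containers`; with that typo, restorecon relabels a directory that has no equivalence rule and nothing changes. Pick one path (the spare-disk example reads as `/srv`) and use it in the sentence, the semanage line and the restorecon line. A second inconsistency: the prose says content should be labeled "as if it was stored under `/var/lib/containers/storage`", but the equivalence target on the semanage line is `/var/lib/containers`. Since graphroot replaces `/var/lib/containers/storage`, either make the command `semanage fcontext -a -e /var/lib/containers/storage /srv/containers` or change the prose to say `/var/lib/containers`; the two must match or readers will get a different label set than described. Minor: the "Symptom" subsection describes the cause (SELinux policy restricting overlay storage locations) rather than a symptom; the error output quoted above it is the symptom, so consider renaming that subsection to "Cause" to match the Symptom/Solution pattern used elsewhere in this file.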