diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2019-02-05 10:04:44 -0800 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2019-02-06 05:52:39 -0800 |
commit | 1dd7bd0d0f6b581f26642e61e05984fe7eee5a7f (patch) | |
tree | b42917afd4a40d237a75ef254562b7b5451eaee1 /docs | |
parent | d321c5d942f85b56852532edfd225dcdd591f817 (diff) | |
download | podman-1dd7bd0d0f6b581f26642e61e05984fe7eee5a7f.tar.gz podman-1dd7bd0d0f6b581f26642e61e05984fe7eee5a7f.tar.bz2 podman-1dd7bd0d0f6b581f26642e61e05984fe7eee5a7f.zip |
Add documentation on running systemd on SELinux systems
Lots of users are attempting to run systemd within a container. They are
being blocked from running SELinux systems since they need the
container_manage_cgroup which is not enabled by default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'docs')
-rw-r--r-- | docs/podman-create.1.md | 8 | ||||
-rw-r--r-- | docs/podman-run.1.md | 8 |
2 files changed, 14 insertions, 2 deletions
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index 178542f0d..98b1a2a17 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -610,6 +610,12 @@ It will also set the default stop signal to SIGRTMIN+3. This allow systemd to run in a confined container without any modifications. +Note: On `SELinux` systems, systemd attempts to write to the cgroup +file system. Containers writing to the cgroup file system are denied by default. +The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system. + +`setsebool -P container_manage_cgroup true` + **--tmpfs**=[] Create a tmpfs mount Mount a temporary filesystem (`tmpfs`) mount into a container, for example: @@ -804,7 +810,7 @@ WantedBy=multi-user.target **/etc/subgid** ## SEE ALSO -subgid(5), subuid(5), libpod.conf(5), systemd.unit(5) +subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8) ## HISTORY October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com> diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index 8b96ea6d9..828ae96a8 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md @@ -612,6 +612,12 @@ It will also set the default stop signal to SIGRTMIN+3. This allow systemd to run in a confined container without any modifications. +Note: On `SELinux` systems, systemd attempts to write to the cgroup +file system. Containers writing to the cgroup file system are denied by default. +The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system. + +`setsebool -P container_manage_cgroup true` + **--tmpfs**=[] Create a tmpfs mount Mount a temporary filesystem (`tmpfs`) mount into a container, for example: @@ -1096,7 +1102,7 @@ WantedBy=multi-user.target **/etc/subgid** ## SEE ALSO -subgid(5), subuid(5), libpod.conf(5), systemd.unit(5) +subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8) ## HISTORY September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> |