author: Daniel J Walsh <dwalsh@redhat.com> 2019-02-05 10:04:44 -0800
committer: Daniel J Walsh <dwalsh@redhat.com> 2019-02-06 05:52:39 -0800
commit: 1dd7bd0d0f6b581f26642e61e05984fe7eee5a7f
tree: b42917afd4a40d237a75ef254562b7b5451eaee1 /docs
parent: d321c5d942f85b56852532edfd225dcdd591f817
Add documentation on running systemd on SELinux systems
Lots of users are attempting to run systemd within a container. They are being blocked from running on SELinux systems since they need the container_manage_cgroup which is not enabled by default.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'docs')
-rw-r--r-- docs/podman-create.1.md | 8
-rw-r--r-- docs/podman-run.1.md | 8
2 files changed, 14 insertions, 2 deletions
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 178542f0d..98b1a2a17 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -610,6 +610,12 @@ It will also set the default stop signal to SIGRTMIN+3.
This allow systemd to run in a confined container without any modifications.
+Note: On `SELinux` systems, systemd attempts to write to the cgroup
+file system. Containers writing to the cgroup file system are denied by default.
+The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system.
+
+`setsebool -P container_manage_cgroup true`
+
**--tmpfs**=[] Create a tmpfs mount
Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
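Review bot: the added note tells the reader to run `setsebool -P container_manage_cgroup true` without saying what that change covers: an SELinux boolean is host-wide, so once it is enabled every container on the host, not only the one running systemd, is allowed to write to the cgroup file system, and `-P` makes the setting persist across reboots. Suggest stating both points in the note and showing how to inspect the current value first (`getsebool container_manage_cgroup`). Two wording points in the same lines: `SELinux` is not a command or identifier, so the backticks around it should go, and "on an SELinux separated system" would read better as "on a system with SELinux enforcing". While here, the unchanged context line directly above the note still reads "This allow systemd"; it should be "This allows systemd".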
@@ -804,7 +810,7 @@ WantedBy=multi-user.target
**/etc/subgid**
## SEE ALSO
-subgid(5), subuid(5), libpod.conf(5), systemd.unit(5)
+subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
## HISTORY
October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com>
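Review bot: since the new note above asks readers to change a boolean, `getsebool(8)` belongs next to `setsebool(8)` in this SEE ALSO line so they can check the current value before altering it.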
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 8b96ea6d9..828ae96a8 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -612,6 +612,12 @@ It will also set the default stop signal to SIGRTMIN+3.
This allow systemd to run in a confined container without any modifications.
+Note: On `SELinux` systems, systemd attempts to write to the cgroup
+file system. Containers writing to the cgroup file system are denied by default.
+The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system.
+
+`setsebool -P container_manage_cgroup true`
+
**--tmpfs**=[] Create a tmpfs mount
Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
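Review bot: this note is a verbatim copy of the one added to podman-create.1.md, so the same comments apply and the two should be kept in sync if either is reworded: state that the `container_manage_cgroup` boolean is host-wide (it permits cgroup file system writes from every container on the host, not only the systemd one) and that `-P` persists the change across reboots, mention `getsebool container_manage_cgroup` for checking the current value, drop the backticks around `SELinux`, and replace "on an SELinux separated system" with "on a system with SELinux enforcing". The context line "This allow systemd" above the note has the same typo as in podman-create.1.md.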
@@ -1096,7 +1102,7 @@ WantedBy=multi-user.target
**/etc/subgid**
## SEE ALSO
-subgid(5), subuid(5), libpod.conf(5), systemd.unit(5)
+subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
## HISTORY
September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
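Review bot: as in podman-create.1.md, `getsebool(8)` should accompany `setsebool(8)` here, since the note this commit adds has readers query and then change an SELinux boolean.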