From the host, xfs file system for /opt/nexus and /data/storage.
From the container, noticed that /storage is xfs but /opt/sonatype shows overlay (I’m reading up on overlay now).
[usera@hosta /]$ cat /etc/redhat-release ; podman info
Red Hat Enterprise Linux release 8.1 (Ootpa)
host:
  BuildahVersion: 1.9.0
  Conmon:
    package: podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.1-dev, commit: unknown'
  Distribution:
    distribution: '"rhel"'
    version: "8.1"
  MemFree: 260805922816
  MemTotal: 270091517952
  OCIRuntime:
    package: runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 8589930496
  SwapTotal: 8589930496
  arch: amd64
  cpus: 56
  hostname: hosta
  kernel: 4.18.0-147.5.1.el8_1.x86_64
  os: linux
  rootless: true
  uptime: 116h 31m 31.21s (Approximately 4.83 days)
registries:
  blocked: null
  insecure: null
  search:
  - hosta.XXX.enclave:8090
  - registry.redhat.io
  - registry.access.redhat.com
  - quay.io
  - docker.io
store:
  ConfigFile: /home/usera/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/usera/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 7
  RunRoot: /run/user/2229
  VolumePath: /home/usera/.local/share/containers/storage/volumes
*From:* Daniel Walsh <dwalsh(a)redhat.com>
*Sent:* Wednesday, October 6, 2021 11:05 AM
*To:* Miller, Christopher (NE) <Christopher.Miller(a)gd-ms.com>; Leon N <leon9923(a)gmail.com>
*Cc:* podman mailing list <podman(a)lists.podman.io>
*Subject:* Re: [Podman] Re: permissions issues to host filesystem when
running rootless Vs rootful and question on opening port on container/host
*External E-mail *--- CAUTION: This email originated from outside
GDMS. Do not click links or open attachments unless you recognize the
sender and know the content is safe.
What filesystem is stored on /opt and /nexus-data?
Did you install storage in a different path than /var/lib/containers/storage?
I guess attaching podman info output would help.
On 10/6/21 10:50, Christopher.Miller(a)gd-ms.com wrote:
Here is my SELinux output both from the host and container. I’m getting a lot of “?” characters on the host, when I think I should be seeing the user, role and type label defined. I’ve googled around based on those results and not finding anything.
I’ve tried to restorecon -R -v on those volumes and nothing changed.
Volume Mounts
host: /opt/nexus
container: /nexus-data
host: /data/storage
container: /storage
From the host
[usera@hosta /]$ sudo ls -alZ /opt/nexus
[sudo] password for usera:
total 24
drwxr-x--- 15 755 nexus ? 254 Oct 5 14:48 .
drwxr-xr-x. 13 nexus nexus system_u:object_r:usr_t:s0 214 Oct 4 10:13 ..
drwxr-xr-x 3 root root ? 21 Oct 4 10:37 blobs
drwxr-xr-x 323 root root ? 8192 Oct 5 14:48 cache
drwxr-xr-x 6 root root ? 113 Oct 4 10:37 db
drwxr-xr-x 3 root root ? 36 Oct 4 11:11 elasticsearch
drwxr-xr-x 3 root root ? 45 Oct 5 14:30 etc
drwxr-xr-x 2 root root ? 6 Oct 4 10:36 generated-bundles
drwxr-xr-x 2 root root ? 33 Oct 4 10:36 instances
drwxr-xr-x 3 root root ? 19 Oct 4 10:36 javaprefs
-rw-r--r-- 1 root root ? 1 Oct 5 14:48 karaf.pid
drwxr-xr-x 3 root root ? 18 Oct 4 10:37 keystores
-rw-r--r-- 1 root root ? 14 Oct 5 14:48 lock
drwxr-xr-x 4 root root ? 220 Oct 5 20:00 log
drwxr-xr-x 2 root root ? 6 Oct 4 10:37 orient
-rw-r--r-- 1 root root ? 5 Oct 5 14:48 port
drwxr-xr-x 2 root root ? 6 Oct 4 10:37 restore-from-backup
drwxr-xr-x 8 root root ? 261 Oct 5 14:48 tmp
[usera@hosta /]$ sudo ls -alZ /data/storage
total 24
drwxr-xr-x 2 200 200 ? 172 Oct 5 13:00 .
drwxr-x--- 3 nexus nexus ? 21 Aug 26 13:41 ..
-rw-r----- 1 root root ? 1992 Oct 5 13:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r--r-- 1 root root ? 6582 Oct 5 13:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root root ? 1221 Oct 5 12:42 nexus-hosta.enclave.pem
-rw-r----- 1 root root ? 2532 Oct 5 13:00 nexus-hosta_server_crt.cer
-rw-r----- 1 root root ? 1302 Oct 5 13:00 ROOTCA-CORP.cer
From the container
[root@6ca25b429eb1 /]# sestatus
bash: sestatus: command not found
[root@6ca25b429eb1 /]# whereis selinux
selinux: /etc/selinux /usr/libexec/selinux
[root@6ca25b429eb1 /]# ls -al /etc/selinux
total 4
drwxr-xr-x 1 root root 6 Oct 6 13:49 .
drwxr-xr-x 1 root root 21 Mar 4 2021 ..
-rw-r--r-- 1 root root 2425 Jun 29 2020 semanage.conf
[root@6ca25b429eb1 /]# ls -alZ /nexus-data
total 24
drwxr-x--- 15 755 1005 ? 254 Oct 5 18:48 .
drwxr-xr-x 1 root root ? 77 Oct 5 14:12 ..
drwxr-xr-x 3 root root ? 21 Oct 4 14:37 blobs
drwxr-xr-x 323 root root ? 8192 Oct 5 18:48 cache
drwxr-xr-x 6 root root ? 113 Oct 4 14:37 db
drwxr-xr-x 3 root root ? 36 Oct 4 15:11 elasticsearch
drwxr-xr-x 3 root root ? 45 Oct 5 18:30 etc
drwxr-xr-x 2 root root ? 6 Oct 4 14:36 generated-bundles
drwxr-xr-x 2 root root ? 33 Oct 4 14:36 instances
drwxr-xr-x 3 root root ? 19 Oct 4 14:36 javaprefs
-rw-r--r-- 1 root root ? 1 Oct 5 18:48 karaf.pid
drwxr-xr-x 3 root root ? 18 Oct 4 14:37 keystores
-rw-r--r-- 1 root root ? 14 Oct 5 18:48 lock
drwxr-xr-x 4 root root ? 220 Oct 6 00:00 log
drwxr-xr-x 2 root root ? 6 Oct 4 14:37 orient
-rw-r--r-- 1 root root ? 5 Oct 5 18:48 port
drwxr-xr-x 2 root root ? 6 Oct 4 14:37 restore-from-backup
drwxr-xr-x 8 root root ? 261 Oct 5 18:48 tmp
[root@6ca25b429eb1 /]# ls -laZ /storage
total 24
drwxr-xr-x 2 nexus nexus ? 172 Oct 5 17:00 .
drwxr-xr-x 1 root root ? 77 Oct 5 14:12 ..
-rw-r----- 1 root root ? 1992 Oct 5 17:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r----- 1 root root ? 1302 Oct 5 17:00 ROOTCA-CORP.cer
-rw-r--r-- 1 root root ? 6582 Oct 5 17:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root root ? 1221 Oct 5 16:42 nexus-hosta.enclave.pem
-rw-r----- 1 root root ? 2532 Oct 5 17:00 nexus-hosta_server_crt.cer
Thanks again
*From:* Leon N <leon9923(a)gmail.com>
*Sent:* Wednesday, October 6, 2021 8:29 AM
*To:* Miller, Christopher (NE) <Christopher.Miller(a)gd-ms.com>
*Cc:* dwalsh(a)redhat.com; podman mailing list <podman(a)lists.podman.io>
*Subject:* Re: [Podman] Re: permissions issues to host filesystem
when running rootless Vs rootful and question on opening port on
container/host
Hey,
These would be run on the host
You can also change the restorecon parameters to restore the contexts for the storage you mounted:
sudo restorecon -R -v <path to storage>
Doing ls -laZ on the storage you mount in the container will also give everyone here insights on the selinux contexts.
Regards,
Leon
On Wed, 6 Oct, 2021, 17:43 Christopher.Miller(a)gd-ms.com,
<Christopher.Miller(a)gd-ms.com> wrote:
Sorry I’m not clear where I want to run these commands, on the
host or the container?
thanks
*From:* Daniel Walsh <dwalsh(a)redhat.com>
*Sent:* Tuesday, October 5, 2021 7:10 PM
*To:* podman(a)lists.podman.io
*Subject:* [Podman] Re: permissions issues to host filesystem
when running rootless Vs rootful and question on opening port
on container/host
I am guessing this is an SELinux issue. Perhaps `sudo restorecon -R -v /var/lib/containers` might fix it.
You can run `sudo ausearch -m avc -ts recent` after it fails to see if SELinux is involved.
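Added example (editor's code, not from any poster in this thread and not part of Podman): the two checks the thread relies on, `ls -laZ` on the bind-mounted paths and `sudo ausearch -m avc -ts recent`, turned into small POSIX shell helpers that classify each listing line (a context of `?`, as in both listings above, means the label could not be read at all), summarise AVC denial records, and pick the next step from the results. All sample input is constructed: the ls lines are modelled on the posted /opt/nexus listing and the AVC record is invented in the standard audit format. The function names, and the assumption that a correctly labelled bind mount carries `container_file_t` (the type Podman's `:Z`/`:z` volume options assign), are the editor's, not something the thread states.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or from Podman).
# Turns the two checks the thread relies on into offline-testable helpers:
#   1. `ls -laZ <mount>`                 -> a context of "?" means the label
#                                           could not be read at all
#   2. `sudo ausearch -m avc -ts recent` -> denials show SELinux is involved
# All sample input below is constructed (modelled on the posted listings).

# classify_ls_z_line LINE
#   prints: unlabeled NAME | container-ok NAME | host-type TYPE NAME | skip
classify_ls_z_line() {
    set -f; set -- $1; set +f       # split into fields; -f stops "?" globbing
    [ "$#" -ge 10 ] || { echo "skip"; return 0; }
    ctx=$5                          # field 5 of ls -laZ is the SELinux context
    name=${10}
    case "$ctx" in
        '?')                           echo "unlabeled $name" ;;
        # assumption: the bind mount is meant to carry Podman's :Z/:z label
        *:object_r:container_file_t:*) echo "container-ok $name" ;;
        *:object_r:*)
            setype=${ctx#*:object_r:}; setype=${setype%%:*}
            echo "host-type $setype $name" ;;
        *)                             echo "skip" ;;
    esac
}

# count_unlabeled < LS_OUTPUT : number of entries whose context is "?"
count_unlabeled() {
    n=0
    while IFS= read -r line; do
        case "$(classify_ls_z_line "$line")" in
            unlabeled*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# avc_field LINE KEY : value of " KEY=..." in an audit record, "-" if absent
avc_field() {
    v=${1#*" $2="}
    [ "$v" = "$1" ] && { echo "-"; return 0; }
    echo "${v%% *}"
}

# avc_summary < AUDIT_LINES : "scontext -> tcontext tclass {perm}" per denial
avc_summary() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:  denied"*) ;;
            *) continue ;;
        esac
        perm=${line#*"denied  { "}; perm=${perm%%" }"*}
        printf '%s -> %s %s {%s}\n' \
            "$(avc_field "$line" scontext)" \
            "$(avc_field "$line" tcontext)" \
            "$(avc_field "$line" tclass)" "$perm"
    done
}

# triage LS_OUTPUT AUDIT_LINES : which of the thread's next steps applies
triage() {
    unlabeled=$(printf '%s\n' "$1" | count_unlabeled)
    denials=$(printf '%s\n' "$2" | avc_summary | wc -l | tr -d ' \t')
    if [ "$denials" -gt 0 ]; then
        echo "avc-denials:$denials"  # SELinux is blocking: relabel the mount
    elif [ "$unlabeled" -gt 0 ]; then
        echo "unlabeled:$unlabeled"  # label unreadable: check mount/restorecon
    else
        echo "labels-ok"             # SELinux not implicated by these checks
    fi
}

# Constructed samples: the ls lines mirror the posted /opt/nexus listing; the
# AVC record is invented in the standard audit format, not from any host.
SAMPLE_LS='drwxr-x--- 15 755 nexus ? 254 Oct 5 14:48 .
drwxr-xr-x. 13 nexus nexus system_u:object_r:usr_t:s0 214 Oct 4 10:13 ..
drwxr-xr-x 3 root root ? 21 Oct 4 10:37 blobs
-rw-r--r-- 1 root root ? 1 Oct 5 14:48 karaf.pid'
SAMPLE_AVC='type=AVC msg=audit(1633520000.100:900): avc:  denied  { write } for  pid=4242 comm="java" name="karaf.pid" dev="sda2" ino=1001 scontext=system_u:system_r:container_t:s0:c42,c99 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_LS" | while IFS= read -r l; do classify_ls_z_line "$l"; done
printf '%s\n' "$SAMPLE_AVC" | avc_summary
triage "$SAMPLE_LS" "$SAMPLE_AVC"
```

On a real host the same functions take live output: `sudo ls -laZ /opt/nexus | count_unlabeled` and `sudo ausearch -m avc -ts recent | avc_summary`. The three verdicts map onto the thread's advice: a denial whose tcontext is a host type such as `usr_t` means `restorecon` alone will not help, because it only resets the default host label, and the bind mount needs the `:Z` (private) or `:z` (shared) volume option instead; a `?` context with no denials points at the mount itself (the label cannot be read, so the policy never gets a chance to allow it); and `labels-ok` means the permissions problem lies outside SELinux, for example in the rootless UID mapping visible in the listings.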
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io