I'm not sure why, but I feel like your container is using its own user, which is why it worked when you gave --user 0, since I see those files are owned by root. Any chance the user inside the container is nexus, or is it still root?

On Thu, 7 Oct, 2021, 01:36 Daniel Walsh, <dwalsh@redhat.com> wrote:
On 10/6/21 15:32, Christopher.Miller@gd-ms.com wrote:



Well… this is embarrassing and I want to be honest. Checked the host and SELinux is disabled.


# sudo semanage fcontext -a -e /var/lib/containners/storage /data/storage

ValueError: Equivalence class for /data/storage already exists


# sudo restorecon -R -v /data/storage


Still not sure why I see ? for the files/directories when using ls -alZ against them.


I guess that is what ls shows when SELinux is disabled. I never disable it... :^)

So must be some other reason your containers are blowing up.  Did you try running with --privileged?

Do they work with Docker?




From: Daniel Walsh <dwalsh@redhat.com>
Sent: Wednesday, October 6, 2021 12:46 PM
To: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>; Leon N <leon9923@gmail.com>
Cc: podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host


External E-mail --- CAUTION: This email originated from outside GDMS. Do not click links or open attachments unless you recognize the sender and know the content is safe.


On 10/6/21 12:23, Christopher.Miller@gd-ms.com wrote:


Just so I understand. 


I created a generic directory /data/storage for the Nexus container to write to.  So it sounds like the default storage for containers is /var/lib/containers/storage?  And I should be placing container storage here?



Correct.  I believe the issue you are having is in the podman storage, not inside of the container.





From: Daniel Walsh <dwalsh@redhat.com>
Sent: Wednesday, October 6, 2021 12:07 PM
To: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>; Leon N <leon9923@gmail.com>
Cc: podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host




If you move the location of storage to a different directory you need to set the SELinux labels.


# semanage fcontext -a -e /var/lib/containers/storage /storage

# restorecon -R -v /storage


Probably should add something like this to the storage.conf and to the man page.


On 10/6/21 11:28, Christopher.Miller@gd-ms.com wrote:


From the host, xfs file system for /opt/nexus and /data/storage


From the container, noticed that /storage is xfs but /opt/sonatype shows overlay (I’m reading up on overlay now)





[usera@hosta /]$ cat /etc/redhat-release ; podman info

Red Hat Enterprise Linux release 8.1 (Ootpa)

  BuildahVersion: 1.9.0

    package: podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.1-dev, commit: unknown'

    distribution: '"rhel"'
    version: "8.1"
  MemFree: 260805922816
  MemTotal: 270091517952

    package: runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 8589930496
  SwapTotal: 8589930496
  arch: amd64
  cpus: 56
  hostname: hosta
  kernel: 4.18.0-147.5.1.el8_1.x86_64
  os: linux
  rootless: true
  uptime: 116h 31m 31.21s (Approximately 4.83 days)

  blocked: null
  insecure: null

  - hosta.XXX.enclave:8090
  - registry.redhat.io
  - registry.access.redhat.com
  - quay.io
  - docker.io

  ConfigFile: /home/usera/.config/containers/storage.conf

    number: 0
  GraphDriverName: overlay

  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/usera/.local/share/containers/storage

    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"

    number: 7
  RunRoot: /run/user/2229
  VolumePath: /home/usera/.local/share/containers/storage/volumes





From: Daniel Walsh <dwalsh@redhat.com>
Sent: Wednesday, October 6, 2021 11:05 AM
To: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>; Leon N <leon9923@gmail.com>
Cc: podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host




What filesystem is /opt and /nexus-data stored on?


Did you install storage in a different path than /var/lib/containers/storage?


I guess attaching podman info output would help.


On 10/6/21 10:50, Christopher.Miller@gd-ms.com wrote:


Here is my SELinux output both from the host and container.  I’m getting a lot of “?” characters on the host, when I think I should be seeing the user, role and type label defined.  I’ve googled around based on those results and not finding anything.


I’ve tried to restorecon -R -v on those volumes and nothing changed. 





Volume Mounts

host: /opt/nexus
container: /nexus-data

host: /data/storage
container: /storage



From the host



[usera@hosta /]$ sudo ls -alZ /opt/nexus
[sudo] password for usera:
total 24
drwxr-x---   15   755 nexus ?                           254 Oct  5 14:48 .
drwxr-xr-x.  13 nexus nexus system_u:object_r:usr_t:s0  214 Oct  4 10:13 ..
drwxr-xr-x    3 root  root  ?                            21 Oct  4 10:37 blobs
drwxr-xr-x  323 root  root  ?                          8192 Oct  5 14:48 cache
drwxr-xr-x    6 root  root  ?                           113 Oct  4 10:37 db
drwxr-xr-x    3 root  root  ?                            36 Oct  4 11:11 elasticsearch
drwxr-xr-x    3 root  root  ?                            45 Oct  5 14:30 etc
drwxr-xr-x    2 root  root  ?                             6 Oct  4 10:36 generated-bundles
drwxr-xr-x    2 root  root  ?                            33 Oct  4 10:36 instances
drwxr-xr-x    3 root  root  ?                            19 Oct  4 10:36 javaprefs
-rw-r--r--    1 root  root  ?                             1 Oct  5 14:48 karaf.pid
drwxr-xr-x    3 root  root  ?                            18 Oct  4 10:37 keystores
-rw-r--r--    1 root  root  ?                            14 Oct  5 14:48 lock
drwxr-xr-x    4 root  root  ?                           220 Oct  5 20:00 log
drwxr-xr-x    2 root  root  ?                             6 Oct  4 10:37 orient
-rw-r--r--    1 root  root  ?                             5 Oct  5 14:48 port
drwxr-xr-x    2 root  root  ?                             6 Oct  4 10:37 restore-from-backup
drwxr-xr-x    8 root  root  ?                           261 Oct  5 14:48 tmp

[usera@hosta /]$ sudo ls -alZ /data/storage
total 24
drwxr-xr-x 2   200   200 ?  172 Oct  5 13:00 .
drwxr-x--- 3 nexus nexus ?   21 Aug 26 13:41 ..
-rw-r----- 1 root  root  ? 1992 Oct  5 13:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r--r-- 1 root  root  ? 6582 Oct  5 13:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root  root  ? 1221 Oct  5 12:42 nexus-hosta.enclave.pem
-rw-r----- 1 root  root  ? 2532 Oct  5 13:00 nexus-hosta_server_crt.cer
-rw-r----- 1 root  root  ? 1302 Oct  5 13:00 ROOTCA-CORP.cer



From the container


[root@6ca25b429eb1 /]# sestatus
bash: sestatus: command not found

[root@6ca25b429eb1 /]# whereis selinux
selinux: /etc/selinux /usr/libexec/selinux

[root@6ca25b429eb1 /]# ls -al /etc/selinux
total 4
drwxr-xr-x 1 root root    6 Oct  6 13:49 .
drwxr-xr-x 1 root root   21 Mar  4  2021 ..
-rw-r--r-- 1 root root 2425 Jun 29  2020 semanage.conf

[root@6ca25b429eb1 /]# ls -alZ /nexus-data
total 24
drwxr-x---  15  755 1005 ?  254 Oct  5 18:48 .
drwxr-xr-x   1 root root ?   77 Oct  5 14:12 ..
drwxr-xr-x   3 root root ?   21 Oct  4 14:37 blobs
drwxr-xr-x 323 root root ? 8192 Oct  5 18:48 cache
drwxr-xr-x   6 root root ?  113 Oct  4 14:37 db
drwxr-xr-x   3 root root ?   36 Oct  4 15:11 elasticsearch
drwxr-xr-x   3 root root ?   45 Oct  5 18:30 etc
drwxr-xr-x   2 root root ?    6 Oct  4 14:36 generated-bundles
drwxr-xr-x   2 root root ?   33 Oct  4 14:36 instances
drwxr-xr-x   3 root root ?   19 Oct  4 14:36 javaprefs
-rw-r--r--   1 root root ?    1 Oct  5 18:48 karaf.pid
drwxr-xr-x   3 root root ?   18 Oct  4 14:37 keystores
-rw-r--r--   1 root root ?   14 Oct  5 18:48 lock
drwxr-xr-x   4 root root ?  220 Oct  6 00:00 log
drwxr-xr-x   2 root root ?    6 Oct  4 14:37 orient
-rw-r--r--   1 root root ?    5 Oct  5 18:48 port
drwxr-xr-x   2 root root ?    6 Oct  4 14:37 restore-from-backup
drwxr-xr-x   8 root root ?  261 Oct  5 18:48 tmp

[root@6ca25b429eb1 /]# ls -laZ /storage
total 24
drwxr-xr-x 2 nexus nexus ?  172 Oct  5 17:00 .
drwxr-xr-x 1 root  root  ?   77 Oct  5 14:12 ..
-rw-r----- 1 root  root  ? 1992 Oct  5 17:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r----- 1 root  root  ? 1302 Oct  5 17:00 ROOTCA-CORP.cer
-rw-r--r-- 1 root  root  ? 6582 Oct  5 17:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root  root  ? 1221 Oct  5 16:42 nexus-hosta.enclave.pem
-rw-r----- 1 root  root  ? 2532 Oct  5 17:00 nexus-hosta_server_crt.cer



Thanks again



From: Leon N <leon9923@gmail.com>
Sent: Wednesday, October 6, 2021 8:29 AM
To: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>
Cc: dwalsh@redhat.com; podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host






These would be run on the host


You can also change the restorecon parameters to restore the contexts for the storage you mounted



sudo restorecon -R -v <path to storage>



ls -laZ on the storage you mount in the container will also give everyone here insights on the SELinux contexts.




On Wed, 6 Oct, 2021, 17:43 Christopher.Miller@gd-ms.com, <Christopher.Miller@gd-ms.com> wrote:


Sorry I’m not clear where I want to run these commands, on the host or the container?





From: Daniel Walsh <dwalsh@redhat.com>
Sent: Tuesday, October 5, 2021 7:10 PM
To: podman@lists.podman.io
Subject: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host


I am guessing this is an SELinux issue.  Perhaps sudo restorecon -R -v /var/lib/containers might fix it.


You can run `sudo ausearch -m avc -ts recent` after it fails to see if SELinux is involved.


Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io
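The triage this thread walks through by hand (does the "?" in the ls -alZ context column mean SELinux is disabled, or does a relocated storage directory need relabeling?) as an added script. It is not from the thread or the podman project; it assumes GNU coreutils/awk and reads /sys/fs/selinux directly, and the sample listing it parses is constructed here.

```shell
#!/bin/bash
# Added triage helper, not from this thread or the podman project. Assumes GNU
# coreutils/awk; reads /sys/fs/selinux directly, so it also works in a container
# image that lacks sestatus/getenforce (as seen in the container output above).

# Count entries in `ls -alZ` output (on stdin) whose context column is "?".
# Field 5 is the SELinux context; the "total N" header line is skipped.
count_unlabeled() {
    awk '$1 != "total" && NF >= 9 && $5 == "?" { n++ } END { print n + 0 }'
}

# Count entries carrying a real user:role:type:level context.
count_labeled() {
    awk '$1 != "total" && NF >= 9 && $5 ~ /^[^:]+:[^:]+:[^:]+:/ { n++ } END { print n + 0 }'
}

# SELinux mode of the running kernel: enforcing, permissive or disabled.
selinux_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        [ "$(cat /sys/fs/selinux/enforce)" = "1" ] && echo enforcing || echo permissive
    else
        echo disabled
    fi
}

# Interpret a listing of a host directory used as container storage.
# Args: <listing file> <selinux mode>. "?" with SELinux disabled is expected and
# means SELinux is not the failing piece; missing labels with SELinux on means the
# directory needs the fcontext equivalence from the thread plus restorecon -R.
diagnose() {
    unlabeled=$(count_unlabeled < "$1")
    if [ "$2" = disabled ]; then
        echo selinux-disabled
    elif [ "$unlabeled" -gt 0 ]; then
        echo relabel-needed
    else
        echo ok
    fi
}

# Constructed sample modelled on the /data/storage listing in the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
total 24
drwxr-xr-x 2   200   200 ?  172 Oct  5 13:00 .
drwxr-x--- 3 nexus nexus ?   21 Aug 26 13:41 ..
-rw-r----- 1 root  root  ? 1992 Oct  5 13:00 ROOTCA-CORP.cer
drwxr-xr-x. 13 nexus nexus system_u:object_r:usr_t:s0 214 Oct  4 10:13 labeled-dir
EOF
echo "selinux: $(selinux_mode); unlabeled=$(count_unlabeled < "$SAMPLE") labeled=$(count_labeled < "$SAMPLE") verdict=$(diagnose "$SAMPLE" "$(selinux_mode)")"
```

On a real host, replace the sample with `sudo ls -alZ /data/storage > listing` and pass that file to diagnose.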