To me, it's still root in the container.  There is a UID:GID tied to 1005, which I can't identify from the id command, nor does it have an entry under /etc/passwd or /etc/group.

 

Nexus has 200 for UID and GID within the container.

 

Thanks
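An added example, not a command from this thread: a small POSIX shell model of rootless podman's default user-namespace mapping, showing why a host owner can surface inside the container as a bare number with no /etc/passwd entry, or as the overflow id when it is outside the user's subuid range, and which host uid a container process actually writes files as. The subuid table is constructed; usera (uid 2229) and the uids 755 and 200 come from the listings further down; --userns=keep-id is not modelled.

```shell
# Added example (not the thread's commands): rootless podman's default
# user-namespace mapping. Assumptions: container uid 0 is the rootless user's
# own uid; container uids 1..count cover the /etc/subuid range
# start..start+count-1; anything else is the overflow id 65534 ("nobody").

# Constructed /etc/subuid-style entries for the sample (not real host data).
SUBUID_TABLE='usera:100000:65536
nexus:165536:65536'

# Print "start count" for a user's subuid range, or nothing if absent.
subuid_range() {
    printf '%s\n' "$SUBUID_TABLE" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# map_host_uid OWN_UID OWN_NAME HOST_UID: the uid the container sees for
# a file owned by HOST_UID on the host.
map_host_uid() {
    own_uid=$1; own_name=$2; host_uid=$3
    if [ "$host_uid" -eq "$own_uid" ]; then
        echo 0            # the rootless user's own files look root-owned
        return
    fi
    set -- $(subuid_range "$own_name")
    start=${1:-0}; count=${2:-0}
    if [ "$count" -gt 0 ] && [ "$host_uid" -ge "$start" ] \
       && [ "$host_uid" -lt $((start + count)) ]; then
        echo $((host_uid - start + 1))   # inside the subuid range
    else
        echo 65534                       # unmapped host owner: overflow uid
    fi
}

# map_container_uid OWN_UID OWN_NAME CTR_UID: the host uid a container
# process running as CTR_UID creates files as (the inverse direction).
map_container_uid() {
    own_uid=$1; own_name=$2; ctr_uid=$3
    [ "$ctr_uid" -eq 0 ] && { echo "$own_uid"; return; }
    set -- $(subuid_range "$own_name")
    start=${1:-0}; count=${2:-0}
    if [ "$count" -gt 0 ] && [ "$ctr_uid" -le "$count" ]; then
        echo $((start + ctr_uid - 1))
    else
        echo 65534
    fi
}

# usera (uid 2229, per RunRoot below): host uid 755 is unmapped; container uid 200 writes as host 100199.
map_host_uid 2229 usera 755        # → 65534
map_container_uid 2229 usera 200   # → 100199
```

On a real host, `podman unshare cat /proc/self/uid_map` prints the mapping actually in effect for the rootless user, which is the number to compare against the owners `ls -n` shows on the volume.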

From: Leon N <leon9923@gmail.com>
Sent: Wednesday, October 6, 2021 9:08 PM
To: dwalsh@redhat.com
Cc: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>; podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host

 

External E-mail --- CAUTION: This email originated from outside GDMS. Do not click links or open attachments unless you recognize the sender and know the content is safe.

 

I'm not sure why, but I feel like your container is using its own user, which is why it worked when you gave --user 0, since I see those files are owned by root. Any chance the user inside the container is nexus, or is it still root?

On Thu, 7 Oct, 2021, 01:36 Daniel Walsh, <dwalsh@redhat.com> wrote:

On 10/6/21 15:32, Christopher.Miller@gd-ms.com wrote:

Well… this is embarrassing and I want to be honest.  Checked the host and SELinux is disabled.

 

# sudo semanage fcontext -a -e /var/lib/containners/storage /data/storage

ValueError: Equivalence class for /data/storage already exists

 

# sudo restorecon -R -v /data/storage

 

Still not sure why I see ? for the files/directories when using ls -alZ against them.

 

I guess that is what ls shows when SELinux is disabled. I never disable it... :^)

So it must be some other reason your containers are blowing up.  Did you try running with --privileged?

Do they work with Docker?

From: Daniel Walsh <dwalsh@redhat.com>
Sent: Wednesday, October 6, 2021 12:46 PM
To: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>; Leon N <leon9923@gmail.com>
Cc: podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host

On 10/6/21 12:23, Christopher.Miller@gd-ms.com wrote:

 

Just so I understand. 

 

I created a generic directory /data/storage for the Nexus container to write to.  So it sounds like the default storage for containers is /var/lib/containers/storage?  And I should be placing container storage there?

 

Thanks

Correct.  I believe the issue you are having is in the podman storage, not inside of the container.

From: Daniel Walsh <dwalsh@redhat.com>
Sent: Wednesday, October 6, 2021 12:07 PM
To: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>; Leon N <leon9923@gmail.com>
Cc: podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host

If you move the location of storage to a different directory you need to set the SELinux labels.

 

# semanage fcontext -a -e /var/lib/containers/storage /storage

# restorecon -R -v /storage

 

Probably should add something like this to the storage.conf and to the man page.

 

On 10/6/21 11:28, Christopher.Miller@gd-ms.com wrote:

 

From the host, xfs file system for /opt/nexus and /data/storage

 

From the container, I noticed that /storage is xfs but /opt/sonatype shows overlay (I’m reading up on overlay now)

[usera@hosta /]$ cat /etc/redhat-release ; podman info
Red Hat Enterprise Linux release 8.1 (Ootpa)
host:
  BuildahVersion: 1.9.0
  Conmon:
    package: podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.1-dev, commit: unknown'
  Distribution:
    distribution: '"rhel"'
    version: "8.1"
  MemFree: 260805922816
  MemTotal: 270091517952
  OCIRuntime:
    package: runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 8589930496
  SwapTotal: 8589930496
  arch: amd64
  cpus: 56
  hostname: hosta
  kernel: 4.18.0-147.5.1.el8_1.x86_64
  os: linux
  rootless: true
  uptime: 116h 31m 31.21s (Approximately 4.83 days)
registries:
  blocked: null
  insecure: null
  search:
  - hosta.XXX.enclave:8090
  - registry.redhat.io
  - registry.access.redhat.com
  - quay.io
  - docker.io
store:
  ConfigFile: /home/usera/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/usera/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 7
  RunRoot: /run/user/2229
  VolumePath: /home/usera/.local/share/containers/storage/volumes

From: Daniel Walsh <dwalsh@redhat.com>
Sent: Wednesday, October 6, 2021 11:05 AM
To: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>; Leon N <leon9923@gmail.com>
Cc: podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host

What filesystem are /opt and /nexus-data stored on?

 

Did you install storage in a different path than /var/lib/containers/storage?

 

I guess attaching podman info output would help.

 

On 10/6/21 10:50, Christopher.Miller@gd-ms.com wrote:

 

Here is my SELinux output both from the host and container.  I’m getting a lot of “?” characters on the host, when I think I should be seeing the user, role and type label defined.  I’ve googled around based on those results and am not finding anything.

 

I’ve tried to restorecon -R -v on those volumes and nothing changed.

Volume Mounts
host: /opt/nexus
container: /nexus-data

host: /data/storage
container: /storage

From the host

[usera@hosta /]$ sudo ls -alZ /opt/nexus
[sudo] password for usera:
total 24
drwxr-x---   15   755 nexus ?                           254 Oct  5 14:48 .
drwxr-xr-x.  13 nexus nexus system_u:object_r:usr_t:s0  214 Oct  4 10:13 ..
drwxr-xr-x    3 root  root  ?                            21 Oct  4 10:37 blobs
drwxr-xr-x  323 root  root  ?                          8192 Oct  5 14:48 cache
drwxr-xr-x    6 root  root  ?                           113 Oct  4 10:37 db
drwxr-xr-x    3 root  root  ?                            36 Oct  4 11:11 elasticsearch
drwxr-xr-x    3 root  root  ?                            45 Oct  5 14:30 etc
drwxr-xr-x    2 root  root  ?                             6 Oct  4 10:36 generated-bundles
drwxr-xr-x    2 root  root  ?                            33 Oct  4 10:36 instances
drwxr-xr-x    3 root  root  ?                            19 Oct  4 10:36 javaprefs
-rw-r--r--    1 root  root  ?                             1 Oct  5 14:48 karaf.pid
drwxr-xr-x    3 root  root  ?                            18 Oct  4 10:37 keystores
-rw-r--r--    1 root  root  ?                            14 Oct  5 14:48 lock
drwxr-xr-x    4 root  root  ?                           220 Oct  5 20:00 log
drwxr-xr-x    2 root  root  ?                             6 Oct  4 10:37 orient
-rw-r--r--    1 root  root  ?                             5 Oct  5 14:48 port
drwxr-xr-x    2 root  root  ?                             6 Oct  4 10:37 restore-from-backup
drwxr-xr-x    8 root  root  ?                           261 Oct  5 14:48 tmp

[usera@hosta /]$ sudo ls -alZ /data/storage
total 24
drwxr-xr-x 2   200   200 ?  172 Oct  5 13:00 .
drwxr-x--- 3 nexus nexus ?   21 Aug 26 13:41 ..
-rw-r----- 1 root  root  ? 1992 Oct  5 13:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r--r-- 1 root  root  ? 6582 Oct  5 13:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root  root  ? 1221 Oct  5 12:42 nexus-hosta.enclave.pem
-rw-r----- 1 root  root  ? 2532 Oct  5 13:00 nexus-hosta_server_crt.cer
-rw-r----- 1 root  root  ? 1302 Oct  5 13:00 ROOTCA-CORP.cer

From the container

 

[root@6ca25b429eb1 /]# sestatus
bash: sestatus: command not found

[root@6ca25b429eb1 /]# whereis selinux
selinux: /etc/selinux /usr/libexec/selinux

[root@6ca25b429eb1 /]# ls -al /etc/selinux
total 4
drwxr-xr-x 1 root root    6 Oct  6 13:49 .
drwxr-xr-x 1 root root   21 Mar  4  2021 ..
-rw-r--r-- 1 root root 2425 Jun 29  2020 semanage.conf

[root@6ca25b429eb1 /]# ls -alZ /nexus-data
total 24
drwxr-x---  15  755 1005 ?  254 Oct  5 18:48 .
drwxr-xr-x   1 root root ?   77 Oct  5 14:12 ..
drwxr-xr-x   3 root root ?   21 Oct  4 14:37 blobs
drwxr-xr-x 323 root root ? 8192 Oct  5 18:48 cache
drwxr-xr-x   6 root root ?  113 Oct  4 14:37 db
drwxr-xr-x   3 root root ?   36 Oct  4 15:11 elasticsearch
drwxr-xr-x   3 root root ?   45 Oct  5 18:30 etc
drwxr-xr-x   2 root root ?    6 Oct  4 14:36 generated-bundles
drwxr-xr-x   2 root root ?   33 Oct  4 14:36 instances
drwxr-xr-x   3 root root ?   19 Oct  4 14:36 javaprefs
-rw-r--r--   1 root root ?    1 Oct  5 18:48 karaf.pid
drwxr-xr-x   3 root root ?   18 Oct  4 14:37 keystores
-rw-r--r--   1 root root ?   14 Oct  5 18:48 lock
drwxr-xr-x   4 root root ?  220 Oct  6 00:00 log
drwxr-xr-x   2 root root ?    6 Oct  4 14:37 orient
-rw-r--r--   1 root root ?    5 Oct  5 18:48 port
drwxr-xr-x   2 root root ?    6 Oct  4 14:37 restore-from-backup
drwxr-xr-x   8 root root ?  261 Oct  5 18:48 tmp

[root@6ca25b429eb1 /]# ls -laZ /storage
total 24
drwxr-xr-x 2 nexus nexus ?  172 Oct  5 17:00 .
drwxr-xr-x 1 root  root  ?   77 Oct  5 14:12 ..
-rw-r----- 1 root  root  ? 1992 Oct  5 17:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r----- 1 root  root  ? 1302 Oct  5 17:00 ROOTCA-CORP.cer
-rw-r--r-- 1 root  root  ? 6582 Oct  5 17:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root  root  ? 1221 Oct  5 16:42 nexus-hosta.enclave.pem
-rw-r----- 1 root  root  ? 2532 Oct  5 17:00 nexus-hosta_server_crt.cer

Thanks again

From: Leon N <leon9923@gmail.com>
Sent: Wednesday, October 6, 2021 8:29 AM
To: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>
Cc: dwalsh@redhat.com; podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host

Hey,

 

These would be run on the host.

You can also change the restorecon parameters to restore the contexts for the storage you mounted:

sudo restorecon -R -v <path to storage>

Doing ls -laZ on the storage you mount in the container will also give everyone here insights on the SELinux contexts.

 

Regards,

Leon

On Wed, 6 Oct, 2021, 17:43 Christopher.Miller@gd-ms.com, <Christopher.Miller@gd-ms.com> wrote:

 

Sorry, I’m not clear on where I should run these commands: on the host or in the container?

thanks

From: Daniel Walsh <dwalsh@redhat.com>
Sent: Tuesday, October 5, 2021 7:10 PM
To: podman@lists.podman.io
Subject: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host

 

I am guessing this is an SELinux issue.  Perhaps `sudo restorecon -R -v /var/lib/containers` might fix it.

You can run `sudo ausearch -m avc -ts recent` after it fails to see if SELinux is involved.

 

_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io