Add documentation on running systemd on SELinux systems #2269
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: rhatdan
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@TomSweeneyRedHat PTAL
docs/podman-create.1.md
Outdated
| @@ -610,6 +610,13 @@ It will also set the default stop signal to SIGRTMIN+3. | |||
|
|
|||
| This allow systemd to run in a confined container without any modifications. | |||
|
|
|||
| Note: On `SELinux` systems, systemd attempts to write to the cgroup | |||
| file system. Containers writing to the cgroup file system is denied by default. | |||
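Review bot: the unchanged context line "This allow systemd to run in a confined container without any modifications." has a subject-verb error ("This allows") and this paragraph edit is the natural place to fix it; the same line sits in the docs/podman-run.1.md hunk, so fix both. In the added note, the backticks around `SELinux` are out of place because it is a product name rather than a command or identifier; the boolean name that follows in this paragraph is the thing that warrants code formatting.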
s/is denied/are denied/
Fixed
docs/podman-create.1.md
Outdated
| @@ -610,6 +610,13 @@ It will also set the default stop signal to SIGRTMIN+3. | |||
|
|
|||
| This allow systemd to run in a confined container without any modifications. | |||
|
|
|||
| Note: On `SELinux` systems, systemd attempts to write to the cgroup | |||
| file system. Containers writing to the cgroup file system is denied by default. | |||
| You need to turn on the container_manage_cgroup boolean, on SELinux separated | |||
Suggest: "To allow systemd to have access, use the setsebool utility to set the 'container_manage_cgroup' variable to 1."
Fixed.
docs/podman-create.1.md
Outdated
| You need to turn on the container_manage_cgroup boolean, on SELinux separated | ||
| system, to allow this access. | ||
|
|
||
| `setsebool -P container_manage_cgroup 1` |
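Review bot: the added line `setsebool -P container_manage_cgroup 1` should say what the flag and the boolean affect: -P makes the change persistent across reboots (without it the boolean reverts at the next boot), and an SELinux boolean is host-wide, so enabling it loosens confinement for every container on the host, not only the one running systemd. A sentence such as "This change applies to all containers on the host and persists across reboots" before the command would let readers weigh that trade-off before running it.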
Probably ought to add setsebool (8) to our list of man pages at the bottom of this and any other page referencing it.
Added
| system, to allow this access. | ||
|
|
||
| `setsebool -P container_manage_cgroup 1` | ||
|
|
See prior comments please.
Fixed
troubleshooting.md
Outdated
|
|
||
| #### Symptom | ||
|
|
||
| Systemd getse permission denied when attempting to write to the cgroup file |
s/getse/gets/
Fixed
troubleshooting.md
Outdated
| SELinux provides a Boolean, `container_manage_cgroup`, that allows container | ||
| processes to write to the cgroup file system. You need to turn on this boolean, on SELinux separated systems. | ||
|
|
||
| `setsebool -P container_manage_cgroup 1` |
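Review bot: capitalization is inconsistent within the added paragraph: "SELinux provides a Boolean, `container_manage_cgroup`" on the first line versus "You need to turn on this boolean" on the next; pick one form (the man page hunks in this PR use lowercase "boolean"). "On SELinux separated systems" is also undefined for a troubleshooting reader; spelling out what "separated" means here, or replacing it with plain wording such as "on hosts where SELinux confines containers", would make it clear who actually hits this denial.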
I find it's strange that this is a bool that gets set to 1 and not true. But shrug.
True will work.
These all work
sh-4.4# setsebool -P container_manage_cgroup true
sh-4.4# setsebool -P container_manage_cgroup on
sh-4.4# setsebool -P container_manage_cgroup 1
Just typing 1 is the easiest. :^)
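The `setsebool` value forms listed above are equivalent. As an added example (not code from the podman project or from this PR), the POSIX shell script below is a pre-flight check a host administrator could run before deploying a systemd container: it normalizes the value forms `setsebool` accepts, parses `getsebool` output, and reports whether `container_manage_cgroup` is on, printing the PR's remediation command rather than executing it. The `getsebool` output is a constructed sample embedded inline so the script runs offline; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the podman PR. Offline pre-flight check for the
# container_manage_cgroup SELinux boolean. On a real host, replace the
# constructed sample below with: getsebool container_manage_cgroup

# Normalize the values setsebool accepts (true/on/1, false/off/0) to on/off.
# Anything else returns 1 so a typo does not silently pass as a valid state.
normalize_bool() {
    case "$1" in
        1|on|true)   echo on ;;
        0|off|false) echo off ;;
        *) return 1 ;;
    esac
}

# Parse getsebool output ("<name> --> <state>", one boolean per line) and print
# the state of the boolean named in $1. Returns 1 if the boolean is not listed.
bool_state() {
    printf '%s\n' "$2" | awk -v name="$1" \
        '$1 == name && $2 == "-->" { print $3; found = 1 } END { exit !found }'
}

# Constructed sample standing in for `getsebool -a | grep container_`.
SAMPLE_GETSEBOOL='container_manage_cgroup --> off
container_use_devices --> off'

# Report whether SELinux policy would block systemd's cgroup writes and, if so,
# print the remediation from the PR. Exit status: 0 = on, 1 = off, 2 = unknown.
check_cgroup_boolean() {
    state=$(bool_state container_manage_cgroup "$1") || {
        echo "container_manage_cgroup: boolean not present in getsebool output"
        return 2
    }
    state=$(normalize_bool "$state") || {
        echo "container_manage_cgroup: unexpected state '$state'"
        return 2
    }
    if [ "$state" = on ]; then
        echo "container_manage_cgroup is on: confined containers may write to the cgroup fs"
        return 0
    fi
    echo "container_manage_cgroup is off: systemd in a confined container will be denied cgroup fs writes"
    echo "remediation (host-wide, persistent): setsebool -P container_manage_cgroup 1"
    return 1
}

check_cgroup_boolean "$SAMPLE_GETSEBOOL"
echo "check exit status: $?"
```

The script never calls `setsebool` itself; it only tells the operator what state the host is in and which command the documentation prescribes, so it can be run by an unprivileged user or from a CI job that audits host configuration.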
/retest
661721f to da86c52
@TomSweeneyRedHat Reworked to remove the
docs/podman-create.1.md
Outdated
| @@ -610,6 +610,12 @@ It will also set the default stop signal to SIGRTMIN+3. | |||
|
|
|||
| This allow systemd to run in a confined container without any modifications. | |||
|
|
|||
| Note: On `SELinux` systems, systemd attempts to write to the cgroup | |||
| file system. Containers writing to the cgroup file system are denied by default. | |||
| The `container_manage_cgroup` boolean must be enabled for this to be allowed on SELinux separated system. | |||
nit of 'a' nit: s/on SELinux separated/on a SELinux separated/
Fixed to allowed on an SELinux...
docs/podman-run.1.md
Outdated
| @@ -612,6 +612,12 @@ It will also set the default stop signal to SIGRTMIN+3. | |||
|
|
|||
| This allow systemd to run in a confined container without any modifications. | |||
|
|
|||
| Note: On `SELinux` systems, systemd attempts to write to the cgroup | |||
| file system. Containers writing to the cgroup file system are denied by default. | |||
| The `container_manage_cgroup` boolean must be enabled for this to be allowed on SELinux separated system. | |||
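Review bot: the added note is word-for-word the same as the one in the docs/podman-create.1.md hunk, so the two copies need to move together: the "on SELinux separated system" article fix requested on the create page applies here as well, and any later rewording should land in both files in the same commit. The visible lines name the boolean but not how to enable it; if the rest of this hunk does not carry the command, point readers at the troubleshooting.md entry added in this PR, which does.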
nit 'a' here too.
Fixed to allowed on an SELinux...
troubleshooting.md
Outdated
| #### Solution | ||
|
|
||
| SELinux provides a boolean, `container_manage_cgroup`, which allows container | ||
| processes to write to the cgroup file system. Turn on this boolean, on SELinux separated systems, to allow systemd to run properlay in the container. |
I don't think you need the first comma after 'boolean', but regardless, please change 'properlay' to 'properly' (I think I found your missing 'a'!)
Fixed
Lots of users are attempting to run systemd within a container. They are being blocked from running SELinux systems since they need the container_manage_cgroup which is not enabled by default. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
LGTM
/retest
@giuseppe @umohnani8 @mheon @baude @vrothberg Someone please give us a /lgtm
/lgtm