unable to mount /var/run/docker.sock #585

Closed
visualex opened this issue Jul 28, 2020 · 11 comments
Comments

@visualex

visualex commented Jul 28, 2020

[core@fedor ~]$ rpm-ostree status
State: idle
Deployments:
● ostree://fedora:fedora/x86_64/coreos/testing
                   Version: 32.20200715.2.2 (2020-07-16T23:28:30Z)
                    Commit: b911874d6a927d4025c534d10c24da80d3706e1f04aa541e10e2799f34274690
              GPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0

When moving logs from containers to ELK we use logspout.
The idea is that the global service mounts the docker.sock in swarm:

volumes:
      - /var/run/docker.sock:/var/run/docker.sock

On the original CoreOS there was no issue:

core@coreos ~ $ ls -al /var/run/docker.sock
srw-rw----. 1 root docker 0 Jul 27 01:25 /var/run/docker.sock

But the same on Fedora CoreOS

[core@fedor ~]$ ls -al /var/run/docker.sock
srw-rw----. 1 root docker 0 Jul 27 01:25 /var/run/docker.sock

does not work.

The container outputs:

# logspout v3.2.6-custom by gliderlabs
# adapters: raw udp tcp multiline logstash
# options : persist:/mnt/routes
# jobs    : routes http[]:80 pump
# routes  :
#   ADAPTER		ADDRESS		CONTAINERS	SOURCES	OPTIONS
#   multiline+logstash	192.168.0.3:5000			map[]
2020/07/28 12:10:46 pump ended: Get http://unix.sock/containers/json?: dial unix /var/run/docker.sock: connect: permission denied

What permissions are required here?
Thanks

@visualex visualex changed the title from "unable to mount" to "unable to mount /var/run/docker.sock" Jul 28, 2020
@dustymabe
Member

One good first thing to check is SELinux. If you put SELinux in permissive mode (setenforce 0) does it work?

@Siosm

Siosm commented Jul 28, 2020

https://danwalsh.livejournal.com/78373.html could help here.

@visualex
Author

setenforce 0 works.
Since Docker Swarm does not have --privileged or --security-opt
flags for services, what's the best way to make sure Fedora CoreOS is started with SELinux in permissive mode?
Thanks again

@travier
Member

travier commented Jul 29, 2020

You should edit /etc/selinux/config and set SELINUX=disabled (or change it at first boot via Ignition). Permissive mode is only there for development or debug.

In your case I don't understand why you could not run the initial container with --privileged. Could you give us a few more details?

@travier
Member

travier commented Jul 29, 2020

See also the suggestions from portainer/portainer#849 & https://github.com/dpw/selinux-dockersock

@dustymabe
Member

@visualex - can we close this out? Are you unblocked?

@visualex
Author

Hi! What's the best way to do it via Ignition? Could you provide an example, please?
After that I think we can close this, yes.
Thank you!

@travier
Member

travier commented Aug 31, 2020

> What's the best way to do it via Ignition? Could you provide an example, please?

Which option did you choose? Did you get it working with SELinux?

@visualex
Author

visualex commented Sep 4, 2020

@travier yes, I used your advice here: #585 (comment)
How can I provide this in a YAML Ignition file? What's the best approach?
Thank you

@travier
Member

travier commented Sep 7, 2020

If you added the --privileged flag to a podman or docker invocation, then you should add this to the unit you're using to start the container.
If you want to disable SELinux on first boot via Ignition (not recommended; you should really try the other options first):

systemd:
  units:
  - name: kargs-setup.service
    enabled: true
    contents: |
      [Unit]
      Description=Setup additional kernel arguments on first boot
      ConditionFirstBoot=true
      Wants=basic.target
      Before=multi-user.target
      [Service]
      Type=oneshot
      ExecStart=/usr/bin/rpm-ostree kargs --append selinux=0 --reboot
      [Install]
      WantedBy=basic.target

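As an added example (not from this thread or the Fedora CoreOS project), here is the narrower alternative to booting with selinux=0 that the dpw/selinux-dockersock link above describes, delivered through Ignition: a Butane/FCCT config that writes a small SELinux CIL module and loads it once with semodule on first boot, so enforcing mode stays on and only container_t gains access to the daemon socket. The variant/version, the file path, the unit name and the SELinux type names (container_t, container_runtime_t, container_var_run_t) are assumptions; confirm the labels on the host with ls -Z /var/run/docker.sock and ps -eZ | grep dockerd before using it.

```yaml
variant: fcos
version: 1.1.0
storage:
  files:
    # Assumed path for the local policy module (Ignition writes it before first boot).
    - path: /etc/selinux/local/dockersock.cil
      mode: 0644
      contents:
        inline: |
          ; Assumed labels: containers run as container_t, dockerd runs as
          ; container_runtime_t, /var/run/docker.sock is container_var_run_t.
          ; Let container processes open the socket file ...
          (allow container_t container_var_run_t (sock_file (write)))
          ; ... and connect to the daemon listening on it.
          (allow container_t container_runtime_t (unix_stream_socket (connectto)))
systemd:
  units:
    - name: dockersock-selinux.service
      enabled: true
      contents: |
        [Unit]
        Description=Load local SELinux module granting containers access to docker.sock
        ConditionFirstBoot=true
        After=local-fs.target
        Before=docker.service
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        # semodule stores the module persistently, so one run is enough.
        ExecStart=/usr/sbin/semodule -i /etc/selinux/local/dockersock.cil
        [Install]
        WantedBy=multi-user.target
```

Note that this grants every container_t process on the host the same access the bind-mount already implies (control of the Docker daemon), so audit what else runs in that domain; confining only the logspout service to its own type would need a dedicated policy, for instance generated with udica.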
@visualex
Author

visualex commented Sep 7, 2020

Awesome, thanks!
