Setting the SELinux context label for a custom Podman graphroot directory

I want to set up a custom directory to hold the data of containers created by Podman. How do I change the directory's file type (and that of its contents) to the context type Podman uses? On a system running SELinux, every process and file carries a label that encodes security-relevant information. If you try to create a container whose data lives in a directory other than /var/lib/containers, the operation is denied.

The demonstration runs on a CentOS 8 server. Put SELinux in enforcing mode and confirm the state:

$ sudo setenforce 1
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

Install the container-tools module, which provides podman:

sudo dnf module install container-tools

Confirm that podman works as expected by running the hello-world container:

$ podman run --rm hello-world

Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Check the current container storage root settings:

$ podman info | grep -i root
  rootless: false
  GraphRoot: /var/lib/containers/storage
  RunRoot: /var/run/containers/storage

Create the custom directory that will hold the container storage:

sudo mkdir -p /data/containers

Update the storage configuration so that graphroot points at the directory created above:

$ sudo vi /etc/containers/storage.conf
# Primary Read/Write location of container storage
#graphroot = "/var/lib/containers/storage"
graphroot = "/data/containers"

Try to run a container:

# podman run --rm -it  ubuntu bash
Getting image source signatures
Copying blob 0f3630e5ff08 done
Copying blob d72e567cc804 done
Copying blob b6a83d81d1f4 done
Copying config 9140108b62 done
Writing manifest to image destination
Storing signatures
bash: error while loading shared libraries: libc.so.6: cannot change memory protections

The image pulls fine, but the container fails as soon as bash's dynamic loader maps libc:

bash: error while loading shared libraries: libc.so.6: cannot change memory protections

This is an SELinux denial rather than a broken image: the storage under /data/containers is not labelled as container storage, so SELinux refuses the memory-protection change the loader asks for. The denial is recorded in the audit log; ausearch -m AVC -ts recent shows the matching AVC record.

Give /data/containers the correct SELinux label and try again. The semanage command adds a persistent file-context equivalence, so /data/containers and everything below it receive the same labels the policy defines for /var/lib/containers, and the rule survives a future relabel (a one-off chcon would not). restorecon then applies the rule to the files already present:

sudo semanage fcontext -a -e /var/lib/containers /data/containers
sudo restorecon -R -vv /data/containers

If the semanage command is not found, install the package that provides it:

sudo yum install policycoreutils-python-utils -y

Check the SELinux context type:

$ ls -dZ /data/containers/
unconfined_u:object_r:container_var_lib_t:s0 /data/containers/

The type is now container_var_lib_t.
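The labelling and verification steps above, collected into one script as an added example (this is not code from the original tutorial). It assumes CentOS 8 or similar with SELinux enforcing, container-selinux loaded and policycoreutils-python-utils installed, root privileges for the --apply path, and a default graphroot of /var/lib/containers/storage (the path that the graphroot= setting actually replaces, so the equivalence rule targets it). The function names, the --apply flag and the AVC record in SAMPLE_AVC are all mine; the AVC line is constructed to show what ausearch reports for the "cannot change memory protections" failure.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): diagnose and fix the
# SELinux label of a custom Podman graphroot.
# Assumptions: SELinux enforcing with container-selinux loaded, semanage and
# restorecon available, root for --apply. SAMPLE_AVC is constructed.
set -eu

DEFAULT_GRAPHROOT=/var/lib/containers/storage   # the path graphroot= replaces
EXPECTED_TYPE=container_var_lib_t

# The SELinux type is the third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when the context string carries the wanted type, 1 otherwise.
has_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# From one AVC record print "<permissions> <target type>", e.g.
# "execmod default_t". A mislabelled graphroot shows up as a denial on the
# image's libc with the directory's own type, not as a readable
# "Permission denied" inside the container.
avc_summary() {
    local line=$1 perm tctx
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    printf '%s %s\n' "$perm" "$(context_type "$tctx")"
}

# Persistently map the new directory onto the default graphroot's rules and
# relabel what is already there. An equivalence rule (-e) carries over the
# policy's sub-path rules for the storage tree, which a single
# "-t container_var_lib_t" rule for the top directory would not.
relabel_graphroot() {
    local new_root=$1
    mkdir -p "$new_root"
    # semanage refuses to add a rule that already exists, so check first.
    if ! semanage fcontext -l | grep -qxF "$new_root = $DEFAULT_GRAPHROOT"; then
        semanage fcontext -a -e "$DEFAULT_GRAPHROOT" "$new_root"
    fi
    restorecon -R -v "$new_root"
}

# Fail unless the directory now carries the expected type.
verify_graphroot() {
    local new_root=$1 ctx
    ctx=$(stat -c %C "$new_root")
    if has_type "$ctx" "$EXPECTED_TYPE"; then
        echo "ok: $new_root is $ctx"
    else
        echo "wrong label on $new_root: $ctx (want $EXPECTED_TYPE)" >&2
        return 1
    fi
}

# Constructed AVC record of the kind 'ausearch -m AVC -ts recent' shows for
# the "cannot change memory protections" failure (pid, inode and layer id
# are made up).
SAMPLE_AVC='type=AVC msg=audit(1600000000.123:456): avc:  denied  { execmod } for  pid=1234 comm="bash" path="/data/containers/overlay/abc123/merged/lib/x86_64-linux-gnu/libc-2.31.so" dev="dm-0" ino=12345 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

if [ "${1:-}" = "--apply" ]; then
    relabel_graphroot "${2:-/data/containers}"
    verify_graphroot "${2:-/data/containers}"
else
    echo "sample denial: $(avc_summary "$SAMPLE_AVC")"   # execmod default_t
fi
```

Run it as root with `--apply /data/containers` to add the rule, relabel and verify; without arguments it only triages the constructed AVC record, which is useful for checking the parser against a real line copied from ausearch.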

Run the container again:

# podman run --rm -it  ubuntu bash
root@<container-id>:/# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@<container-id>:/# exit
exit

The container now starts successfully.
