
Docker and SELinux

SELinux is a double-edged sword — it makes your systems more secure, but can make development more of a pain. Here, Kris looks at a recent problem with Docker on SELinux, and his solution.


We're increasingly using Docker to build packages: a fresh chroot in which we prepare a number of packages, typically builds for Ruby (rvm), Python (virtualenv) or Node where the language ecosystem fails on us, and then FPM the whole tree into a single working artifact.

An example of such a build is my work on packaging Dashing:  https://github.com/KrisBuytaert/build-dashing

Part of that build is running the actual build script inside Docker with a local directory mounted into the container, the typical -v=/home/src/dashing-docker/package-scripts:/scripts parameter.

Earlier this week, however, I was stuck on a box where that combo did not want to work as expected. Docker clearly mounted the local volume, as it could execute the script in the directory, but for some reason it didn't want to write in the mounted volume.

$ docker run -v=/home/src/dashing-docker/package-scripts:/scripts dashing/rvm /scripts/packagervm
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
corefines: Your Ruby doesn't support refinements, so I'll fake them using plain monkey-patching (not scoped!).
/usr/local/share/gems/gems/corefines-1.9.0/lib/corefines/support/fake_refinements.rb:26: warning: Refinements are experimental, and the behavior may change in future versions of Ruby!
/usr/share/ruby/fileutils.rb:1381:in `initialize': Permission denied - rvm-1.27.0-1.x86_64.rpm (Errno::EACCES)

So what was I doing wrong? Did the Docker params change, did I invert the order of the params, did I mistype them...? I added debugging to the script (ls, chmod, etc.) and I couldn't seem to read or modify the directory. So I asked a coworker to take a look.

He did — he wondered if this wasn't SELinux.

And he was right! From my logs:

Apr 23 21:47:00 mine23.inuits.eu audit[9570]: AVC avc: denied { write } for pid=9570 comm="fpm" name="package-scripts" dev="dm-2" ino=368957 scontext=system_u:system_r:svirt_lxc_net_t:s0:c47,c929 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Apr 23 21:47:02 mine23.inuits.eu python3[9597]: SELinux is preventing fpm from write access on the directory /home/src/dashing-docker/package-scripts.

So while I was looking for errors in Docker, it was just SELinux in enforcing mode doing its job, and me not noticing. The denial says it all: the container's process domain (svirt_lxc_net_t, the scontext) tried to write to a directory labelled unlabeled_t (the tcontext), and nothing in the container policy allows that domain to write to that type, no matter what the Unix permission bits say.

The quick way to verify, obviously, was setenforce 0 and triggering the build again. That puts SELinux into permissive mode for the whole host, so it is a diagnostic step, not a long-term fix. This, however, is one:

$ semanage fcontext -a -t cgroup_t '/home/src/dashing-docker/package-scripts'
$ restorecon -v '/home/src/dashing-docker/package-scripts'

That solves the problem! Two caveats for anyone copying this: cgroup_t happens to be writable by the container domain, but it is the label meant for the cgroup filesystem, not for user data; the type SELinux intends for host directories handed to containers is svirt_sandbox_file_t (container_file_t in later policy), and Docker will apply it for you if the volume is mounted with a :z (shared) or :Z (private to that container) suffix, e.g. -v=/home/src/dashing-docker/package-scripts:/scripts:Z. Also, as written, the rule has no (/.*)? pattern and restorecon has no -R, so only the directory itself is relabelled, not files already inside it.
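The triage above (spot the AVC record, check whether the source domain is a container and whether the target label is one containers may write, then relabel) can be scripted. The following is an added example, not code from the original post or from Docker; it runs over a constructed copy of the article's AVC line plus an unrelated httpd denial, and the VOLUME/OTHER verdict names, the relabel_cmds and volume_arg helpers are this example's own. On a real host, replace the embedded sample with the output of `ausearch -m AVC -ts recent`.

```shell
#!/bin/sh
# Triage helper for SELinux denials against Docker bind mounts (added example).
# Constructed sample: the AVC record from the article plus an unrelated httpd
# denial, so the classifier has something to reject.
AVC_SAMPLE='Apr 23 21:47:00 mine23.inuits.eu audit[9570]: AVC avc: denied { write } for pid=9570 comm="fpm" name="package-scripts" dev="dm-2" ino=368957 scontext=system_u:system_r:svirt_lxc_net_t:s0:c47,c929 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Apr 23 21:48:10 mine23.inuits.eu audit[9611]: AVC avc: denied { read } for pid=9611 comm="httpd" name="index.html" dev="dm-2" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=... in an AVC record, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p'
}

# avc_perms LINE: the permissions inside "denied { ... }", comma separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | tr -s ' ' ',' | sed 's/^,//;s/,$//'
}

# se_type CONTEXT: the type field of user:role:type:level.
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Container process domains: svirt_lxc_net_t in the policy of the article's era,
# container_t in later container-selinux releases.
is_container_domain() {
    case "$1" in svirt_lxc_net_t|container_t) return 0 ;; *) return 1 ;; esac
}

# File types a container domain is allowed to write; :z/:Z apply these.
is_container_file_type() {
    case "$1" in svirt_sandbox_file_t|container_file_t) return 0 ;; *) return 1 ;; esac
}

# diagnose_avc LINE: print a verdict; return 0 only for a container domain hitting
# a target that was never labelled for containers (the bind-mount case above).
diagnose_avc() {
    sdom=$(se_type "$(avc_field "$1" scontext)")
    ttype=$(se_type "$(avc_field "$1" tcontext)")
    perms=$(avc_perms "$1")
    comm=$(avc_field "$1" comm)
    name=$(avc_field "$1" name)
    tclass=$(avc_field "$1" tclass)
    if is_container_domain "$sdom" && ! is_container_file_type "$ttype"; then
        printf 'VOLUME comm=%s perms=%s %s=%s label=%s\n' "$comm" "$perms" "$tclass" "$name" "$ttype"
        return 0
    fi
    printf 'OTHER comm=%s perms=%s %s=%s source=%s label=%s\n' "$comm" "$perms" "$tclass" "$name" "$sdom" "$ttype"
    return 1
}

# count_volume_denials: number of VOLUME verdicts in AVC_SAMPLE.
count_volume_denials() {
    printf '%s\n' "$AVC_SAMPLE" | grep 'avc: *denied' | while IFS= read -r line; do
        diagnose_avc "$line" || true
    done | grep -c '^VOLUME'
}

# relabel_cmds HOST_PATH: commands that label a host directory and everything
# under it for container access, the targeted alternative to cgroup_t.
relabel_cmds() {
    printf "semanage fcontext -a -t svirt_sandbox_file_t '%s(/.*)?'\n" "$1"
    printf "restorecon -Rv '%s'\n" "$1"
}

# volume_arg HOST_PATH CTR_PATH: the -v argument with :Z, so Docker relabels the
# directory with a label private to this one container instead of you doing it by hand.
volume_arg() {
    printf '%s=%s:%s:Z\n' -v "$1" "$2"
}

# Demo run over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | grep 'avc: *denied' | while IFS= read -r line; do
    diagnose_avc "$line" || true
done
echo "volume denials: $(count_volume_denials)"
relabel_cmds /home/src/dashing-docker/package-scripts
echo "docker run $(volume_arg /home/src/dashing-docker/package-scripts /scripts) dashing/rvm /scripts/packagervm"
```

The classifier deliberately keys on the SELinux types rather than on the process name, because the same denial shows up as comm="fpm", "ruby", "python" or whatever the build script happens to exec; the httpd line is left as OTHER so the script does not recommend a container relabel for a denial that has nothing to do with Docker.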


Topics:
docker ,selinux

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.
