Access to docker.socket using SELinux in FCOS
Introduction
Hi,
For a week I have been trying to set up FCOS (Fedora CoreOS) running Docker Swarm together with SELinux (this is my first time using SELinux).
Containers run great, but when I try to use /var/run/docker.socket I always get permission denied:
portainer_agent.0.k9c6uqifwohk@localhost | 2020/03/14 13:24:11 [ERROR] [main,docker] [message: Unable to retrieve information from Docker] [error: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info: dial unix /var/run/docker.sock: connect: permission denied]
I already tried disabling SELinux (setenforce 0) to make sure the problem comes from SELinux.
Info
docker.socket
srw-rw----. 1 root docker system_u:object_r:container_var_run_t:s0 0 Mar 14 13:14 /var/run/docker.sock
Here is a docker-compose.yaml that I use to test:
version: '3.2'
services:
  agent:
    image: portainer/agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:z
      - /var/lib/docker/volumes:/var/lib/docker/volumes:z
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]
networks:
  agent_network:
    driver: overlay
    attachable: true
Thanks for your help!
Unlike CL (Container Linux), FCOS (Fedora CoreOS) ships with the SELinux "targeted" policy set to "enforced". If you expect the same behaviour as in CL, you should set "SELINUX=permissive" in /etc/selinux/config.
Here is the CL /etc/selinux/config:
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=mcs
Here is the FCOS /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
I finally got it working, using dockersock.te from this GitHub repo.
Here is the function I use in my install script:
function fix_socket_permission()
{
    echo "Downloading docker socket policy"
    # rpm-ostree layers the package, but the layered package only becomes
    # available after the next reboot
    sudo rpm-ostree install policycoreutils-python-utils
    echo "Need reboot"
    # need to reboot
    # -f makes curl fail on an HTTP error instead of saving an error page as the .te
    curl -fsSL https://raw.githubusercontent.com/dpw/selinux-dockersock/master/dockersock.te -o /tmp/dockersock.te
    echo "Applying policy to system"
    # compile the type-enforcement source into a module, package it, and load it
    checkmodule -M -m -o /tmp/dockersock.mod /tmp/dockersock.te
    semodule_package -o /tmp/dockersock.pp -m /tmp/dockersock.mod
    sudo semodule -i /tmp/dockersock.pp
    rm -f /tmp/dockersock.te /tmp/dockersock.mod /tmp/dockersock.pp
}
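As an added example (not the thread's script and not the selinux-dockersock project's code), a preflight wrapper around the same checkmodule/semodule_package/semodule steps: it checks that the socket carries the container_var_run_t label the policy targets, verifies the fetched .te against a pinned digest before compiling it into the kernel policy, and confirms the module actually loaded. The `ls -lZ` field layout and the DOCKERSOCK_TE_SHA256 placeholder are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the thread's script. Preflight and post-checks around
# loading a policy module that lets containers reach /var/run/docker.sock.
# DOCKERSOCK_TE_SHA256 is a placeholder: pin it to the digest of the
# dockersock.te revision you actually reviewed.
set -eu

DOCKERSOCK_TE_SHA256="${DOCKERSOCK_TE_SHA256:-<pinned-sha256-placeholder>}"

# Return the SELinux type (user:role:TYPE:level) from one `ls -lZ` line;
# the context is the fifth whitespace-separated field in that layout.
selinux_type_of() {
  printf '%s\n' "$1" | awk '{print $5}' | cut -d: -f3
}

# The allow rules name container_var_run_t; if the socket is labelled
# differently the module loads fine but changes nothing.
socket_label_ok() {
  [ "$(selinux_type_of "$1")" = "container_var_run_t" ]
}

# Refuse to compile a .te fetched from a moving branch unless its digest
# matches the pinned value: it ends up in the kernel policy as root.
verify_te() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Build and load the module in a private temp dir, then confirm it is present.
install_dockersock_policy() {
  work=$(mktemp -d)
  checkmodule -M -m -o "$work/dockersock.mod" "$1"
  semodule_package -o "$work/dockersock.pp" -m "$work/dockersock.mod"
  semodule -i "$work/dockersock.pp"
  rm -rf "$work"
  semodule -l | grep -q '^dockersock' || { echo "module not loaded" >&2; return 1; }
}

# Only touch the live system when asked, so the functions above can be
# sourced and exercised without root or SELinux tooling.
if [ "${1:-}" = "--apply" ]; then
  [ "$(getenforce)" = "Enforcing" ] || echo "warning: SELinux is not enforcing" >&2
  socket_label_ok "$(ls -lZ /var/run/docker.sock)" || { echo "unexpected socket label" >&2; exit 1; }
  verify_te /tmp/dockersock.te "$DOCKERSOCK_TE_SHA256" || { echo "digest mismatch, refusing" >&2; exit 1; }
  install_dockersock_policy /tmp/dockersock.te
  ausearch -m avc -ts recent 2>/dev/null | grep docker.sock || true   # any denials left?
fi
```

Run it as root with --apply once dockersock.te is in /tmp; without the flag it only defines the functions.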