Can SELinux and user namespaces not coexist in Docker?

I have the following in /etc/sysconfig/docker:

    # /etc/sysconfig/docker

    # Modify these options if you want to change the way the docker daemon runs
    OPTIONS='--selinux-enabled --userns-remap=default --log-opt=max-size=10M --log-opt=max-file=30'

    DOCKER_CERT_PATH=/etc/docker

    # Enable insecure registry communication by appending the registry URL
    # to the INSECURE_REGISTRY variable below and uncommenting it
    # INSECURE_REGISTRY='--insecure-registry '

    # On SELinux System, if you remove the --selinux-enabled option, you
    # also need to turn on the docker_transition_unconfined boolean.
    # setsebool -P docker_transition_unconfined

    # Location used for temporary files, such as those created by
    # docker load and build operations. Default is /var/lib/docker/tmp
    # Can be overriden by setting the following environment variable.
    # DOCKER_TMPDIR=/var/tmp

    # Controls the /etc/cron.daily/docker-logrotate cron job status.
    # To disable, uncomment the line below.
    # LOGROTATE=false

    # Allow creation of core dumps
    GOTRACEBACK=crash

But with this configuration I cannot run any container:

    [root@server ~]# docker run -ti hello-world
    docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:54: mounting \\\"mqueue\\\" to rootfs \\\"/var/lib/docker/231072.231072/overlay2/ac28bae7fd341860112089d08b04e54aeeb8b85304be9455c8705ff6d883c4ac/merged\\\" at \\\"/dev/mqueue\\\" caused \\\"operation not permitted\\\"\"".

But when I remove --selinux-enabled from /etc/sysconfig/docker, it works fine:

    [root@server ~]# docker run -ti hello-world
    Unable to find image 'hello-world:latest' locally
    latest: Pulling from library/hello-world
    5b0f327be733: Pull complete
    Digest: sha256:07d5f7800dfe37b8c2196c7b1c524c33808ce2e0f74e7aa00e603295ca9a0972
    Status: Downloaded newer image for hello-world:latest

    Hello from Docker!
    This message shows that your installation appears to be working correctly.

    To generate this message, Docker took the following steps:
     1. The Docker client contacted the Docker daemon.
     2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
     3. The Docker daemon created a new container from that image which runs the
        executable that produces the output you are currently reading.
     4. The Docker daemon streamed that output to the Docker client, which sent it
        to your terminal.

    To try something more ambitious, you can run an Ubuntu container with:
     $ docker run -it ubuntu bash

    Share images, automate workflows, and more with a free Docker ID:
     https://cloud.docker.com/

    For more examples and ideas, visit:
     https://docs.docker.com/engine/userguide/

Can these flags not coexist?

Docker version:

    [root@server ~]# docker -v
    Docker version 17.03.1-ce, build 276fd32

SELinux version:

    [root@server ~]# rpm -qa | grep selinux
    libselinux-python-2.5-11.el7.x86_64
    libselinux-2.5-11.el7.i686
    selinux-policy-3.13.1-166.0.2.el7_4.4.noarch
    libselinux-2.5-11.el7.x86_64
    selinux-policy-targeted-3.13.1-166.0.2.el7_4.4.noarch
    libselinux-utils-2.5-11.el7.x86_64
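As an added example (my own code, not part of the question and not a Docker tool), here is a small Python helper that turns the two pieces of evidence in the question into structured data: it parses the `OPTIONS=` line of an /etc/sysconfig/docker file to list which daemon hardening flags are set, and parses the runtime error to pull out the failing mount (source, target, reason) and the remapped UID/GID pair that the rootfs path `/var/lib/docker/231072.231072/...` reveals. That path form is what dockerd uses for its data root when `--userns-remap` is active, so seeing it confirms user-namespace remapping was in effect for the failing run. The sample strings are copied from the question; the function names and regexes are assumptions of this example, and it does not decide whether the two flags can coexist.

```python
import re
import shlex

# Constructed excerpt of the /etc/sysconfig/docker file shown in the question.
SAMPLE_SYSCONFIG = """\
# /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --userns-remap=default --log-opt=max-size=10M --log-opt=max-file=30'
DOCKER_CERT_PATH=/etc/docker
GOTRACEBACK=crash
"""

# The daemon error line from the question, verbatim (nested quoting and all).
SAMPLE_ERROR = r'''docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:54: mounting \\\"mqueue\\\" to rootfs \\\"/var/lib/docker/231072.231072/overlay2/ac28bae7fd341860112089d08b04e54aeeb8b85304be9455c8705ff6d883c4ac/merged\\\" at \\\"/dev/mqueue\\\" caused \\\"operation not permitted\\\"\"".'''


def options_from_sysconfig(text):
    """Return the (shell-unquoted) OPTIONS value from sysconfig-style content."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OPTIONS="):
            # shlex handles the surrounding single quotes like a shell would
            return " ".join(shlex.split(line[len("OPTIONS="):]))
    return ""


def parse_daemon_options(options):
    """Split a dockerd option string into {flag: [values]}.

    Boolean flags map to [True]; repeated flags such as --log-opt keep every value.
    """
    parsed = {}
    for token in shlex.split(options):
        if not token.startswith("--"):
            raise ValueError("unexpected non-flag token: %r" % token)
        name, sep, value = token[2:].partition("=")
        parsed.setdefault(name, []).append(value if sep else True)
    return parsed


def daemon_security_summary(sysconfig_text):
    """Summarise the isolation-related daemon flags found in the config."""
    flags = parse_daemon_options(options_from_sysconfig(sysconfig_text))
    return {
        "selinux_enabled": "selinux-enabled" in flags,
        "userns_remap": flags.get("userns-remap", [None])[0],
        "log_opts": dict(v.split("=", 1) for v in flags.get("log-opt", [])),
    }


# The quoting depth varies with how many layers of error wrapping the daemon
# applied, so accept one or more backslashes before each quote.
_MOUNT_RE = re.compile(
    r'mounting \\+"([^"\\]+)\\+" to rootfs \\+"([^"\\]+)\\+" '
    r'at \\+"([^"\\]+)\\+" caused \\+"([^"\\]+)\\+"'
)
# Data root of the form /var/lib/docker/<uid>.<gid>/ appears only with userns remap.
_REMAPPED_ROOT_RE = re.compile(r"/var/lib/docker/(\d+)\.(\d+)/")


def failed_mount(message):
    """Extract the mount that the OCI runtime reported as failing, or None."""
    m = _MOUNT_RE.search(message)
    if not m:
        return None
    return {"source": m.group(1), "rootfs": m.group(2),
            "target": m.group(3), "reason": m.group(4)}


def remapped_root_from_error(message):
    """Return (uid, gid) of the remapped daemon root seen in the message, or None."""
    m = _REMAPPED_ROOT_RE.search(message)
    return (int(m.group(1)), int(m.group(2))) if m else None


if __name__ == "__main__":
    print(daemon_security_summary(SAMPLE_SYSCONFIG))
    print(failed_mount(SAMPLE_ERROR))
    print(remapped_root_from_error(SAMPLE_ERROR))
```

Run against a real host's /etc/sysconfig/docker and a pasted daemon error, the three results give a reviewer the same facts the question establishes by hand: both `--selinux-enabled` and `--userns-remap=default` were set, the container's rootfs lived under the remapped 231072.231072 data root, and the first operation refused was the mqueue mount at /dev/mqueue.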