After seeing how to bind mount storage, you're probably wondering,
“How can I store data from a container on an NFS-mounted device?”
There are 2 ways to accomplish this properly with SELinux:
1.) There is an SELinux boolean: virt_sandbox_use_nfs
To check the status of this boolean, you can run:
getsebool virt_sandbox_use_nfs
If the status of the boolean is off, then you can turn it on by
running:
setsebool -PV virt_sandbox_use_nfs on #-P makes it persistent, -V is verbose on errors
Now run getsebool virt_sandbox_use_nfs again to verify it's now on.
When bind mounting storage from the NFS mount, drop the :z and :Z
options from your docker run command.
With the boolean on, containers can access any of the Docker host's
mounted NFS volumes that they are directed to.
2.) Setting the appropriate SELinux file context as a mount option.
This is accomplished by adding the SELinux context required for
Docker container data to the NFS mount's options in /etc/fstab.
Run vi /etc/fstab, find the appropriate NFS mount, append
context="system_u:object_r:svirt_sandbox_file_t" to the entry's
options, and save the fstab.
Unless you are running an NFS v4.2 server and an NFS v4.2 client, you
will also need to drop the :z and :Z options from your docker run
command. Only NFS v4.2 supports contexts properly and can store the
file contexts that those options set.
Method 2 is considered more secure, since it allows access to only the
one specified NFS volume rather than to all of them, as method 1 does.
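As an added example (not code from the original post), this POSIX shell script applies method 2 to an fstab-style file: it appends the post's context option to the options field of one NFS entry and leaves the entry alone if a context= option is already present. The context string is the one given above; the server path, mount point and file contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: apply method 2 by adding
# the SELinux context mount option to one NFS entry in an fstab-style
# file, without duplicating it when run again.
# Context string as given in the post (assumption: no MLS level needed).
SVIRT_CTX='context="system_u:object_r:svirt_sandbox_file_t"'

# has_svirt_context FILE MOUNTPOINT
# Exit 0 if the entry for MOUNTPOINT already carries a context= option.
has_svirt_context() {
    awk -v mnt="$2" '
        $2 == mnt && $4 ~ /(^|,)context=/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# add_svirt_context FILE MOUNTPOINT
# Rewrite the NFS entry for MOUNTPOINT (3rd field nfs or nfs4), adding
# the context option to its options (4th field). Comments, blank lines
# and non-NFS entries pass through untouched. A rewritten line is
# re-joined with single spaces, which fstab accepts.
add_svirt_context() {
    file=$1 mnt=$2
    awk -v mnt="$mnt" -v ctx="$SVIRT_CTX" '
        /^#/ || NF < 4 { print; next }
        $2 == mnt && $3 ~ /^nfs4?$/ && $4 !~ /(^|,)context=/ {
            $4 = $4 "," ctx
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
```

Run it against a copy of /etc/fstab first and diff the result before touching the real file; the host still has to remount the share for the new option to take effect.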