docker를 통해 cassandra를 구동하는데

csql을 찾지 못해서 헤매는걸 해결하지 못함... 

일단 시간도 없고 귀찮아서 setenforce 0로 하고 다음기회에..


[링크 : https://github.com/instaclustr/cassandra-docker]


+

2019.03.22


찾아보니 이런 에러발생

type=AVC msg=audit(1553061777.728:1930): avc:  denied  { open } for  pid=23358 comm="python" path="/cql/create-keyspace.cql" dev="dm-0" ino=35212277 scontext=system_u:system_r:container_t:s0:c203,c1009 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 


이건 어떻게 해결해야 한다냐....

일단은 ll -alZ를 통해서 컨텍스를 보니 아래와 같고

tcontext의 내용과 동일하다.

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 cql/create-keyspace.cql 


centos 7에서 확인해보니 container_t 라는건 안보이고 다른걸로 이름을 지어주어야 하나..

# cat /etc/selinux/targeted/contexts/lxc_contexts

process = "system_u:system_r:svirt_lxc_net_t:s0"

content = "system_u:object_r:virt_var_lib_t:s0"

file = "system_u:object_r:svirt_sandbox_file_t:s0"

sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"

sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"

sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

[링크 : https://prefetch.net/blog/2017/09/30/using-docker-volumes-on-selinux-enabled-servers/]


검색하다 보니 이런게 있었던거 같은데..

# chcon -Rt svirt_sandbox_file_t /var/db

[링크 : https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/]


+

2019.04.29

If a file is labeled svirt_sandbox_file_t, then by default all containers can read it. But if the containers write into a directory that has svirt_sandbox_file_t ownership, they write using their own category (which in this case is "c186,c641). If you start the same container twice, it will get a new category the second time ( a different category than it had the first time). The category system isolates containers from one another. 


[링크 : https://access.redhat.com/.../docker_selinux_security_policy]

'프로그램 사용 > docker' 카테고리의 다른 글

docker-compose up/down 주의사항  (0) 2019.03.24
docker 컨테이너 자동시작  (0) 2019.03.21
docker cassandra selinux  (0) 2019.03.20
centos docker compose iptable error  (0) 2019.03.20
docker inspect  (0) 2019.02.28
docker 복원하기  (2) 2019.02.27
Posted by 구차니

댓글을 달아 주세요