Cannot mount collection directory under SELinux (Fedora)
arjenpdevries opened this issue
docker.errors.APIError: 400 Client Error: Bad Request ("OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:424: container init caused \"rootfs_linux.go:58: mounting \\\"/run/media/arjen/a-drive/data/TREC\\\" to rootfs \\\"/var/lib/docker/296608.296608/overlay2/ffaf10b0699ae25141b9d69c7510d48ef186596a35485bf40d2ba6ba105983ba/merged\\\" at \\\"/input/collections/robust04\\\" caused \\\"stat /run/media/arjen/a-drive/data/TREC: permission denied\\\"\"": unknown")
but
[arjen@apc jig]$ stat /run/media/arjen/a-drive/data/TREC
File: /run/media/arjen/a-drive/data/TREC
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 831h/2097d Inode: 296747010 Links: 10
Access: (0755/drwxr-xr-x) Uid: ( 1000/ arjen) Gid: ( 1004/ ir)
Context: unconfined_u:object_r:unlabeled_t:s0
Access: 2019-06-14 08:36:21.721380207 +0200
Modify: 2019-05-23 14:31:43.594185235 +0200
Change: 2019-05-23 14:31:43.594185235 +0200
Birth: -
I guess it is an SELinux-caused problem due to a missing trailing :z or :Z in the docker volume mount command?
Explored a little more, but today is the wrong day for more work on this issue.
It is clear that SELinux is the culprit causing the error.
I have not resolved the problem yet, but can diagnose - not sure that the jig code has to be adapted.
This works:
docker run --rm -it --name devtest -v /export/data:/data:z busybox
This does not:
docker run --rm -it --name devtest -v /run/media/arjen/a-drive:/data:z busybox
Apparently, the auto-mounted drive with the collection has different settings, maybe need a chcon command, TBD.
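An added example for the comparison described above, not part of the original issue or of the jig code: it walks a bind-mount source path from / downwards and reports each component's SELinux type, so the directory where the labels turn into `unlabeled_t` stands out. The function names are hypothetical, and every label in `SAMPLE` is constructed except the `TREC` context, which is the one in the `stat` output above.

```python
import os

# Constructed sample labels for offline use; only the last context is from the post.
SAMPLE = {
    "/": "system_u:object_r:root_t:s0",
    "/run": "system_u:object_r:var_run_t:s0",
    "/run/media": "system_u:object_r:mnt_t:s0",
    "/run/media/arjen": "system_u:object_r:mnt_t:s0",
    "/run/media/arjen/a-drive": "system_u:object_r:unlabeled_t:s0",
    "/run/media/arjen/a-drive/data": "system_u:object_r:unlabeled_t:s0",
    "/run/media/arjen/a-drive/data/TREC": "unconfined_u:object_r:unlabeled_t:s0",
}

def selinux_type(context):
    """Type field of 'user:role:type:level'; the level may itself contain ':'."""
    fields = context.rstrip("\x00\n").split(":", 3)
    if len(fields) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return fields[2]

def read_context(path):
    """Live lookup: the label the kernel reports in the security.selinux xattr."""
    return os.getxattr(path, "security.selinux").decode()

def label_trail(path, get_context=read_context):
    """Return [(component, type)] for every directory from / down to path."""
    trail, current = [], "/"
    for name in [""] + [p for p in os.path.abspath(path).split("/") if p]:
        current = os.path.join(current, name)
        trail.append((current, selinux_type(get_context(current))))
    return trail

def first_unlabeled(path, get_context=read_context):
    """Shallowest component typed unlabeled_t, or None if none is."""
    for component, setype in label_trail(path, get_context):
        if setype == "unlabeled_t":
            return component
    return None

if __name__ == "__main__":
    target = "/run/media/arjen/a-drive/data/TREC"
    # Uses the constructed SAMPLE; drop the second argument to query the live system.
    for component, setype in label_trail(target, SAMPLE.__getitem__):
        print(f"{setype:<14} {component}")
    print("unlabeled from:", first_unlabeled(target, SAMPLE.__getitem__))
```

Called without the second argument on an SELinux host, the same functions read the live labels, which allows a side-by-side check of the two `-v` source paths tried above.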