containers/container-selinux

Can't run cronjob inside container

Closed this issue · 4 comments

docker info

Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.8.1-docker)
scan: Docker Scan (Docker Inc., v0.17.0)

Server:
Containers: 2
Running: 1
Paused: 0
Stopped: 1
Images: 5
Server Version: 20.10.14
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
runc version: v1.1.2-0-ga916309
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-1062.12.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.638GiB
Name: fortisoar.localhost
ID: UY4R:6C4A:VJQ6:WHHU:5CBZ:FNIH:J4LI:ZTKY:CYGP:XNSS:AN2S:IQK7
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

rpm -qa | grep container

containerd.io-1.6.6-3.1.el7.x86_64
container-selinux-2.119.1-1.c57a6f9.el7.noarch

  1. Docker image is built from CentOS centos:7.8.2003 using packer
  2. Docker host is CentOS Linux release 7.7.1908 (Core)
  3. Kernel version is

rpm -qa | grep kernel

kernel-3.10.0-957.el7.x86_64
kernel-headers-3.10.0-1062.12.1.el7.x86_64
kernel-tools-libs-3.10.0-1062.12.1.el7.x86_64
kernel-tools-3.10.0-1062.12.1.el7.x86_64
kernel-devel-3.10.0-1062.12.1.el7.x86_64
kernel-3.10.0-1062.12.1.el7.x86_64

Inside the container, I see the logs below in /var/log/cron

Jun 20 03:27:01 localhost crond[108]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0 file_context=system_u:object_r:container_share_t:s0 (/etc/crontab)
Jun 20 03:27:01 localhost crond[108]: ((null)) SELinux in permissive mode, continuing (/etc/crontab)
Jun 20 03:27:01 localhost crond[108]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0 file_context=system_u:object_r:container_share_t:s0 (/etc/cron.d/0hourly)
Jun 20 03:27:01 localhost crond[108]: ((null)) SELinux in permissive mode, continuing (/etc/cron.d/0hourly)
Jun 20 03:27:02 localhost crond[3568]: (system) NULL security context for user, but SELinux in permissive mode, continuing ()
Jun 20 03:27:02 localhost CROND[3572]: (my-user) CMD (python /opt/my_package/bin/myscript.py --from-cron &> /dev/null)

Starting container as:
docker run -d -ti --tmpfs /tmp --tmpfs /run --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro --shm-size=2g --stop-signal SIGRTMIN+3 --stop-timeout 60 /usr/sbin/init

crond SELinux context inside container:

ps -efZ | grep crond

system_u:system_r:spc_t:s0 root 108 1 0 03:24 ? 00:00:00 /usr/sbin/crond -n

This is not an issue with container-selinux or Docker. The problem is there is an information leak into the container to attempt to do SELinux activity. If you remove the selinux-policy package from your container image, it might work correctly.

We can continue the conversation here, but I am going to close the issue.
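The following diagnostic is an added example, not code from the issue reporter or from the container-selinux project. It checks the two symptoms described above from inside a container: whether crond's log shows context mismatches on crontab files, whether the host's selinuxfs is visible to the container (the "information leak" referred to in the reply), and which SELinux type crond is running under. It assumes the cronie log format quoted in the issue, the standard /sys/fs/selinux mount point, and `ps -efZ` output in the shape shown above; the sample log and ps lines are constructed to match the issue's.

```shell
#!/bin/sh
# Added diagnostic helper; not from the issue or from container-selinux.
# Assumptions: cronie log format as quoted in the issue, selinuxfs at
# /sys/fs/selinux, and `ps -efZ` printing the context in the first column.

# Print, one per line, the crontab files crond flagged with an SELinux
# context mismatch (cronie only proceeds because it believes SELinux is
# permissive). Takes the log text as $1.
cron_selinux_rejections() {
    printf '%s\n' "$1" |
        sed -n 's/.*Unauthorized SELinux context=.* (\([^)]*\))$/\1/p' |
        LC_ALL=C sort -u
}

# Report whether selinuxfs is visible inside this container. libselinux
# decides "SELinux is enabled" from this mount, so a visible selinuxfs plus an
# installed policy package is what makes crond attempt context checks.
# Prints "leak" or "hidden". $1 overrides the mount point (used by tests).
selinuxfs_visibility() {
    dir="${1:-/sys/fs/selinux}"
    if [ -e "$dir/enforce" ]; then echo leak; else echo hidden; fi
}

# Extract the SELinux type (third field of user:role:type:level) from one
# `ps -efZ` line, e.g. "spc_t" for a process in a --privileged container.
selinux_type_of_ps_line() {
    printf '%s\n' "$1" | awk '{ split($1, ctx, ":"); print ctx[3] }'
}

# Constructed sample log, shaped like the lines posted in the issue.
SAMPLE_CRON_LOG='Jun 20 03:27:01 localhost crond[108]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0 file_context=system_u:object_r:container_share_t:s0 (/etc/crontab)
Jun 20 03:27:01 localhost crond[108]: ((null)) SELinux in permissive mode, continuing (/etc/crontab)
Jun 20 03:27:01 localhost crond[108]: ((null)) Unauthorized SELinux context=system_u:unconfined_r:unconfined_t:s0 file_context=system_u:object_r:container_share_t:s0 (/etc/cron.d/0hourly)
Jun 20 03:27:02 localhost CROND[3572]: (my-user) CMD (python /opt/my_package/bin/myscript.py --from-cron)'

# Constructed sample `ps -efZ` line, shaped like the one in the issue.
SAMPLE_PS_LINE='system_u:system_r:spc_t:s0 root 108 1 0 03:24 ? 00:00:00 /usr/sbin/crond -n'

# Stand-alone run: summarise the sample data and the live environment.
main() {
    echo "crontabs with SELinux context mismatches:"
    cron_selinux_rejections "$SAMPLE_CRON_LOG"
    echo "crond SELinux type: $(selinux_type_of_ps_line "$SAMPLE_PS_LINE")"
    echo "selinuxfs in this container: $(selinuxfs_visibility)"
    # rpm may be absent outside RPM-based images; the guard keeps this harmless.
    if rpm -q selinux-policy >/dev/null 2>&1; then
        echo "selinux-policy is installed in this image (the fix suggested above is to remove it)"
    fi
}

main
```

Run it inside the affected container (after copying /var/log/cron into a variable or swapping `SAMPLE_CRON_LOG` for `$(cat /var/log/cron)`) to confirm both conditions before removing the package; once selinux-policy is gone, or selinuxfs is no longer visible, the "Unauthorized SELinux context" lines should stop appearing.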

Thanks, it worked after removing the selinux-policy package.