local-sdf-1 container won't start when selinux is enforcing
rothgar opened this issue · 0 comments
rothgar commented
What happened?
I was getting an error when running si start
Error:
0: docker api: error 500 Internal Server Error - Cannot link to a non running container: /local-sdf-1 AS /local-web-1/sdf
1: error 500 Internal Server Error - Cannot link to a non running container: /local-sdf-1 AS /local-web-1/sdf
In the container logs it says
Error:
0: file not found: /run/sdf/jwt_signing_public_key.pem
Location:
<unknown>
I verified the container mount and saw that the mount exists
"Type": "bind",
"Source": "/home/jgarr/.local/share/SI/jwt_signing_public_key.pem",
"Destination": "/run/sdf/jwt_signing_public_key.pem",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
The file exists in my home directory but I realized this machine has selinux in enforcing mode
ls -Zl /home/jgarr/.local/share/SI/jwt_signing_public_key.pem
-rw-r--r--. 1 jgarr jgarr unconfined_u:object_r:data_home_t:s0 799 Aug 16 21:43 /home/jgarr/.local/share/SI/jwt_signing_public_key.pem
I set selinux to permissive and restarted the containers and it worked
How can we reproduce this?
Run si start on a system with selinux enabled.
Operating system
Linux
Architecture
x86_64 / amd64
What browsers are you seeing the problem on?
Chrome
Code of Conduct
- I agree to follow this project's Code of Conduct
Additional context
I know the fix is to add :Z to the volume here
si/lib/si-cli/src/cmd/start.rs
Lines 387 to 389 in 7c15b74
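A check for the condition reported above, as an added example (not part of the issue and not the project's code): it flags bind mounts in `docker inspect` output that request no `z`/`Z` relabel while the source file carries a non-container SELinux type. The function names, the second mount entry, and the choice of `container_file_t` as the only accepted type are assumptions made for illustration.

```python
import json
import re

# First entry and the `ls -Z` line are the ones quoted in the report;
# the second entry is constructed to show a mount that does ask for relabeling.
INSPECT_MOUNTS = json.loads("""[
  {"Type": "bind",
   "Source": "/home/jgarr/.local/share/SI/jwt_signing_public_key.pem",
   "Destination": "/run/sdf/jwt_signing_public_key.pem",
   "Mode": "", "RW": true, "Propagation": "rprivate"},
  {"Type": "bind", "Source": "/srv/constructed/data",
   "Destination": "/data", "Mode": "ro,Z", "RW": false,
   "Propagation": "rprivate"}
]""")
LS_Z = ("-rw-r--r--. 1 jgarr jgarr unconfined_u:object_r:data_home_t:s0 799 "
        "Aug 16 21:43 /home/jgarr/.local/share/SI/jwt_signing_public_key.pem")

# Assumption: only container_file_t counts as readable by a confined
# container; local policy may permit other types.
CONTAINER_TYPES = {"container_file_t"}
# SELinux context layout: user:role:type:level
CONTEXT_RE = re.compile(r"(\w+):(\w+):(\w+):(s\d\S*)")

def selinux_type(ls_line):
    """Return the type field of the context in an `ls -Z` line, or None."""
    match = CONTEXT_RE.search(ls_line)
    return match.group(3) if match else None

def relabel_requested(mode):
    """True when the mount's option string contains z (shared) or Z (private)."""
    return any(opt in ("z", "Z") for opt in mode.split(","))

def blocked_mounts(mounts, source_types):
    """List (source, destination, type) for bind mounts likely denied under enforcing mode."""
    findings = []
    for mount in mounts:
        if mount.get("Type") != "bind" or relabel_requested(mount.get("Mode", "")):
            continue
        file_type = source_types.get(mount["Source"])
        if file_type is not None and file_type not in CONTAINER_TYPES:
            findings.append((mount["Source"], mount["Destination"], file_type))
    return findings

if __name__ == "__main__":
    types = {INSPECT_MOUNTS[0]["Source"]: selinux_type(LS_Z),
             "/srv/constructed/data": "default_t"}
    for src, dst, file_type in blocked_mounts(INSPECT_MOUNTS, types):
        print(f"{src} -> {dst}: type {file_type}, no z/Z option on the mount")
```
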