Open jboero opened 7 years ago
Note @johnmccabe has pointed out this works in enforcing selinux with --privileged flag.
Thanks @jboero, we'll update the docs - regarding the lack of communication in the event of failure theres some work ongoing to address that at the moment (off the back of the API version mismatch updates).
@jboero, if you get a chance, can you share the output you get with the --debug flag also set?
nvm, set it up here
[root@t7ad0yz0nuk83h6 ~]# docker run --rm -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon scan --debug
[lumogon] 2017/06/07 15:03:13.716271 [Analytics] Initializing Google Analytics: scan
[lumogon] 2017/06/07 15:03:13.716319 [Docker Adapter] Creating container runtime client: Docker
[lumogon] 2017/06/07 15:03:13.717037 [Scheduler] Creating scheduler
[lumogon] 2017/06/07 15:03:13.717075 [Docker Adapter] Creating container runtime client: Docker
[lumogon] 2017/06/07 15:03:13.717081 [Scheduler] Running
[lumogon] 2017/06/07 15:03:13.717100 [Scheduler] Creating context with timeout [60]
[lumogon] 2017/06/07 15:03:13.717349 [Analytics] Submitting event to Google Analytics
[lumogon] 2017/06/07 15:03:13.718508 [Docker Adapter] Error listing running containers: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied
[lumogon] 2017/06/07 15:03:13.718537 [Targets] Unable to list containers, error: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied
Unable to normalise target containers: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied.
Exiting...
[root@t7ad0yz0nuk83h6 ~]# docker run --rm -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon version
Client:
Version: 20170524205424-0.2.0-27-ge10ec0d
Git commit: e10ec0df4c031da28e3972915ffd868731af4ce6
Built: 2017-05-24 08:54:24 UTC
For whatever it's worth, SELinux bind mounts with Docker often work by appending the poorly-documented :z option to the target. However, -v /var/run/docker.sock:/var/run/docker.sock:z also doesn't work. Lumogon exits silently, and even turning on scan --debug results in a lack of useful information. In my case, on RHEL 7.4 with SELinux, I don't even get a "permission denied" error.
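When Lumogon exits with no useful message under enforcing SELinux, the host's audit log is where the actual reason lands. Below is an added diagnostic helper, not Lumogon's code and not from anyone in this thread: it pulls the permission, object class and contexts out of an AVC denial and says whether a `:z` relabel could even help. The classification reflects my understanding of how SELinux checks a unix socket connect (the sock_file label first, then a connectto check against the listening daemon's process domain, which `:z` does not change; `--privileged` works because the container runs unconfined). The sample AVC line is constructed for the example, not captured from the issue.

```bash
#!/bin/sh
# Added example, not part of lumogon: classify SELinux AVC denials that
# explain a silent failure to talk to /var/run/docker.sock from a container.
#
# Assumed usage on a real host (ausearch is part of audit on RHEL/Fedora):
#   ausearch -m avc -ts recent | sh avc_docker_sock.sh --stdin
# Without --stdin the script only defines functions and uses SAMPLE_AVC.

# Constructed sample line (not from the issue): a confined container process
# trying to connect to the daemon's listening socket.
SAMPLE_AVC='type=AVC msg=audit(1496847793.718:1234): avc:  denied  { connectto } for  pid=12345 comm="lumogon" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0'

# avc_field LINE KEY -> value of KEY=... in the AVC line, surrounding quotes stripped
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE -> the denied permission inside "{ ... }"
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^} ]*\).*/\1/p'
}

# explain_avc LINE -> one-word verdict:
#   socket-connect : container domain denied connectto on the daemon's socket.
#                    The target is the daemon's process domain, so relabelling
#                    the file with :z/:Z cannot fix it; --privileged (unconfined
#                    container) or a custom policy module can.
#   file-access    : denial on the sock_file itself; a :z/:Z relabel applies.
#   permissive     : logged only, not enforced (not the cause of a failure).
#   other          : unrelated denial.
explain_avc() {
  line=$1
  perm=$(avc_perm "$line")
  tclass=$(avc_field "$line" tclass)
  permissive=$(avc_field "$line" permissive)
  if [ "$permissive" = "1" ]; then
    echo permissive
    return 0
  fi
  case "$tclass:$perm" in
    unix_stream_socket:connectto) echo socket-connect ;;
    sock_file:write|sock_file:open|sock_file:getattr) echo file-access ;;
    *) echo other ;;
  esac
}

# report LINE -> human-readable summary of one denial
report() {
  printf '%s pid=%s comm=%s scontext=%s tcontext=%s\n' \
    "$(explain_avc "$1")" "$(avc_field "$1" pid)" "$(avc_field "$1" comm)" \
    "$(avc_field "$1" scontext)" "$(avc_field "$1" tcontext)"
}

# Only read real audit output when asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--stdin" ]; then
  while IFS= read -r l; do
    case "$l" in *avc:*denied*) report "$l" ;; esac
  done
fi
```

On a host where the scan fails silently, run `getenforce` and `ls -Z /var/run/docker.sock` alongside this; a `socket-connect` verdict means the `:z` workaround from the comment above is the wrong tool and the `--privileged` flag mentioned at the top of the thread (or a targeted policy module) is the relevant fix.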
No error and no output with setenforce=1 SELinux on Fedora 25. Has anybody else had success with SELinux? Targeted/enforcing mode.