vmware-archive / vsphere-storage-for-docker

vSphere Storage for Docker
https://vmware.github.io/vsphere-storage-for-docker
Apache License 2.0

permission issues with vfile shared volume when selinux is enabled #2094

Open lowshoe opened 5 years ago

lowshoe commented 5 years ago

Trying to access a vfile shared volume with SELinux enabled on the host gives a "permission denied" error:

Host Details

OS

[root@myhost ~]# hostnamectl
   Static hostname: myhostname
         Icon name: computer-vm
           Chassis: vm
        Machine ID: c50c255dc9744165a5a9055c03c786ae
           Boot ID: bddc446070d6416298236b0dc64a3fdd
    Virtualization: vmware
  Operating System: Oracle Linux Server 7.6
       CPE OS Name: cpe:/o:oracle:linux:7:6:server
            Kernel: Linux 4.14.35-1844.1.3.el7uek.x86_64
      Architecture: x86-64

SELinux

[root@myhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Docker

[root@myhost ~]# docker --version
Docker version 18.09.1-ol, build c3ab8a8

Steps to reproduce

  1. Install the vfile plugin and create a shared volume with the vfile plugin: docker volume create --driver=vfile --name=SharedVol -o size=1gb
  2. Start a container with the newly created shared volume:

    docker run --rm -it -v SharedVol:/mnt/myvol --name centos centos

[root@1800173fe001 /]# mount | grep myvol
//127.0.0.1/vfileshare on /mnt/myvol type cifs (rw,relatime,vers=3.0,cache=strict,username=vfile,domain=,uid=0,noforceuid,gid=0,noforcegid,addr=127.0.0.1,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)

[root@1800173fe001 /]# ls -lZ /mnt/
drwxr-xr-x. root root system_u:object_r:cifs_t:s0 myvol

Result

When trying to access the mounted volume inside the container I get a "permission denied" error:

[root@1800173fe001 /]# ls -l /mnt/myvol/
ls: cannot open directory /mnt/myvol/: Permission denied

These are the relevant log entries on the host:

Feb 12 14:01:20 myhost kernel: vmw_pvscsi: msg type: 0x0 - MSG RING: 25/24 (5)
Feb 12 14:01:20 myhost kernel: vmw_pvscsi: msg: device added at scsi0:1:0
Feb 12 14:01:20 myhost kernel: scsi 1:0:1:0: Direct-Access VMware Virtual disk 1.0 PQ: 0 ANSI: 2
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB)
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Write Protect is off
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Mode Sense: 61 00 00 00
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Cache data unavailable
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Assuming drive cache: write through
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: Attached scsi generic sg2 type 0
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Attached SCSI disk
Feb 12 14:01:20 myhost kernel: EXT4-fs (sdb): mounted filesystem with ordered data mode. Opts: (null)
Feb 12 14:01:20 myhost containerd[22745]: time="2019-02-12T14:01:20.556771966+01:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/d41d0c6686a06d5d53a3eb3d3a9891c066efb626feed43b70f9749706fa25f9d/shim.sock" debug=false pid=7908
Feb 12 14:01:20 myhost kernel: SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue)
Feb 12 14:01:21 myhost kernel: eth0: renamed from veth30402e9
Feb 12 14:01:21 myhost kernel: br0: port 3(veth7) entered blocking state
Feb 12 14:01:21 myhost kernel: br0: port 3(veth7) entered forwarding state
Feb 12 14:01:21 myhost kernel: eth1: renamed from vethac09d6f
Feb 12 14:01:21 myhost kernel: docker_gwbridge: port 2(vethb835037) entered blocking state
Feb 12 14:01:21 myhost kernel: docker_gwbridge: port 2(vethb835037) entered forwarding state
Feb 12 14:01:21 myhost NetworkManager[5189]: [1549976481.5088] device (vethb835037): carrier: link connected
Feb 12 14:01:22 myhost firewalld[5186]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -m ipvs --ipvs -d 10.255.0.0/16 -j SNAT --to-source 10.255.0.2' failed: iptables: No chain/target/match by that name.
Feb 12 14:01:26 myhost kernel: CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-2
Feb 12 14:01:26 myhost containerd[22745]: time="2019-02-12T14:01:26.594717105+01:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/7374022a3d91158f74e4e4a192b6c933a69e518623c015cf3ab959d1c0163052/shim.sock" debug=false pid=8103
Feb 12 14:01:26 myhost kernel: SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue)


When disabling SELinux on the host, everything is working as expected.
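The triage in the report above, pulled together as a small POSIX shell script: it reads the same three outputs the reporter collected (`sestatus`, `mount`, `ls -Z`) and flags the combination seen here, a CIFS mount labelled cifs_t while SELinux is enforcing, before anyone reaches for disabling SELinux. This is an added example, not code from the issue or the vsphere-storage-for-docker project; the sample strings are copied from the report, the function names are my own, and `diagnose_live` assumes the three commands are on the PATH.

```sh
#!/bin/sh
# Constructed samples, copied from the report above (not live data).
SAMPLE_MOUNT='//127.0.0.1/vfileshare on /mnt/myvol type cifs (rw,relatime,vers=3.0,uid=0,gid=0)'
SAMPLE_LSZ='drwxr-xr-x. root root system_u:object_r:cifs_t:s0 myvol'
SAMPLE_SESTATUS='SELinux status:                 enabled
Current mode:                   enforcing'

# mount_fstype MOUNTPOINT: read `mount` output on stdin, print the fs type of MOUNTPOINT.
mount_fstype() {
    awk -v mp="$1" '$3 == mp { for (i = 1; i < NF; i++) if ($i == "type") { print $(i + 1); exit } }'
}

# selinux_type: read `ls -lZ` or `ls -dZ` output on stdin, print the SELinux type
# (third part of the user:role:type:level context) of the first labelled entry.
selinux_type() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_0-9]+:/) { split($i, c, ":"); print c[3]; exit } }'
}

# selinux_mode: read `sestatus` output on stdin, print enforcing, permissive or disabled.
selinux_mode() {
    awk -F': *' '/^SELinux status:/ && $2 == "disabled" { print "disabled"; exit }
                 /^Current mode:/ { print $2; exit }'
}

# classify FSTYPE SELTYPE MODE: name the situation the report describes.
#   selinux-cifs-label : enforcing and the mount carries the cifs_t label (the report's failing case)
#   selinux-enforcing  : enforcing, but the label is something else; look at the AVC log instead
#   selinux-inactive   : permissive or disabled, so SELinux is not what denies access
classify() {
    if [ "$3" = "enforcing" ] && [ "$1" = "cifs" ] && [ "$2" = "cifs_t" ]; then
        echo selinux-cifs-label
    elif [ "$3" = "enforcing" ]; then
        echo selinux-enforcing
    else
        echo selinux-inactive
    fi
}

# diagnose_live MOUNTPOINT: run the three commands on this host and classify the result.
diagnose_live() {
    fstype=$(mount | mount_fstype "$1")
    seltype=$(ls -dZ "$1" 2>/dev/null | selinux_type)
    mode=$(sestatus 2>/dev/null | selinux_mode)
    echo "$1: fstype=${fstype:-?} label=${seltype:-?} selinux=${mode:-?} -> $(classify "$fstype" "$seltype" "$mode")"
}
```

Run as `sh triage.sh; diagnose_live /mnt/myvol` inside the container, or against a host mount point, to see which of the three cases you are in.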