Fedora: Improve Docker build environment compatibility #3737
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The problem is that in SELinux enforcing distributions, access to
`docker.sock` is restricted in containers even if DAC permissions
supposedly allow access. This causes endless log lines when invoking
`docker-compose up` similar to the following:
time="2023-09-18T04:10:56Z" level=error msg="Failed to retrieve information of the docker client and server host: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
The solution is to run the Traefik container in privileged mode. See
https://stackoverflow.com/a/30368817/1198896.
Before this patch running `ls` inside the `photoprism_1` container returned EACCES.
|
I've just pushed an additional patch since I encountered more SELinux problems. We now run the main container in privileged mode too, to work around similar problems. |
|
Are you actually running Docker on Fedora or Podman, which is more common on Red Hat-based distributions? I know Podman often requires more permissions, especially if you use ports < 1024. |
|
I started running rootless Podman. However I ran into lots of issues with that (port 80 being privileged was one, but the biggest was that there is no The bug fixed here happened with Docker running fully outside a Toolbox/Podman container. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The problem is that in SELinux enforcing distributions, access to
docker.sockis restricted in containers even if DAC permissions supposedly allow access. This causes endless log lines when invokingdocker-compose upsimilar to the following:The solution is to run the Traefik container in privileged mode. See https://stackoverflow.com/a/30368817/1198896.
Acceptance Criteria:
(I'm just checking boxes here for CI purposes even though almost all of these are N/A since this is a dev environment change.)