I like running steamcmd as a rootless docker container for my server user. But steamcmd is usually installed as a normal user under /opt/steam/steamcmd/steamcmd.sh
I created a custom steamcmd.sh that runs a docker/podman container with the steamcmd args and passes the calling user's ID into the environment.
I replaced the default entrypoint script with a custom entrypoint script, /opt/steam/steamcmd/steamcmd.docker.sh (steamuser)
When I run the container as root everything works, but when I try it with the server user I get "Error: error stat file /opt/steam/steamcmd/steamcmd.docker.sh: permission denied: OCI permission denied"
My selinux is in permissive mode on the host. So I checked the log and it gave me the following message:
Mai 06 02:13:48 host setroubleshoot[81420]: SELinux is preventing steamcmd.replace from read access on the file steamcmd.docker.sh.
If you believe that steamcmd.replac should be allowed read access on the steamcmd.docker.sh file by default.
# ausearch -c 'steamcmd.replace' --raw | audit2allow -M my-steamcmdreplace
# semodule -X 300 -i my-steamcmdreplace.pp
I generated the file, and it contains the following:
module my-steamcmdreplace 1.0;
require {
type container_t;
type etc_t;
class file entrypoint;
}
#============= container_t ==============
allow container_t etc_t:file entrypoint;
The second selinux message is
Mai 05 01:30:29 host setroubleshoot[3763945]: SELinux is preventing /bin/dash from entrypoint access on the file /usr/bin/steamcmd.replace.
If you believe that dash should be allowed entrypoint access on the steamcmd.replace file by default.
I added the module but nothing changed - so I tried using udica to generate a container policy - but it only works on a running container - so I used the container running as root.
I manually added the rule to the module generated by udica, which contains the following:
(block steamcmd
(blockinherit container)
(allow process process ( capability ( chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot )))
(allow process usr_t ( dir ( getattr ioctl lock open read search )))
(allow process usr_t ( file ( getattr ioctl lock open read )))
(allow process usr_t ( sock_file ( getattr open read )))
(allow process usr_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
(allow process usr_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
(allow process usr_t ( sock_file ( append getattr open read write )))
(allow container_t etc_t (file (entrypoint)))
)
The command to run the container as serveruser is:
podman run --network=host --dns 8.8.8.8 --security-opt label=type:steamcmd.process -t --rm --entrypoint 'steamcmd.replace' --name steamcmd -v /opt/steam/steamcmd/steamcmd.docker.sh:/usr/bin/steamcmd.replace:z -v .:/data docker.io/steamcmd/steamcmd:latest +force_install_dir /data validate
What is the cause of this?
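To see which allow rule each SELinux denial in a post like this maps to, here is an added example (not code from the post or from audit2allow/udica) that parses raw AVC audit records the way `ausearch --raw | audit2allow` does and emits the rule in both .te and CIL syntax. The two records are constructed to mirror the two setroubleshoot messages above (a container_t process denied `read` and `entrypoint` on an etc_t-labelled file); the pids, inodes and category pairs are made up.

```python
import re
from collections import defaultdict

# Constructed AVC records modelled on the two denials in the post; not real
# audit output. permissive=1 marks accesses that were logged but not blocked.
SAMPLE_AVC = """\
type=AVC msg=audit(1715000028.123:4311): avc:  denied  { read } for  pid=81419 comm="steamcmd.replace" name="steamcmd.docker.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1714908629.456:3912): avc:  denied  { entrypoint } for  pid=3763944 comm="dash" path="/usr/bin/steamcmd.replace" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)

def type_of(context):
    # user:role:type[:level]; the MCS level can contain ':' so split from the left
    return context.split(":")[2]

def parse_avc(text):
    """Group denials into (source type, target type, class) -> permissions.

    Also returns one permissive flag per parsed record, in input order."""
    rules = defaultdict(set)
    permissive = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
        permissive.append(m["permissive"] == "1")
    return dict(rules), permissive

def to_te(rules):
    """Rules in .te syntax, as audit2allow prints them."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def to_cil(rules):
    """The same rules in CIL syntax, as used inside a udica block."""
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    rules, flags = parse_avc(SAMPLE_AVC)
    print("\n".join(to_te(rules)), "\n".join(to_cil(rules)), flags, sep="\n")
```

Both records collapse into a single container_t -> etc_t file rule, which is why a hand-written CIL line naming the global types differs from the `process`-based rules udica generates for its own block.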