这是我用来启动容器的命令:
podman run -d --name busybox-top -v ./src:/dest:Z busybox top
错误:
Error: sd-bus call: Permission denied: OCI permission denied
我的用户主目录(该用户不是根)中没有目录.config/
。
我确实有.local/share/containers
:
drwx------. 10 jn jn 4096 Oct 8 22:16 .
drwx------. 3 jn jn 4096 Oct 8 19:42 ..
drwx------. 2 jn jn 4096 Oct 8 22:16 cache
drwx------. 2 jn jn 4096 Oct 8 19:42 libpod
drwx------. 2 jn jn 4096 Oct 8 19:42 mounts
drwx------. 9 jn jn 4096 Oct 9 17:39 overlay
drwx------. 6 jn jn 4096 Oct 9 17:39 overlay-containers
drwx------. 4 jn jn 4096 Oct 9 07:23 overlay-images
drwx------. 2 jn jn 4096 Oct 9 17:39 overlay-layers
-rw-r--r--. 1 jn jn 64 Oct 9 17:40 storage.lock
drwx------. 2 jn jn 4096 Oct 8 19:42 tmp
-rw-r--r--. 1 jn jn 0 Oct 8 19:42 userns.lock
我ls -la /run/user/1000/
有:
total 0
drwx------. 10 jn jn 220 Oct 9 17:39 .
drwxr-xr-x. 4 root root 80 Oct 9 15:42 ..
srw-rw-rw-. 1 jn jn 0 Oct 9 15:40 bus
drwx------. 2 jn jn 40 Oct 9 15:46 containers
drwx------. 2 jn jn 40 Oct 9 17:39 crun
drwx------. 3 jn jn 60 Oct 9 15:46 dbus-1
drwx------. 2 jn jn 140 Oct 9 15:40 gnupg
drwx-----T. 2 jn jn 40 Oct 9 15:46 libpod
drwxr-xr-x. 2 jn jn 40 Oct 9 17:39 netns
drwxr-xr-x. 2 jn jn 60 Oct 9 15:40 podman
drwxr-xr-x. 4 jn jn 120 Oct 9 15:40 systemd
lsb 信息:
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
系统:
systemd 247 (247.3-7+deb11u1)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
podman 版本 3.0.1
SELinux 状态:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
名称:
uname -v
#1 SMP Debian 5.10.140-1 (2022-09-02)
$XDG_RUNTIME_DIR
是空的。但我的用户似乎正在使用/run/user/1000/
。
我使用以下命令登录我的用户帐户:su --login jn
我以前也用过这个:loginctl enable-linger 1000
解决其他一些问题。
更新
为了:cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
我想知道这是否与以下情况有关:
# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
sddm xdm s0-s0 *
在 RedHat 文档中我没有看到sddm
但我确实看到了system_u
。
也许我需要使用 SELinuxsystem_u
甚至来映射 systemd 的用户user_u
。
Podman 信息:
host:
arch: amd64
buildahVersion: 1.19.6
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: 'conmon: /usr/bin/conmon'
path: /usr/bin/conmon
version: 'conmon version 2.0.25, commit: unknown'
cpus: 1
distribution:
distribution: debian
version: "11"
eventLogger: journald
hostname: localhost
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
kernel: 5.10.0-18-amd64
linkmode: dynamic
memFree: 1513025536
memTotal: 2079420416
ociRuntime:
name: crun
package: 'crun: /usr/bin/crun'
path: /usr/bin/crun
version: |-
crun version 0.17
commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux
remoteSocket:
exists: true
path: /run/user/1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
selinuxEnabled: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: 'slirp4netns: /usr/bin/slirp4netns'
version: |-
slirp4netns version 1.0.1
commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
libslirp: 4.4.0
swapFree: 536866816
swapTotal: 536866816
uptime: 14h 57m 56.81s (Approximately 0.58 days)
registries:
search:
- docker.io
- quay.io
- registry.fedoraproject.org
- registry.access.redhat.com
store:
configFile: /home/jn/.config/containers/storage.conf
containerStore:
number: 3
paused: 0
running: 0
stopped: 3
graphDriverName: overlay
graphOptions:
overlay.mount_program:
Executable: /usr/bin/fuse-overlayfs
Package: 'fuse-overlayfs: /usr/bin/fuse-overlayfs'
Version: |-
fusermount3 version: 3.10.3
fuse-overlayfs: version 1.4
FUSE library version 3.10.3
using FUSE kernel interface version 7.31
graphRoot: /home/jn/.local/share/containers/storage
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
imageStore:
number: 2
runRoot: /tmp/podman-run-1000/containers
volumePath: /home/jn/.local/share/containers/storage/volumes
version:
APIVersion: 3.0.0
Built: 0
BuiltTime: Thu Jan 1 00:00:00 1970
GitCommit: ""
GoVersion: go1.15.15
OsArch: linux/amd64
Version: 3.0.1
从journalctl
:
Oct 10 07:10:54 localhost systemd[470]: selinux: avc: denied { start } for auid=0 uid=1000 gid=1000 cmdline="podman run --rm -d --name busybox-top -v ./src:/dest:Z busybox top" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost podman[4755]: 2022-10-10 07:10:54.68733996 +0000 UTC m=+0.044280381 container create 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99 (image=docker.io/library/busybox:latest, name=busybox-top)
Oct 10 07:10:54 localhost systemd[470]: selinux: avc: denied { start } for auid=0 uid=1000 gid=1000 cmdline="podman run --rm -d --name busybox-top -v ./src:/dest:Z busybox top" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost systemd[470]: selinux: avc: denied { start } for auid=0 uid=1000 gid=1000 cmdline="/usr/bin/crun --systemd-cgroup --log-format=json --log /tmp/podman-run-1000/containers/overlay-containers/78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99/userdata/oci-log create --bundle /home/jn/.local/share/containers/storage/overlay-containers/78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99/userdata --pid-file /tmp/podman-run-1000/containers/overlay-containers/78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99/userdata/pidfile 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost systemd[470]: selinux: avc: denied { start } for auid=0 uid=1000 gid=1000 cmdline="/usr/bin/podman --root /home/jn/.local/share/containers/storage --runroot /tmp/podman-run-1000/containers --log-level warning --cgroup-manager systemd --tmpdir /tmp/run-1000/libpod/tmp --runtime crun --storage-driver overlay --storage-opt overlay.mount_program=/usr/bin/fuse-overlayfs --events-backend journald container cleanup --rm 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost podman[4778]: 2022-10-10 07:10:54.76797772 +0000 UTC m=+0.047471111 container remove 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99 (image=docker.io/library/busybox:latest, name=busybox-top)
更新2
$XDG_RUNTIME_DIR
:
jn@localhost:~$ echo $XDG_RUNTIME_DIR
/run/user/1000
$DBUS_SESSION_BUS_ADDRESS
:
jn@localhost:~$ echo $DBUS_SESSION_BUS_ADDRESS
unix:path=/run/user/1000/bus
jn@localhost:/run/user/1000$ ls -Zl
total 0
srw-rw-rw-. 1 jn jn unconfined_u:object_r:session_dbusd_runtime_t:s0 0 Oct 10 18:21 bus
drwx------. 2 jn jn unconfined_u:object_r:user_tmp_t:s0 40 Oct 10 18:25 containers
drwx------. 3 jn jn unconfined_u:object_r:user_tmp_t:s0 60 Oct 10 21:49 crun
drwx------. 3 jn jn unconfined_u:object_r:user_tmp_t:s0 60 Oct 10 18:25 dbus-1
drwx------. 2 jn jn unconfined_u:object_r:gpg_runtime_t:s0 140 Oct 10 18:21 gnupg
drwx-----T. 2 jn jn unconfined_u:object_r:user_tmp_t:s0 40 Oct 10 18:25 libpod
drwxr-xr-x. 2 jn jn unconfined_u:object_r:user_tmp_t:s0 60 Oct 10 21:49 netns
drwxr-xr-x. 2 jn jn unconfined_u:object_r:user_tmp_t:s0 60 Oct 10 18:21 podman
drwxr-xr-x. 5 jn jn unconfined_u:object_r:systemd_user_runtime_t:s0 140 Oct 10 20:53 systemd
也许我需要给予波德曼访问标签:session_dbusd_runtime_t
甚至systemd_user_runtime_t
?