问题
podman运行镜像,端口映射、卷映射无误,但在运行访问测试容器内http接口报错403.
查阅系统日志,存在多处容器相关的selinux访问被拒绝错误,sealert提示需要为几个进程的对象添加临时规则。
考虑是否为selinux问题,禁用se后解决,启用se后复现。
容器运行时增加--pivileged选项也可正常运行无报错。
分析
根据podman手册解释,在进行卷映射时,podman默认不更改宿主机的卷及文件的安全上下文标签,从而将导致容器访问宿主机文件时被se拦截报错。
解决
-v 路径后增加:Z 标签,手动指定podman更改宿主机的卷及文件的安全上下文标签
bash
podman run -v host-dir:container-dir:Z
参考链接
Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, Podman does not change the labels set by the OS.
To change a label in the container context, add either of two suffixes :z or :Z to the volume mount. These suffixes tell Podman to relabel file objects on the shared volumes. The z option tells Podman that two or more containers share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Podman to label the content with a private unshared label Only the current container can use a private volume. Relabeling walks the file system under the volume and changes the label on each file, if the volume has thousands of inodes, this process takes a long time, delaying the start of the container. If the volume was previously relabeled with the
z
option, Podman is optimized to not relabel a second time. If files are moved into the volume, then the labels can be manually change with thechcon -R container_file_t PATH
command.