I want to set custom directory to store containers’ data created with Podman, how can I change the directory’s file type (along with its contents) to context type used by Podman?. On systems running SELinux, all processes and files are labeled in a way that represents security-relevant information. If you try create a container with data stored in a directory other than /var/lib/containers you will get permission denied.
I’ll demonstrate this on a CentOS 8 server. Let’s put SELinux in Enforcing mode.
$ sudo setenforce 1 $ sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 31
Install Container tools which provides podman.
sudo dnf module install container-tools
Let’s confirm podman is working as we would expect by running helloworld container.
$ podman run --rm hello-world Trying to pull docker.io/library/hello-world... Getting image source signatures Copying blob 0e03bdcc26d7 done Copying config bf756fb1ae done Writing manifest to image destination Storing signatures Hello from Docker! This message shows that your installation appears to be working correctly. To generate this message, Docker took the following steps: 1. The Docker client contacted the Docker daemon. 2. The Docker daemon pulled the "hello-world" image from the Docker Hub. (amd64) 3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading. 4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal. To try something more ambitious, you can run an Ubuntu container with: $ docker run -it ubuntu bash Share images, automate workflows, and more with a free Docker ID: https://hub.docker.com/ For more examples and ideas, visit: https://docs.docker.com/get-started/
Confirm current root directory setting for the containers.
$ podman info | grep -i root rootless: false GraphRoot: /var/lib/containers/storage RunRoot: /var/run/containers/storage
Let’s create custom directory for storing the data.
sudo mkdir -p /data/containers
Update the setting and change the directory to one created above.
$ sudo vi /etc/containers/storage.conf # Primary Read/Write location of container storage #graphroot = "/var/lib/containers/storage" graphroot = "/data/containers"
Try run a container.
# podman run --rm -it ubuntu bash Getting image source signatures Copying blob 0f3630e5ff08 done Copying blob d72e567cc804 done Copying blob b6a83d81d1f4 done Copying config 9140108b62 done Writing manifest to image destination Storing signatures bash: error while loading shared libraries: libc.so.6: cannot change memory protections
From the output I got the error message:
bash: error while loading shared libraries: libc.so.6: cannot change memory protections
Let us set correct SELinux Labels for the directory /data/containers then retry.
sudo semanage fcontext -a -e /var/lib/containers /data/containers sudo restorecon -R -vv /data/containers
If semanage command is not found install with the commands below.
sudo yum install policycoreutils-python-utils -y
Confirm SELinux context type.
$ ls -dZ /data/containers/ unconfined_u:object_r:container_var_lib_t:s0 /data/containers/
Confirm if type has been set to container_var_lib_t.
Rerun the container:
# podman run --rm -it ubuntu bash [email protected]:/# cat /etc/os-release NAME="Ubuntu" VERSION="20.04.1 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.1 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal [email protected]:/# exit exit
The container was started successfully.
More articles on Podman: