Docker now stands at the core of cloud computing and is deemed the next big technique in cloud computing; it's changing the game.
When I recently started to experiment with Docker, I also tried to use it as a light-weight virtual machine, though this isn't the recommended way of using Docker.
Why?
This image has supervisor as its entry process, which is monitored by Docker, and supervisor starts sshd at container startup. So if everything goes right, I can log in to the container through ssh.
First, I start a container like below:
As expected, I should be able to log in through ssh by connecting to localhost:12345, since I can get this port mapping from docker ps or docker port.
However, when I try to log in through ssh, it fails like below:
So I restart a container with /bin/bash as its entry process to figure out what caused this error, and then start sshd manually.
From another console I log in again, and I find the output below from sshd in the Docker container.
At first glance it's related to SELinux, so I check the Docker host's SELinux status like below.
Yes, it's enabled and in permissive mode. So what about disabling SELinux? The answer is yes: I can log in to the Docker container through ssh with SELinux disabled on the Docker host.
So is this a bug in the Docker and SELinux integration? Not really. There is a lot of talk that SELinux support for Docker is planned, so we can expect it not to work for the time being.
Diving a little deeper, two questions come up:
Why does ssh login try to get the user's SELinux context?
Why doesn't it figure out that it's in a Docker container, with no SELinux runtime filesystem mounted and no SELinux context on files?
Following this clue, I read some code of the specific libselinux version installed in my Docker image, libselinux-2.0.94-5.3.el6.x86_64, and found that the code below does the runtime check of SELinux status.
The above code does a loose check: although neither /sys/fs/selinux nor /selinux is mounted, it falls through to checking only the kernel part, and since Docker reuses the host kernel, it always reports SELinux as enabled. However, the whole Docker image filesystem has no SELinux contexts and no SELinux context rules loaded, so this wrong check causes many problems, like the one above.
The good news is that this is fixed in newer libselinux, e.g. version 2.2.2, which does the stricter check below.
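As an added illustration (not libselinux's own source and not part of the original post), here is a small C reimplementation of the two detection strategies described above, run over constructed /proc/filesystems and /proc/mounts text instead of the live files so it runs anywhere: the loose check only asks whether the kernel knows the selinuxfs type, the strict check asks whether a selinuxfs is actually mounted at /sys/fs/selinux or /selinux.

```c
#include <stdio.h>
#include <string.h>

/* Loose check, modelled on the old behaviour: SELinux counts as enabled as
 * soon as the kernel lists "selinuxfs" as a known type. Input is the text of
 * /proc/filesystems; a container shares the host kernel, so this says 1. */
int loose_check(const char *proc_filesystems)
{
    return strstr(proc_filesystems, "selinuxfs") != NULL;
}

/* Strict check, modelled on the 2.2.2 behaviour: SELinux counts as enabled only
 * if a selinuxfs is really mounted at a known mount point. Input is the text of
 * /proc/mounts, one "<dev> <mountpoint> <fstype> <opts> <dump> <pass>" per line. */
int strict_check(const char *proc_mounts)
{
    const char *p = proc_mounts;
    while (*p) {
        char line[256], dev[64], mnt[128], type[32];
        size_t len = strcspn(p, "\n");                 /* length of this line */
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += len; if (*p) p++;                         /* step to next line */
        if (sscanf(line, "%63s %127s %31s", dev, mnt, type) != 3)
            continue;
        if (strcmp(type, "selinuxfs") == 0 &&
            (strcmp(mnt, "/sys/fs/selinux") == 0 || strcmp(mnt, "/selinux") == 0))
            return 1;
    }
    return 0;
}

/* Constructed sample input: what a container on an SELinux-enabled host sees.
 * The kernel knows selinuxfs, but nothing is mounted inside the container. */
const char CONTAINER_FILESYSTEMS[] = "nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\n";
const char CONTAINER_MOUNTS[] =
    "proc /proc proc rw,nosuid 0 0\n"
    "/dev/mapper/root / ext4 rw,relatime 0 0\n";
/* Constructed /proc/mounts of the host itself, where selinuxfs is mounted. */
const char HOST_MOUNTS[] =
    "proc /proc proc rw,nosuid 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";

int main(void)
{
    printf("container: loose=%d strict=%d, host: strict=%d\n",
           loose_check(CONTAINER_FILESYSTEMS), strict_check(CONTAINER_MOUNTS),
           strict_check(HOST_MOUNTS));
    return 0;
}
```

The container case is exactly the mismatch from the post: the loose check says enabled while the strict check says disabled, and only the latter matches what sshd will actually find in the image.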
So I can deploy this version of libselinux and its dependencies to my Docker image and get ssh working fine with SELinux enabled on the Docker host, though it's a little more complicated than just disabling SELinux on the Docker host.