It's A Binary World 2.0

Attempting a podman play on another VM

The podman saga continues. The podman equivalent of a docker-compose.yml can be created from a pod with the following command: 

podman generate kube (name of pod) > (filename).yaml

So I did that with the pod that I’d created with an SELinux context. Now it was time to try it on another Fedora 31 VM to see if it would work. To be on the safe side, I started off creating the phpIPAM folder, chowning it to nobody and chmoding it to 777.

Then I ran:

# podman play kube phpIPAM-withSELinux.yaml

That triggered it to grab the images from Docker Hub. As per usual, the CPU spiked like crazy as it did Podman things. Not sure if this is due to the VM, Podman not having a daemon, something else…. But just something to note. At the end it printed out:

Pod:
 2ced947e3fc08af6d183ceee1b306f66dfb282d6451ec435b8cffa2bdbed0789
 Containers:
 a08eba25b78c8c36e3de9fe773cb23c7688748a4ed20116d4dfa2877d96e562e
 7c30526d35f9f7308c6582afba0fb4ad3bbeaddc40d85d87f251c2b9a9e5ced9

Interestingly, it doesn’t appear that I had to punch a hole through the firewall this time. Perhaps that was just a consequence of me not knowing exactly what was happening on my first attempts with Podman.

Unfortunately, the SELinux :Z attribute doesn’t appear to have come over. That makes sense as when I did a diff with the previous yaml I’d created, I didn’t see anything about that. First let me try the setsebool command.

# setsebool -P container_manage_cgroup true

So now I want to try one of the other commands I found while trying to figure out the SELinux issue.

# chcon -Rt svirt_sandbox_file_t phpipam/

Then I rebooted the container. This does not appear to be enough to get it working. The SELinux page had some solutions it wanted me to type. So I try those.

After doing:

# ausearch -c 'chown' --raw | audit2allow -M my-chown # semodule -X 300 -i my-chown.pp
# semodule -i my-chown.pp

It appears to actually run the phpIPAM install. And I got to a login page!

I think I’m ready to start converting all my docker-compose files to podman play yaml files and start migrating things on my main server.

Eric Mesa

,