Set SELinux context label for Podman custom graphroot directory

I want to set up a custom directory to store container data created with Podman. How can I change the SELinux file context type of that directory (and everything under it) to the type Podman's storage uses? On systems running SELinux, every process and file carries a label that encodes security-related information, and the policy decides which labels may interact. If you configure Podman to store data in a directory other than /var/lib/containers without relabelling it, the container will fail with a permission denied error.

I will demonstrate on a CentOS 8 server. Let us put SELinux in Enforcing mode.

$ sudo setenforce 1
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

Install the container-tools module, which provides podman.

sudo dnf module install container-tools

Let’s confirm that podman is working as expected by running the hello-world container.

$ podman run --rm hello-world

Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Confirm the current root directory setting of the container.

$ podman info | grep -i root
  rootless: false
  GraphRoot: /var/lib/containers/storage
  RunRoot: /var/run/containers/storage

Let’s create a custom directory for storing data.

sudo mkdir -p /data/containers

Update the settings and change the directory to the directory created above.

$ sudo vi /etc/containers/storage.conf
# Primary Read/Write location of container storage
#graphroot = "/var/lib/containers/storage"
graphroot = "/data/containers"

Try to run a container.

# podman run --rm -it ubuntu bash
Getting image source signatures
Copying blob 0f3630e5ff08 done
Copying blob d72e567cc804 done
Copying blob b6a83d81d1f4 done
Copying config 9140108b62 done
Writing manifest to image destination
Storing signatures
bash: error while loading shared libraries: libc.so.6: cannot change memory protections

The image is pulled into the new graphroot without problems, but the container's shell fails to start with this error message:

bash: error while loading shared libraries: libc.so.6: cannot change memory protections

The cause is the label, not the file permissions: a directory created with mkdir under /data inherits a generic type (default_t), and the SELinux policy does not allow container processes to map files of that type. The corresponding AVC denials are recorded in the audit log and can be listed with ausearch -m AVC -ts recent.

Let’s set the correct SELinux label for the directory /data/containers, then try again. The -e option registers /data/containers as equivalent to /var/lib/containers, so every path below it receives the same label as the corresponding path under /var/lib/containers; restorecon then applies the new rule to the files that already exist there.

sudo semanage fcontext -a -e /var/lib/containers /data/containers
sudo restorecon -R -vv /data/containers

If you cannot find the semanage command, use the following command to install it.

sudo yum install policycoreutils-python-utils -y

Confirm the SELinux context type.

$ ls -dZ /data/containers/
unconfined_u:object_r:container_var_lib_t:s0 /data/containers/

The type is now container_var_lib_t, the same type that /var/lib/containers carries.
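The steps above (create the directory, point graphroot at it, register the equivalence rule, relabel, and verify the resulting type) collected into one POSIX shell script. This is an added example, not code from the original article; it assumes a Fedora/RHEL-style host with semanage and restorecon installed, and the function and variable names are my own. The privileged steps only run when a directory is passed on the command line, so the helper functions can be exercised on their own.

```shell
#!/bin/sh
# Added example: relabel a custom Podman graphroot so that it carries the same
# SELinux type as /var/lib/containers, then verify the result.
# Assumes semanage (policycoreutils-python-utils) and restorecon are installed.

REFERENCE_DIR=/var/lib/containers      # directory whose labelling rules we mirror
EXPECTED_TYPE=container_var_lib_t      # type Podman's storage tree must carry

# Extract the SELinux type (third colon-separated field) from a context string
# such as "unconfined_u:object_r:container_var_lib_t:s0".
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given one line of `ls -dZ` output ("<context> <path>"), return the type.
type_from_ls_line() {
    selinux_type_of "${1%% *}"
}

# Succeed (exit 0) only if the `ls -dZ` line shows the expected container type.
label_is_correct() {
    [ "$(type_from_ls_line "$1")" = "$EXPECTED_TYPE" ]
}

# Print the storage.conf fragment that points graphroot at the custom directory.
graphroot_conf() {
    printf '[storage]\ngraphroot = "%s"\n' "$1"
}

# Register the equivalence rule (paths under $1 are labelled as if they lived
# under /var/lib/containers), apply it, and verify. Needs root.
relabel_graphroot() {
    dir=$1
    mkdir -p "$dir"
    semanage fcontext -a -e "$REFERENCE_DIR" "$dir"
    restorecon -R -v "$dir"
    line=$(ls -dZ "$dir")
    if label_is_correct "$line"; then
        echo "OK: $dir is labelled $EXPECTED_TYPE"
    else
        echo "WARNING: $dir has type $(type_from_ls_line "$line"), expected $EXPECTED_TYPE" >&2
        return 1
    fi
}

# Usage:  sudo sh relabel-graphroot.sh /data/containers
# Without an argument nothing privileged runs; only the helpers are defined.
if [ -n "${1:-}" ]; then
    relabel_graphroot "$1"
fi
```

After the script reports OK, add the printed graphroot_conf fragment to /etc/containers/storage.conf (or edit the existing graphroot line as shown above) and re-run the container. If the verification prints a WARNING, the equivalence rule was not applied; check `semanage fcontext -l -C` for the new entry before retrying.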

Re-run the container:

# podman run --rm -it ubuntu bash
root@<container-id>:/# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@<container-id>:/# exit
exit

The container has started successfully.
