구차니의 잡동사니 모음

Stops containers and removes containers, networks, volumes, and images created by up.

By default, the only things removed are:

• Containers for services defined in the Compose file
• Networks defined in the networks section of the Compose file
• The default network, if one is used

Networks and volumes defined as external are never removed. 

$ docker run -dit --restart unless-stopped redis 

restart

no is the default restart policy, and it doesn’t restart a container under any circumstance. When always is specified, the container always restarts. The on-failure policy restarts a container if the exit code indicates an on-failure error.

  - restart: no
  - restart: always 

  - restart: on-failure 

version: '2'

services:

  web:

    image: nginx

    restart: always 

type=AVC msg=audit(1553061777.728:1930): avc:  denied  { open } for  pid=23358 comm="python" path="/cql/create-keyspace.cql" dev="dm-0" ino=35212277 scontext=system_u:system_r:container_t:s0:c203,c1009 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 cql/create-keyspace.cql 

# cat /etc/selinux/targeted/contexts/lxc_contexts

process = "system_u:system_r:svirt_lxc_net_t:s0"

content = "system_u:object_r:virt_var_lib_t:s0"

file = "system_u:object_r:svirt_sandbox_file_t:s0"

sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"

sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"

sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

# chcon -Rt svirt_sandbox_file_t /var/db

If a file is labeled svirt_sandbox_file_t, then by default all containers can read it. But if the containers write into a directory that has svirt_sandbox_file_t ownership, they write using their own category (which in this case is "c186,c641). If you start the same container twice, it will get a new category the second time ( a different category than it had the first time). The category system isolates containers from one another. 

Creating network "docker_default" with the default driver

ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-7d5a8bad2e77 -j RETURN: iptables: No chain/target/match by that name.

 (exit status 1)) 

[Unit]

Description=Docker Application Container Engine

Documentation=http://docs.docker.com

After=network.target

Wants=docker-storage-setup.service

Requires=docker-cleanup.timer 

After=network.target docker.socket

Requires=network.target docker.socket 

 ALTER ROLE "asunotest" WITH LOGIN;

# cat /var/log/audit/audit.log | grep nginx | grep denied

type=AVC msg=audit(1553041491.494:21600): avc:  denied  { name_connect } for  pid=17240 comm="nginx" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0

# cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M swnginx

******************** IMPORTANT ***********************

To make this policy package active, execute:

semodule -i swnginx.pp

# semodule -i swnginx.pp