Question:
Can someone explain to me why SELinux rules are applied when running a container in daemon mode but not in interactive mode?
Use case:
I am running a docker container with nvidia-gpu support.
When I try to run it in interactive mode, everything works fine:
docker run -ti --runtime=nvidia --user jovyan -p 81:8888 hub-nbk-gpu:stable nvidia-smi
Thu Aug 30 14:07:53 2018
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 396.26 Driver Version: 396.26 |
|-------------------------------+----------------------+----------------------+
| GPU Name Persistence-M| Bus-Id Disp.A | Volatile Uncorr. ECC |
| Fan Temp Perf Pwr:Usage/Cap| Memory-Usage | GPU-Util Compute M. |
|===============================+======================+======================|
| 0 Tesla P100-PCIE... Off | 00000000:00:1F.0 Off | 0 |
| N/A 32C P0 28W / 250W | 0MiB / 16280MiB | 0% Default |
+-------------------------------+----------------------+----------------------+
+-----------------------------------------------------------------------------+
| Processes: GPU Memory |
| GPU PID Type Process name Usage |
|=============================================================================|
| No running processes found |
+-----------------------------------------------------------------------------+
But when I want to run it in daemon mode, SELinux seems to block it:
docker run -d --runtime=nvidia --user jovyan -p 81:8888 hub-nbk-gpu:stable
4ad334909bb963aa29d63c0929f79a3beb0ce015685d1a5835dda4137cbff367
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "permission denied": unknown.
Of course, if I disable SELinux everything works:
getenforce
Enforcing
sudo setenforce 0
getenforce
Permissive
docker run -d --runtime=nvidia --user jovyan -p 81:8888 hub-nbk-gpu:stable
83fd5ca737523c8757005ce80999c52081c23360b3deb9603e8d86eb357aa64a