This article records an example of how SELinux can affect GitLab.
Symptom
Start the GitLab service with the following docker-compose.yml:
[root@host131 gitlab]# cat docker-compose.yml
version: '2'
services:
  # Version Control service: Gitlab
  gitlab:
    image: gitlab/gitlab-ce:12.10.5-ce.0
    ports:
      - "32001:80"
      - "30022:22"
      - "30443:443"
    volumes:
      - ./log/:/var/log/gitlab
      - ./data/:/var/opt/gitlab
      - ./conf/:/etc/gitlab
    restart: "no"
[root@host131 gitlab]#
The following problem occurs at startup:
[root@host131 gitlab]# docker-compose up
Starting gitlab_gitlab_1 ... done
Attaching to gitlab_gitlab_1
gitlab_1 | Thank you for using GitLab Docker Image!
gitlab_1 | Current version: gitlab-ce=12.10.5-ce.0
gitlab_1 |
gitlab_1 | Configure GitLab for your system by editing /etc/gitlab/gitlab.rb file
gitlab_1 | And restart this container to reload settings.
gitlab_1 | To do it use docker exec:
gitlab_1 |
gitlab_1 | docker exec -it gitlab vim /etc/gitlab/gitlab.rb
gitlab_1 | docker restart gitlab
gitlab_1 |
gitlab_1 | For a comprehensive list of configuration options please see the Omnibus GitLab readme
gitlab_1 | https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md
gitlab_1 |
gitlab_1 | If this container fails to start due to permission problems try to fix it by executing:
gitlab_1 |
gitlab_1 | docker exec -it gitlab update-permissions
gitlab_1 | docker restart gitlab
gitlab_1 |
gitlab_1 | Cleaning stale PIDs & sockets
gitlab_1 | Installing gitlab.rb config...
gitlab_1 | cp: cannot create regular file '/etc/gitlab/gitlab.rb': Permission denied
gitlab_gitlab_1 exited with code 1
[root@host131 gitlab]#
Cause
[root@host131 gitlab]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
[root@host131 gitlab]#
Resolution
- Modify the SELINUX setting
[root@host131 gitlab]# sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
[root@host131 gitlab]#
[root@host131 gitlab]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: disabled
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
[root@host131 gitlab]#
- Reboot so that the SELINUX change takes effect
[root@host131 gitlab]# reboot
Shared connection to 127.0.0.1 closed.
liumiaocn:gitlab liumiao$
- Confirm the status again after the reboot
[root@host131 gitlab]# sestatus
SELinux status: disabled
[root@host131 gitlab]#
Note: for an introduction to SELINUX, see https://blog.csdn.net/liumiaocn/article/details/103294064/
Verifying the result
- Start the GitLab service
[root@host131 gitlab]# docker-compose up -d
Creating network "gitlab_default" with the default driver
Creating gitlab_gitlab_1 ... done
[root@host131 gitlab]#
- Check the GitLab service status
[root@host131 gitlab]# docker-compose ps
Name              Command           State                   Ports
--------------------------------------------------------------------------------------------------------------------------------
gitlab_gitlab_1   /assets/wrapper   Up (health: starting)   0.0.0.0:30022->22/tcp, 0.0.0.0:30443->443/tcp, 0.0.0.0:32001->80/tcp
[root@host131 gitlab]#
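As shown, the container has now reached the starting stage and no longer exits immediately after being launched.
Note: this article records an example of SELINUX affecting container startup. The approach taken here is to disable SELINUX outright; it does not cover how to configure things with SELINUX still enabled.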
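For the case the note above leaves open, here is the same compose file adjusted to run with SELinux left in enforcing mode. This is an added example, not part of the original article, and it assumes the "Permission denied" comes from the bind-mounted host directories lacking a label the container is allowed to write to; the `:Z` suffix is Docker's bind-mount option for relabeling.

```yaml
# Added example (not from the original article).
# Assumption: the denial on /etc/gitlab/gitlab.rb is caused by the SELinux
# label on the host directories ./log, ./data and ./conf, not by file
# ownership or mode bits.
version: '2'
services:
  # Version Control service: Gitlab
  gitlab:
    image: gitlab/gitlab-ce:12.10.5-ce.0
    ports:
      - "32001:80"
      - "30022:22"
      - "30443:443"
    volumes:
      # :Z asks Docker to relabel the host directory with a private label
      # for this container, so only this container can access it.
      # :z (lowercase) applies a shared label instead, for directories that
      # several containers must read or write.
      - ./log/:/var/log/gitlab:Z
      - ./data/:/var/opt/gitlab:Z
      - ./conf/:/etc/gitlab:Z
    restart: "no"

# Checks to run on the host, with SELinux still enforcing:
#   ausearch -m avc -ts recent   # before the change: lists the denials
#   ls -dZ ./log ./data ./conf   # after "docker-compose up": the directories
#                                # carry container_file_t (svirt_sandbox_file_t
#                                # on older policies)
#
# Caveat: use :Z only on directories dedicated to the container. Relabeling
# a system path such as /etc or /home makes it inaccessible to host services.
```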