Project Quay: PROJQUAY-4795

The CA mount is missing the SELinux flag for Podman-based repomirror containers


    • Bug
    • Resolution: Done
    • Major
    • documentation

      In the manual repomirror setup (https://access.redhat.com/documentation/en-us/red_hat_quay/3.7/html-single/deploy_red_hat_quay_for_proof-of-concept_non-production_purposes/index#mirroring-worker), the user is asked to start the repomirror container like this if Quay is deployed using a self-signed cert:

      $ sudo podman run -d --name mirroring-worker \
        -v $QUAY/config:/conf/stack:Z \
        -v /root/ca.crt:/etc/pki/ca-trust/source/anchors/ca.crt \
        registry.redhat.io/quay/quay-rhel8:v3.7.10 repomirror 

      This will not work because the SELinux rules will deny the repo mirror container read access to the file in the /root directory of the host. The :Z flag needs to be appended to the volume mount, like so:

      $ sudo podman run -d --name mirroring-worker \
        -v $QUAY/config:/conf/stack:Z \
        -v /root/ca.crt:/etc/pki/ca-trust/source/anchors/ca.crt:Z \
        registry.redhat.io/quay/quay-rhel8:v3.7.10 repomirror 
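
A check for this class of mistake, added here as an example and not taken from the Quay documentation or the issue: it walks a podman argument list and prints every host-path bind mount that carries neither `:z` nor `:Z`. The function names `unlabeled_mounts` and `check_spec` are hypothetical, and `/opt/quay` is a constructed stand-in for `$QUAY`.

```shell
#!/bin/sh
# Print each bind mount in a podman argument list that has no SELinux
# relabel option (z = shared label, Z = private label). One spec per line.
check_spec() {
    case $1 in
        *:*) ;;
        *) return 0 ;;              # no colon: anonymous volume, not a bind mount
    esac
    src=${1%%:*}
    case $src in
        /*|./*|../*) ;;             # host path, so this is a bind mount
        *) return 0 ;;              # named volume, not a host file
    esac
    rest=${1#*:}                    # DST or DST:OPTS
    case $rest in
        *:*) opts=${rest#*:} ;;
        *)   opts= ;;
    esac
    case ",$opts," in
        *,z,*|*,Z,*) ;;             # relabel requested
        *) printf '%s\n' "$1" ;;    # would be denied on an enforcing host
    esac
}

unlabeled_mounts() {
    expect_spec=0
    for arg in "$@"; do
        if [ "$expect_spec" -eq 1 ]; then
            spec=$arg
            expect_spec=0
        else
            case $arg in
                -v|--volume) expect_spec=1; continue ;;
                --volume=*)  spec=${arg#--volume=} ;;
                -v?*)        spec=${arg#-v} ;;
                *)           continue ;;
            esac
        fi
        check_spec "$spec"
    done
}

# Constructed input: the documented command from this issue, with $QUAY=/opt/quay.
unlabeled_mounts run -d --name mirroring-worker \
    -v /opt/quay/config:/conf/stack:Z \
    -v /root/ca.crt:/etc/pki/ca-trust/source/anchors/ca.crt \
    registry.redhat.io/quay/quay-rhel8:v3.7.10 repomirror
```

Podman's `:Z` applies a private label to the host file, while `:z` applies a shared one; the check accepts either.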

              rhn-support-stevsmit Steven Smith
              DanielMesser Daniel Messer