Why does docker run in daemon mode (-d) get permission denied (SELinux), but not in interactive mode (-ti)?

Time: 2018-08-30 14:18:17

Tags: docker gpu nvidia selinux nvidia-docker

Question:

Can someone explain to me why SELinux rules are applied when running a container in daemon mode, but not in interactive mode?

Use case:

I am running a docker container with nvidia-gpu support.

When I try to run it interactively, everything works fine now:

docker run -ti --runtime=nvidia --user jovyan -p 81:8888 hub-nbk-gpu:stable nvidia-smi
Thu Aug 30 14:07:53 2018
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 396.26                 Driver Version: 396.26                    |
|-------------------------------+----------------------+----------------------+
| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|===============================+======================+======================|
|   0  Tesla P100-PCIE...  Off  | 00000000:00:1F.0 Off |                    0 |
| N/A   32C    P0    28W / 250W |      0MiB / 16280MiB |      0%      Default |
+-------------------------------+----------------------+----------------------+

+-----------------------------------------------------------------------------+
| Processes:                                                       GPU Memory |
|  GPU       PID   Type   Process name                             Usage      |
|=============================================================================|
|  No running processes found                                                 |
+-----------------------------------------------------------------------------+

But when I want to run it in daemon mode, SELinux seems to block it:

docker run -d --runtime=nvidia --user jovyan -p 81:8888 hub-nbk-gpu:stable
4ad334909bb963aa29d63c0929f79a3beb0ce015685d1a5835dda4137cbff367
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "permission denied": unknown.

Of course, if I disable SELinux, everything works.

0 answers:

No answers