Tuesday, December 2, 2025

OpenSUSE LeapMicro 6.2 and Traefik: Permission denied

Running the latest openSUSE Leap Micro 6.2 and suddenly Traefik logs have a lot of "Permission denied" errors? Initial searches may have you jumping through hoops for docker group changes, etc. But that won't fix it. Leap Micro 6.2 has a stricter SELinux policy which no amount of user/group shenanigans will evade. Instead, do the following:

  • install a SELinux suitable policy
  • mount bind volumes with an SELinux label

That may sound daunting (and you probably should read up on the topic), but here is a straightforward step-by-step approach:

SELinux labels

Edit your docker-compose file (or your docker run command) so that the docker socket is mounted with the Z label: "/var/docker/docker.sock:/var/docker/docker.sock:ro,Z"

  1. This may be for the Traefik container itself or for a docker socket proxy container (recommended)
  2. For Traefik's certificate management file mount you will need to do the same (e.g. "/opt/traefik/acme.json:/acme.json:Z")

SELinux policy

1. Start a clean LeapMicro instance

2. Temporarily set SELinux to Permissive mode (this will cause audit logs to be created, but no blocking will take place)

setenforce 0

3. Proceed to install necessary packages, etc (e.g. docker, docker-compose)

4. Copy across your deployment file (e.g. docker-compose.yml)

5. Start the container(s) 

(e.g. docker compose up -d, or docker run -d ...)

6. Test everything is running correctly

7. View the related audit logs generated (if using a socket proxy, the -c parameter might not be "traefik")

ausearch -c traefik --raw

8. Convert the SELinux audit logs to an allow policy:

ausearch -c traefik --raw | audit2allow -M traefik_allow

9. Install the policy

semodule -i traefik_allow.pp

10. Re-enable Enforcing mode

setenforce 1

11. Restart your containers and verify they are working well.

12. Reduce/automate

  • copy the traefik_allow.pp file for importing the policy on other servers
  • if the traefik_allow.pp file is no longer present, export the module into a file that can be copied off: semodule --cil -E traefik_allow

With a small one-off hassle, the audit utilities provided with SELinux make it easy to keep security intact.
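The two fixes above (labelling the bind mounts, and turning permissive-mode audit records into an allow module) as an added shell example; this is not code from the original post. The volume specs, the module name and the process name passed to ausearch are assumptions for illustration, and build_policy() expects to run as root on a host with the SELinux audit tools installed.

```shell
#!/bin/sh
# Added example, not from the original post. label_volume() rewrites a docker
# volume spec so the bind mount carries the SELinux "Z" option; build_policy()
# turns the denials recorded in permissive mode into an installed allow module
# (steps 7-9 above). Paths and module names here are assumptions.

# "host:ctr"      -> "host:ctr:Z"
# "host:ctr:ro"   -> "host:ctr:ro,Z"
# "host:ctr:ro,Z" -> unchanged (a z or Z label option is already present)
label_volume() {
    spec=$1
    host=${spec%%:*}
    rest=${spec#*:}
    ctr=${rest%%:*}
    opts=""
    [ "$rest" != "$ctr" ] && opts=${rest#*:}
    case ",$opts," in
        *,[Zz],*) printf '%s\n' "$spec" ;;
        ",,")     printf '%s:%s:Z\n' "$host" "$ctr" ;;
        *)        printf '%s:%s:%s,Z\n' "$host" "$ctr" "$opts" ;;
    esac
}

# $1: process name as seen by "ausearch -c" (traefik, or the socket proxy's
# process name); $2: module name, default <name>_allow. Run with SELinux in
# permissive mode, after the container has been exercised (steps 2-6 above).
build_policy() {
    comm=$1
    mod=${2:-${comm}_allow}
    # ausearch exits non-zero when no matching records exist
    if ! ausearch -c "$comm" --raw > "$mod.audit"; then
        echo "no audit records for '$comm': is the container running and SELinux permissive?" >&2
        return 1
    fi
    audit2allow -M "$mod" < "$mod.audit" || return 1
    # audit2allow -M writes $mod.te next to $mod.pp; read it before installing
    # so that every rule the module allows is known and intended.
    cat "$mod.te"
    semodule -i "$mod.pp"
    # afterwards: setenforce 1, restart the containers and re-check the logs
}
```

Only label_volume() is exercised by the assertions; build_policy() needs the SELinux tooling on a real Leap Micro host.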


Wednesday, May 7, 2025

Troubleshooting NVIDIA issues on openSUSE

I just did an update...and now my system boots to a black screen, or the second screen won't work, etc. Sound familiar?

This is my list of items to review, to hopefully narrow down the culprit or at least get to a resolution faster.

Try to manually start the graphical interface...
  • init 5
  • start-plasmawayland
Check if the services are running...and whether they print accurate data...
  • systemctl status prime-select.service
  • systemctl status switcheroo-control.service
  • (one or the other should be running, not both)
  • sudo prime-select get-current (this normally doesn't show accurate info in my experience)
  • sudo prime-select get-boot
  • switcherooctl list
Check /var/log/messages for the following (if using less, press / to search, and n/N to jump to the next/previous match):
  • sddm
  • nvidia
  • prime
And then, most likely, reinstall the graphics drivers. Because the kernel modules need to be rebuilt for the new drivers, sometimes this has not happened properly at upgrade.
  • Search all nvidia drivers and components:
    • zypper se -si nvidia-*
      • zypper rm nvidia-*
    • zypper se -si nvidia*
      • Here you can't just remove everything: removing the kernel-firmware-nvidia package will want to remove all kernel firmware, which is not a good idea.
    • zypper rm suse-prime
      • ...for prime-select
    • zypper rm switcheroo-control
  • Remove third-party repos. The drivers should only come from NVIDIA or Updates repo.
    • In one case the system had loaded some libraries from another repo, and this seemed to be the cause of the issues. The zypper search above will help you see if other repos are in use.
  • Reboot
  • Install the drivers
    • zypper in nvidia-video-G06
      • This will automatically install prime-select and switcheroo-control
    • zypper in nvidia-driver-G06-kmp-default
      • Found this was required separately, recently (Update August 2025)
    • Reboot and hopefully all is working

Friday, January 17, 2025

openSUSE Leap Micro on Digital Ocean

openSUSE's Leap Micro is a transaction-based operating system, providing built-in protection against updates that might cause the operating system to fail. This protection is achieved by creating file system snapshots (BTRFS) before updates are applied. Further, as the "Micro" part suggests, it is lightweight and focused on container and virtualisation use cases.

Using DigitalOcean's Custom Images feature, we can import the qcow image.

Start by visiting https://get.opensuse.org/leapmicro, go to Downloads and copy the download link for Preconfigured Image (qcow).

In your DigitalOcean dashboard, navigate to Backups & Snapshots, and click on the Custom Images tab.

In the pop-up, paste the URL copied from the openSUSE Leap Micro download page. Click Next and provide a friendlier name for the image, set the Distribution to Unknown, and choose the datacenter where the image must reside.


Wait for the status to change from Pending, and your image is ready to become an appliance.

When creating the droplet, select your image from the Custom Images tab. Also, the droplet size will need to have at least 50GB disk size. Under Authentication, only SSH is supported.


Now you can create the droplet.

Since the image is being set up with cloud-init, the JeOS run-once menu will not be displayed. Connect using SSH, either as sles@public-ip or as root@public-ip. The 'sles' user has full sudo rights.

A big benefit of Leap Micro is that it performs system updates automatically. If you want to install packages, use sudo transactional-update -n pkg in git (installing git here as an example; the -n is great for scripting as it ensures zypper is run in non-interactive mode). Note that you will need to reboot as soon as possible afterwards so that the snapshot created when installing the applications is used on start-up and marked as reliable.

You can also enable Combustion to get an easy-to-use web interface for managing the server. You can find the instructions to do so by opening the droplet's console. You will need to:

  • Add a user for Combustion login, by running jeos-config user.
  • Enable 2FA, by running jeos-config otp.
  • Enable the Combustion service with systemctl enable --now cockpit.service

There is a lot more to explore, and I recommend viewing the videos available from openSUSE. The last heads-up is that podman is provided in place of docker by default.