Bug 1094664

Summary: docker-io-0.10.0-2 disables access to /dev/shm
Product: [Fedora] Fedora Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: docker-ioAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: admiller, dwalsh, golang-updates, jkeck, jpazdziora, lmiccini, lsm5, lsm5, mattdm, mgoldman, s, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: docker-io-0.11.1-1.fc20.x86_64 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-24 19:37:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2014-05-06 09:21:01 UTC 
Description of problem:

While testing FreeIPA server and the 389 server in Docker container, I started to see errors like Failed to create semaphore for stats file/Permission denied with docker-io from updates-testing. Upon closer look, /dev/shm seems to be mounted with 1755, which is different from what docker-io 0.9.1 does and what you get on bare metal.

Version-Release number of selected component (if applicable):

docker-io-0.10.0-2.fc20.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. docker run -ti fedora:20 /bin/bash
2. In the container shell, run
   mount | grep /dev/shm
   ls -la /dev/shm
   exit
3. Downgrade to docker-io-0.9.1 and repeat.

Actual results:

# docker run -ti fedora:20 /bin/bash
bash-4.2# mount | grep /dev/shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k,mode=1755)
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  6 08:06 .
drwxr-xr-x. 4 root root 4096 May  6 08:06 ..
bash-4.2# exit
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64

# yum downgrade docker-io -y
[...]

# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# docker run -ti fedora:20 /bin/bash
bash-4.2# mount | grep /dev/shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k)
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  6 09:16 .
drwxr-xr-x. 4 root root 4096 May  6 09:16 ..
bash-4.2# exit
exit
#

Expected results:

Permissions on /dev/shm the same as on docker-io-0.9.1.

Additional info:
Comment 1 Daniel Walsh 2014-05-06 19:20:18 UTC 
Is this an SELinux issue?

Could you attach the avc messages.

ausearch -m avc -ts recent -i
Comment 2 Jan Pazdziora (Red Hat) 2014-05-06 19:30:59 UTC 
SELinux is disabled in the container (as reported by getenforce).

Command

ausearch -m avc -ts recent -i

when run on the host says

<no matches>
Comment 3 Daniel Walsh 2014-05-06 19:47:20 UTC 
SELinux is lying inside of the container.

Put the machine into permissive mode and see if you can write to /dev/shm.

ls -lZ /dev/shm from inside of the container.
Comment 4 Jan Pazdziora (Red Hat) 2014-05-07 07:13:17 UTC 
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# getenforce 
Permissive
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxrwxrwt. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0      ..
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  7 07:06 .
drwxr-xr-x. 4 root root 4096 May  7 07:06 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@c05cc1c52ec1 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@c05cc1c52ec1 ~]$ touch /dev/shm/b
[test@c05cc1c52ec1 ~]$ ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   80 May  7 07:06 .
drwxr-xr-x. 4 root root 4096 May  7 07:06 ..
-rw-r--r--. 1 root root    0 May  7 07:06 a
-rw-rw-r--. 1 test test    0 May  7 07:06 b
[test@c05cc1c52ec1 ~]$ logout
bash-4.2# exit
#

Back on the host:

# ausearch -m avc -ts recent -i
<no matches>

Now upgraded to:

# rpm -q docker-io
docker-io-0.10.0-2.fc20.x86_64

Restarted docker service and did:

# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxr-xr-t. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0      ..
bash-4.2# ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   40 May  7 07:10 .
drwxr-xr-x. 4 root root 4096 May  7 07:10 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@e13c9240f149 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@e13c9240f149 ~]$ touch /dev/shm/b
touch: cannot touch ‘/dev/shm/b’: Permission denied
[test@e13c9240f149 ~]$ ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   60 May  7 07:10 .
drwxr-xr-x. 4 root root 4096 May  7 07:10 ..
-rw-r--r--. 1 root root    0 May  7 07:10 a
[test@e13c9240f149 ~]$ logout
bash-4.2# exit
#

Back on the host:

# ausearch -m avc -ts recent -i
<no matches>
#

I don't think it's SELinux, the mode=1755 of the mountpoint seems to be an explicit indication that non-roots shouldn't be allowed do /dev/shm.
Comment 5 Daniel Walsh 2014-05-07 12:41:15 UTC 
Ah ok. I will see about this.  
# docker run --rm -t -i fedora sh
sh-4.2# ls -lZ /dev/shm -d
drwxrwxrwt. root root system_u:object_r:svirt_sandbox_file_t:s0:c319,c682 /dev/shm
sh-4.2# exit
sh-4.3# rpm -q docker-io
docker-io-0.10.0-4.fc21.x86_64

Seems like latest docker-io package has this fixed.
Comment 6 Daniel Walsh 2014-05-07 12:46:30 UTC 
Lokesh can you push a new version to f20?
Comment 7 Jan Pazdziora (Red Hat) 2014-05-09 08:58:33 UTC 
I confirm that docker-io-0.11.1-1.fc20.x86_64 fixes the problem and that I can install FreeIPA server in Docker container with docker-io-0.11 just like I could with docker-io-0.9.
Comment 8 Lokesh Mandvekar 2014-06-24 19:37:55 UTC 
Closing this since 1.0.0-1 is already in f20 stable and this bug was fixed in 0.11.1 as per Comment 7