Bug 1216151
Summary: | Docker fails mounting a volume as readonly on files located under /usr | |||
---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Yann Robert <yann.robert> | |
Component: | docker-io | Assignee: | Lokesh Mandvekar <lsm5> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 21 | CC: | adimania, admiller, bugzilla.redhat.com, decarr, dustymabe, dwalsh, golang-updates, hushan.jia, ichavero, jchaloup, jperrin, lsm5, mattdm, mgoldman, miminar, patryk.kubiak, s, thrcka, vbatts, yann.robert | |
Target Milestone: | --- | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1221688 1230192 | Environment: | ||
Last Closed: | 2015-07-15 21:21:05 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: |
Description
Yann Robert
2015-04-28 15:37:07 UTC
I see this also on F22

    [root@kvm124 ~]# rpm -q docker
    docker-1.6.0-3.git9d26a07.fc22.x86_64

This no longer works

    docker run -d --sig-proxy --name $CT_name --net=none \
    -v /etc/localtime:/etc/localtime:ro \

Editing out the :ro stops the Failure

    docker run -d --sig-proxy --name $CT_name --net=none \
    -v /etc/localtime:/etc/localtime \

    FATA[0000] Error response from daemon: Cannot start container 925387bd2b2988b1a10ff87e68e188f3a579e68d3d5fc1f31d40a648cd9cb6d2: [8] System error: Relabeling content in /usr is not allowed.

Hi, is there any news on this?

docker 1.6.0 on CentOS is working fine with:

    # rpm -q docker
    docker-1.6.0-11.0.1.el7.centos.x86_64

it still does not work on Fedora with:

    $ rpm -q docker-io
    docker-io-1.6.0-4.git350a636.fc21.x86_64

I am working on moving the Vagrant environment for Kubernetes to Fedora 21.

Kubernetes runs the master services in pods that mount in /usr

To get around this problem, I have to disable selinux on the master server, but would like to avoid having to do that if possible.
It does not work on CentOS 7 OS as well with docker 1.6.0 from EPEL repo:

    $ rpm -qi docker
    Name        : docker
    Version     : 1.6.0
    Release     : 11.0.1.el7.centos
    Architecture: x86_64
    Install Date: Wed 03 Jun 2015 11:15:06 AM CEST
    Group       : Unspecified
    Size        : 33835427
    License     : ASL 2.0
    Signature   : RSA/SHA256, Thu 14 May 2015 01:50:02 AM CEST, Key ID 24c6a8a7f4a80eb5
    Source RPM  : docker-1.6.0-11.0.1.el7.centos.src.rpm
    Build Date  : Thu 14 May 2015 01:47:06 AM CEST
    Build Host  : worker1.bsys.centos.org
    Relocations : (not relocatable)
    Packager    : CentOS BuildSystem <http://bugs.centos.org>
    Vendor      : CentOS
    URL         : http://www.docker.com
    Summary     : Automates deployment of containerized applications

    $ docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
    Unable to find image 'busybox:latest' locally
    latest: Pulling from docker.io/busybox
    cf2616975b4a: Pull complete
    6ce2e90b0bc7: Pull complete
    8c2e06607696: Already exists
    docker.io/busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
    Digest: sha256:38a203e1986cf79639cfb9b2e1d6e773de84002feea2d4eb006b52004ee8502d
    Status: Downloaded newer image for docker.io/busybox:latest
    Timestamp: 2015-06-03 12:16:19.569470822 +0200 CEST
    Code: System error
    Message: Relabeling content in /usr is not allowed.
    Frames:
    ---
    0: setupRootfs
    Package: github.com/docker/libcontainer
    File: rootfs_linux.go@34
    ---
    1: Init
    Package: github.com/docker/libcontainer.(*linuxStandardInit)
    File: standard_init_linux.go@52
    ---
    2: StartInitialization
    Package: github.com/docker/libcontainer.(*LinuxFactory)
    File: factory_linux.go@223
    ---
    3: initializer
    Package: github.com/docker/docker/daemon/execdriver/native
    File: init.go@35
    ---
    4:
    FATA[0004] Error response from daemon: Cannot start container a9e9dcf572b52fc40a8f6a802fe45e5e461e92a3d9c537cb8c5859e3bff9cc31: [8] System error: Relabeling content in /usr is not allowed.
It requires to remove ":ro" flag in order to work properly.

Should be fixed in docker-1.6.2

After upgrading to 1.6.2 from virt7-testing repo (http://wiki.centos.org/Cloud/Docker) problem still seems to exist:

Trying to mount following volume is still not possible:

    -v /etc/localtime:/etc/localtime:ro

docker version:

    Client version: 1.6.2.el7
    Client API version: 1.18
    Go version (client): go1.4.2
    Git commit (client): c3ca5bb/1.6.2
    OS/Arch (client): linux/amd64
    Server version: 1.6.2.el7
    Server API version: 1.18
    Go version (server): go1.4.2
    Git commit (server): c3ca5bb/1.6.2
    OS/Arch (server): linux/amd64

Running test container was stopped & removed. Then docker service was restarted via systemctl. A new container was started to verify the problem. Problem still exists with version 1.6.2

Lokesh, I just fixed this issue in docker-1.6.2 repo. Please rebuild for RHEL7 Fedora 21, 22.

The "Fedora 22 updates for x86_64" repository does not contain any 1.6.2 build.

    # sudo dnf list docker --disableexcludes all
    Last metadata expiration check performed 0:00:40 ago on Tue Jul 21 12:53:29 2015.
    Installed Packages
    docker.x86_64 1.6.0-3.git9d26a07.fc22 @System
    Available Packages
    docker.x86_64 1.7.0-6.git74e7a7a.fc22 updates

It would also be fixed in docker-1.7

Unfortunately, docker-1.7 comes with its own batch of bugs. Would it be possible to publish docker-1.6.2 for Fedora 22 updates?

Which bugs are you talking about with docker-1.7?

I just cannot use docker-1.7 because of
https://bugzilla.redhat.com/show_bug.cgi?id=1244124
https://github.com/docker/docker/issues/14396

Ok, I have asked the firewalld team to look into this and see if they can fix it quickly. As soon as they have a fix, I will get it shipped into fedora.

Thank you Daniel.

However, I fear we are in a tunnel now. While we are waiting for a fix, a new major version will be released. When the fix will be found, it will not be released because we should upgrade to latest major version.

So there will be no working docker-1.6.x binaries for Fedora 22?