Bug 1273893

Summary: docker-selinux breaks when installed before docker
Product: [Fedora] Fedora Reporter: Marius Vollmer <mvollmer>
Component: dockerAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: adimania, admiller, dwalsh, ichavero, jcajka, jchaloup, lsm5, miminar, vbatts
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: docker-1.8.2-13.git28c300f.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-16 17:21:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch to fail silently on restorecon in post install none

Description Marius Vollmer 2015-10-21 13:04:13 UTC 
Description of problem:

Whe bootstrapping our Fedora 23 test images, this happens:

+ dnf -y install systemtap-runtime-virtguest valgrind gdb json-glib realmd glib-networking libssh selinux-policy-targeted docker pcp-libs pcp kubernetes etcd subscription-manager storaged storaged-lvm2 device-mapper-multipath atomic freeipa-client oddjob oddjob-mkhomedir sssd
  [...]
  Installing  : docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64         126/219 
restorecon:  lstat(/var/lib/docker) failed:  No such file or directory
warning: %post(docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64) scriptlet failed, exit status 255
Version-Release number of selected component (if applicable):
  [...]
  Installing  : docker-1:1.8.2-7.gitcb216be.fc23.x86_64                 200/219 
  [...]
Non-fatal POSTIN scriptlet failure in rpm package docker-selinux

+ systemctl start docker
Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.

I assume that installing the packages the other way around would succeed.

How reproducible:
Always

To reproduce:

  $ cd .../cockpit/test/
  $ sudo ./vm-prep
  $ TEST_OS=fedora-23 ./vm-create -f cockpit -v --force --no-save

after cloning the Cockpit sources https://github.com/cockpit-project/cockpit.
Comment 1 Daniel Walsh 2015-10-21 15:01:51 UTC 
Lokesh, I sent you an updated spec file which required docker to be installed before the docker-selinux post gets executed.  Have you built a package for this in Fedora 23?
Comment 2 Lokesh Mandvekar 2015-10-21 15:51:45 UTC 
ohh I see I had only added it to master, added it now to f23 and will be fixed in docker-1.8.2-9.gitbdb52b6.fc23
Comment 3 Fedora Update System 2015-10-21 16:16:30 UTC 
docker-1.8.2-9.gitbdb52b6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-334b8e444d
Comment 4 Marius Vollmer 2015-10-22 06:52:27 UTC 
Thanks!  Is the new docker in some dnf repo somewhere so that I can test this easily?
Comment 5 Fedora Update System 2015-10-24 12:09:21 UTC 
docker-1.8.2-9.gitbdb52b6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update docker'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-334b8e444d
Comment 6 Fedora Update System 2015-11-03 06:57:05 UTC 
docker-1.8.2-10.git28c300f.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7e1a61e141
Comment 7 Fedora Update System 2015-11-03 19:53:26 UTC 
docker-1.8.2-10.git28c300f.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update docker'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7e1a61e141
Comment 8 Fedora Update System 2015-11-05 22:24:26 UTC 
docker-1.8.2-10.git28c300f.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Marius Vollmer 2015-11-11 08:36:31 UTC 
Still happens:

  Installing  : docker-selinux-1:1.8.2-10.git28c300f.fc23.x86_64        187/224 
restorecon:  lstat(/var/lib/docker) failed:  No such file or directory
warning: %post(docker-selinux-1:1.8.2-10.git28c300f.fc23.x86_64) scriptlet failed, exit status 255
  Installing  : docker-1:1.8.2-10.git28c300f.fc23.x86_64                188/224
Comment 10 Daniel Walsh 2015-11-11 19:41:47 UTC 
I just built docker packages from source and I see the requires.

rpm -qpf /home/dwalsh/sources/RPMS/x86_64/docker-selinux-1.8.2-11.git28c300f.fc24.x86_64.rpm --requires
/bin/sh
/bin/sh
docker = 1:1.8.2-11.git28c300f.fc24
libselinux-utils
policycoreutils
policycoreutils-python-utils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
selinux-policy-base >= 3.13.1-119

So it is fixed is in that build.  I don't see this fix in docker-1.9.0-5.git11b81f9.fc24 rawhide

rpm -q docker-selinux
docker-selinux-1.9.0-5.git11b81f9.fc24.x86_64
rpm -q docker-selinux --requires | grep docker
[Exit 1]
Comment 11 Daniel Walsh 2015-11-11 19:43:42 UTC 
I actually think the fix for this is to not require docker to be installed at all, we should just make the postinstall fail silently.  Since if docker-selinux is installed before docker, Which is should be, then rpm will automatically do the right thing as far as labeling.
Comment 12 Daniel Walsh 2015-11-11 19:45:56 UTC 
Created attachment 1092854 [details]
Patch to fail silently on restorecon in post install

Also remove requirement for docker to be installed first.
Comment 13 Marius Vollmer 2015-11-12 09:29:55 UTC 
(In reply to Daniel Walsh from comment #11)
> I actually think the fix for this is to not require docker to be installed
> at all, we should just make the postinstall fail silently.  Since if
> docker-selinux is installed before docker, Which is should be, then rpm will
> automatically do the right thing as far as labeling.

Yes, unlike for docker-selinux-1:1.8.2-7.gitcb216be.fc23.x86_64, this time around docker did actually work, regardless of the error.
Comment 14 Lokesh Mandvekar 2015-11-12 16:04:02 UTC 
I have a new build here: http://koji.fedoraproject.org/koji/taskinfo?taskID=11805530 , but fedpkg update seems to crap out saying invalid koji build, guess i'll retry submitting it in a bit