Bug 1275554

Summary: Error response from daemon: Relabeling of / is not allowed after upgrading docker
Product: Red Hat Enterprise Linux 7
Reporter: Alex Jia <ajia>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: high
Version: 7.2
CC: dwalsh, lsm5
Target Milestone: rc
Keywords: Extras
Hardware: x86_64
OS: Linux
Fixed In Version: docker-1.9.0-7.el7
Doc Type: Bug Fix
Last Closed: 2016-03-31 23:22:46 UTC
Type: Bug

Description Alex Jia 2015-10-27 08:49:48 UTC
Description of problem:
Building a container image with LABEL INSTALL and then running atomic install to read the LABEL INSTALL in the image works well on docker-1.8.2-8.el7.x86_64 with atomic-1.6-1.gitca1e384.el7.x86_64, but it gets the error "Error response from daemon: Relabeling of / is not allowed" after upgrading to docker-1.9.0-3.el7.x86_64.

Version-Release number of selected component (if applicable):
docker-1.8.2-8.el7.x86_64
atomic-1.6-1.gitca1e384.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. docker pull busybox
2. cat install.sh 
set -x

echo "This is a test."
3. cat Dockerfile 
FROM busybox

ADD install.sh /root/

LABEL INSTALL="docker run -t --rm --privileged -v /:/host/ IMAGE sh /root/install.sh"

Actual results:
[root@dell-per630-02 test]# docker pull busybox
Using default tag: latest
Trying to pull repository registry.access.redhat.com/busybox ... not found
Trying to pull repository docker.io/library/busybox ... latest: Pulling from library/busybox
bf0f46991aed: Pull complete 
3d5bcd78e074: Pull complete 
library/busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:5551dbdfc48d66734d0f01cafee0952cb6e8eeecd1e2492240bf2fd9640c2279
Status: Downloaded newer image for docker.io/busybox:latest

[root@dell-per630-02 test]# docker build -t busybox_label .
Sending build context to Docker daemon 3.072 kB
Step 0 : FROM busybox
 ---> 3d5bcd78e074
Step 1 : ADD install.sh /root/
 ---> 4d76c90d63a3
Removing intermediate container ea5c6f765c09
Step 2 : LABEL INSTALL "docker run -t --rm --privileged -v /:/host/ IMAGE sh /root/install.sh"
 ---> Running in 2fc5733e7647
 ---> 63b155fb8278
Removing intermediate container 2fc5733e7647
Successfully built 63b155fb8278

[root@dell-per630-02 test]# atomic images
 REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
 busybox_label                       latest              63b155fb8278        2015-10-27 16:13    1.11 MB     

[root@dell-per630-02 test]# atomic info busybox_label
INSTALL: docker run -t --rm --privileged -v /:/host/ IMAGE sh /root/install.sh

[root@dell-per630-02 test]# atomic install busybox_label
docker run -t --rm --privileged -v /:/host/ busybox_label sh /root/install.sh
+ echo This is a test.
This is a test.


[root@dell-per630-02 test]# atomic install busybox_label
docker run -t --rm --privileged -v /:/host/ busybox_label sh /root/install.sh
+ echo This is a test.
This is a test.

NOTE: run atomic install again, it's okay.

[root@dell-per630-02 1.9.0-3]# rpm -Uvh *.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:docker-selinux-1.9.0-3.el7       ################################# [ 13%]
   2:docker-1.9.0-3.el7               ################################# [ 25%]
   3:docker-logrotate-1.9.0-3.el7     ################################# [ 38%]
   4:docker-unit-test-1.9.0-3.el7     ################################# [ 50%]
Cleaning up / removing...
   5:docker-logrotate-1.8.2-8.el7     ################################# [ 63%]
   6:docker-1.8.2-8.el7               ################################# [ 75%]
   7:docker-selinux-1.8.2-8.el7       ################################# [ 88%]
   8:docker-unit-test-1.8.2-8.el7     ################################# [100%]

[root@dell-per630-02 test]# rpm -q docker
docker-1.9.0-3.el7.x86_64

[root@dell-per630-02 1.9.0-3]# atomic install busybox_label
docker run -t --rm --privileged -v /:/host/ busybox_label sh /root/install.sh
Error response from daemon: Relabeling of / is not allowed


Expected results:
atomic install should work when upgrading docker

Additional info:

Comment 3 Lokesh Mandvekar 2015-10-28 16:54:43 UTC
Dan, so this error occurs because of the '--selinux-enabled' option. Without this option, the results are as expected both via rpm (1.9.0-6) and via git (@projectatomic/rhel7-1.9).

Comment 4 Daniel Walsh 2015-10-28 18:36:22 UTC
This is an old bug that seems to have risen from the dead.

Comment 5 Daniel Walsh 2015-10-28 20:15:22 UTC
This is a big bug. Opened up a couple of pull requests with docker.

Also added patches which should fix this in the next docker-1.9 build.

Fixed in docker-1.9.0-7

Comment 7 Alex Jia 2016-01-21 03:56:00 UTC
Upgrading docker from 1.8.2-8 to 1.9.1-12, atomic install works well on atomic-1.6-1.gitca1e384.el7.x86_64 and atomic-1.8-4.git958d939.el7.x86_64, so move the bug to VERIFIED status.

Comment 9 errata-xmlrpc 2016-03-31 23:22:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0536.html