Bug 1281805
Summary: | docker 1.8.2 fails to perform any action when selinux set to enforcing | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Praveen Kumar <prkumar> |
Component: | docker | Assignee: | Lokesh Mandvekar <lsm5> |
Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
Severity: | medium | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.2 | CC: | ajia, bleanhar, dustymabe, kanderso, kumarpraveen.nitdgp, lfriedma, lsm5, mjenner, sdodson, tpoitras |
Target Milestone: | rc | Keywords: | Extras |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | docker-1.8.2-10.el7 | Doc Type: | Bug Fix |
Doc Text: | Previously, Docker 1.8.2 was failing to perform any actions if SELinux was set to enforcing mode. This is no longer an issue, and Docker images now run as expected. | ||
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2015-12-08 15:37:01 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Praveen Kumar
2015-11-13 13:02:23 UTC
Comment 2, Daniel Walsh:

Any avc messages?

yum reinstall docker-selinux

Could help.

Comment 3, Praveen Kumar:

(In reply to Daniel Walsh from comment #2)
> Any avc messages?

```
# ausearch -m avc
----
time->Mon Nov 16 02:32:06 2015
type=SYSCALL msg=audit(1447659126.109:1157): arch=c000003e syscall=59 success=no exit=-13 a0=c20815e2e0 a1=c2081603e0 a2=c208149a80 a3=0 items=0 ppid=936 pid=13090 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1447659126.109:1157): avc: denied { transition } for pid=13090 comm="exe" path="/usr/bin/cat" dev="dm-5" ino=67110949 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c108,c1017 tclass=process
```

> yum reinstall docker-selinux

```
# yum reinstall docker-selinux
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Installed package docker-selinux-1.8.2-8.el7.x86_64 (from koji-override-0) not available.
Error: Nothing to do
```

I followed the steps below to make it work.

```
# yum remove -y docker-selinux; yum install -y docker-selinux
# systemctl restart docker
```

Also (before and after updating the docker-selinux package):

```
$ sudo rpm -V docker coreutils
S.5....T.  c /etc/sysconfig/docker-storage
S.5....T.  c /etc/sysconfig/docker-storage-setup
```

Praveen, are you still seeing the problem?

ps -eZ | grep docker

Lokesh, don't we have a fix for this in Fedora?

I tried some of the openshift3/* images live in production and did not hit issues.

```
-bash-4.2# atomic host status
  TIMESTAMP (UTC)         VERSION     ID             OSNAME               REFSPEC
* 2015-11-10 16:11:46     7.2         ec85fba1bf     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
```

docker run -it --rm <image> version

openshift3/ose-docker-builder
openshift3/ose-docker-builder
openshift3/ose-f5-router
openshift3/ose-haproxy-router

Comment 8, Dusty Mabe:

This is an arbitrary rpm transaction ordering issue. Sometimes it happens (because the ordering sorts docker-selinux before docker) and sometimes it doesn't.

In the vagrant box we are using for CDK we got unlucky. This is from the kickstart logs:

```
[root@localhost anaconda]# grep "scriptlet failed" /var/log/anaconda/packaging.log
15:46:13,521 INFO packaging: warning: %post(docker-selinux-1.8.2-8.el7.x86_64) scriptlet failed, exit status 255
```

This was fixed in Fedora I believe: http://pkgs.fedoraproject.org/cgit/docker.git/commit/?h=f23&id=d6be327e7fc7bc777b6106e69011754609266a21

(In reply to Dusty Mabe from comment #8)
> This is an arbitrary rpm transaction ordering issue. Sometimes it happens
> (because the ordering sorts docker-selinux before docker) and sometimes it
> doesn't.
>
> In the vagrant box we are using for CDK we got unlucky. This is from the
> kickstart logs:
>
> ```
> [root@localhost anaconda]# grep "scriptlet failed" /var/log/anaconda/packaging.log
> 15:46:13,521 INFO packaging: warning: %post(docker-selinux-1.8.2-8.el7.x86_64) scriptlet failed, exit status 255
> ```

Thanks Dusty for the explanation. So we have to wait till 1.8.2-10 lands in the RHEL tree and the CDK build picks it up; till then that bad hack is the only way to go.

> This was fixed in Fedora I believe:
> http://pkgs.fedoraproject.org/cgit/docker.git/commit/?h=f23&id=d6be327e7fc7bc777b6106e69011754609266a21

docker run works well and no AVC denied error occurs on docker-1.8.2-10.el7.x86_64, so moving the bug to verified status.

```
# getenforce
Enforcing
# rpm -q docker
docker-1.8.2-10.el7.x86_64
# docker run -it --rm openshift3/ose version
openshift v3.1.0.4-3-ga6353c7
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2554.html
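An added example, not part of the bug thread or of the docker packaging: it turns the "any avc messages?" check into code by parsing audit AVC records like the one pasted in comment 3 and flagging a denied process transition from unconfined_service_t into svirt_lxc_net_t, the signature seen here when docker ran with the docker-selinux policy not applied. The first two sample records are those from the thread (the SYSCALL line abridged); the third is a constructed, unrelated file denial for contrast.

```python
import re

# Constructed sample input: records 1-2 are from comment 3 of this bug (SYSCALL
# line abridged), record 3 is a made-up file denial that must NOT be flagged.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1447659126.109:1157): arch=c000003e syscall=59 '
    'success=no exit=-13 ppid=936 pid=13090 uid=0 comm="exe" exe="/usr/bin/docker" '
    'subj=system_u:system_r:unconfined_service_t:s0 key=(null)',
    'type=AVC msg=audit(1447659126.109:1157): avc: denied { transition } for '
    'pid=13090 comm="exe" path="/usr/bin/cat" dev="dm-5" ino=67110949 '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=system_u:system_r:svirt_lxc_net_t:s0:c108,c1017 tclass=process',
    'type=AVC msg=audit(1447659200.000:1200): avc: denied { read } for '
    'pid=13100 comm="docker" name="hosts" dev="dm-5" ino=12345 '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# key=value tokens; values are either double-quoted or a run of non-spaces
# (SELinux contexts contain ':' and ',' and are never quoted).
_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')


def parse_avc(line):
    """Fields of a 'type=AVC ... avc: denied { perms } for ...' record, else None."""
    m = _DENIED.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _TOKEN.findall(m.group(2))}
    fields['perms'] = m.group(1).split()
    return fields


def domain(context):
    """Type component (third field) of an SELinux context string."""
    return context.split(':')[2]


def is_docker_transition_denial(fields):
    """The pattern from this bug: a process in unconfined_service_t is refused
    a domain transition into the container domain svirt_lxc_net_t."""
    return (fields is not None and 'transition' in fields['perms']
            and fields.get('tclass') == 'process'
            and domain(fields['scontext']) == 'unconfined_service_t'
            and domain(fields['tcontext']) == 'svirt_lxc_net_t')


def scan(lines):
    """(pid, source type, target type) for every matching denial in lines."""
    parsed = (parse_avc(line) for line in lines)
    return [(int(f['pid']), domain(f['scontext']), domain(f['tcontext']))
            for f in parsed if is_docker_transition_denial(f)]
```

Feed it `ausearch -m avc` output line by line; a non-empty result is the cue to verify the docker-selinux package and its %post scriptlet rather than to debug the image.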