Bug 1322886

How are you running your docker daemon.

What does the docker daemon CLI look like?

# systemctl stop docker

# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Thu 2016-03-31 13:07:11 BRT; 7s ago
     Docs: http://docs.docker.com
  Process: 1352 ExecStart=/usr/bin/docker daemon --exec-opt native.cgroupdriver=systemd $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $INSECURE_REGISTRY (code=exited, status=0/SUCCESS)
 Main PID: 1352 (code=exited, status=0/SUCCESS)

Mar 31 11:36:51 yubi docker[1352]: time="2016-03-31T11:36:51.147789955-03:00" level=info msg="Loading containers: start."
Mar 31 11:36:51 yubi docker[1352]: ....
Mar 31 11:36:51 yubi docker[1352]: time="2016-03-31T11:36:51.154899118-03:00" level=info msg="Loading containers: done."
Mar 31 11:36:51 yubi docker[1352]: time="2016-03-31T11:36:51.154926145-03:00" level=info msg="Daemon has completed initialization"
Mar 31 11:36:51 yubi docker[1352]: time="2016-03-31T11:36:51.154948896-03:00" level=info msg="Docker daemon" commit="f8a9a2a/1.10.3" execdriver=native-0.2 graphdriver=devicemapper version=1.10.3
Mar 31 11:36:51 yubi systemd[1]: Started Docker Application Container Engine.
Mar 31 11:36:51 yubi docker[1352]: time="2016-03-31T11:36:51.162834561-03:00" level=info msg="API listen on /var/run/docker.sock"
Mar 31 13:07:11 yubi systemd[1]: Stopping Docker Application Container Engine...
Mar 31 13:07:11 yubi docker[1352]: time="2016-03-31T13:07:11.351793814-03:00" level=info msg="Processing signal 'terminated'"
Mar 31 13:07:11 yubi systemd[1]: Stopped Docker Application Container Engine.

# systemctl start docker

# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-03-31 13:07:27 BRT; 1s ago
     Docs: http://docs.docker.com
 Main PID: 5578 (docker)
    Tasks: 10 (limit: 512)
   CGroup: /system.slice/docker.service
           └─5578 /usr/bin/docker daemon --exec-opt native.cgroupdriver=systemd --selinux-enabled --log-driver=journald

Mar 31 13:07:26 yubi docker[5578]: time="2016-03-31T13:07:26.884341751-03:00" level=info msg="Graph migration to content-addressability took 0.00 seconds"
Mar 31 13:07:26 yubi docker[5578]: time="2016-03-31T13:07:26.892924433-03:00" level=info msg="Firewalld running: true"
Mar 31 13:07:26 yubi docker[5578]: time="2016-03-31T13:07:26.973609255-03:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Mar 31 13:07:27 yubi docker[5578]: time="2016-03-31T13:07:27.064291995-03:00" level=info msg="Loading containers: start."
Mar 31 13:07:27 yubi docker[5578]: ....
Mar 31 13:07:27 yubi docker[5578]: time="2016-03-31T13:07:27.065781819-03:00" level=info msg="Loading containers: done."
Mar 31 13:07:27 yubi docker[5578]: time="2016-03-31T13:07:27.065803349-03:00" level=info msg="Daemon has completed initialization"
Mar 31 13:07:27 yubi docker[5578]: time="2016-03-31T13:07:27.065816320-03:00" level=info msg="Docker daemon" commit="f8a9a2a/1.10.3" execdriver=native-0.2 graphdriver=devicemapper version=1.10.3
Mar 31 13:07:27 yubi systemd[1]: Started Docker Application Container Engine.
Mar 31 13:07:27 yubi docker[5578]: time="2016-03-31T13:07:27.071047939-03:00" level=info msg="API listen on /var/run/docker.sock"

# ps auxf | grep docker
root      5662  0.0  0.0 117188   884 pts/1    S+   13:07   0:00          |   |                   \_ grep --color=auto docker
root      5578  0.3  0.1 492924 32556 ?        Ssl  13:07   0:00 /usr/bin/docker daemon --exec-opt native.cgroupdriver=systemd --selinux-enabled --log-driver=journald


# cat /etc/sysconfig/docker | egrep -v '^#' | uniq

OPTIONS='--selinux-enabled --log-driver=journald'
DOCKER_CERT_PATH=/etc/docker

# getenforce 
Permissive

# docker info
Containers: 5
 Running: 0
 Paused: 0
 Stopped: 5
Images: 1
Server Version: 1.10.3
Storage Driver: devicemapper
 Pool Name: docker-253:0-1179774-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 272.7 MB
 Data Space Total: 107.4 GB
 Data Space Available: 68.17 GB
 Metadata Space Used: 913.4 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.117 (2016-02-21)
Execution Driver: native-0.2
Logging Driver: journald
Plugins: 
 Volume: local
 Network: bridge null host
Kernel Version: 4.5.0-0.rc7.git0.2.fc24.x86_64
Operating System: Fedora 24 (Twenty Four)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 1
CPUs: 4
Total Memory: 15.59 GiB
Name: yubi
ID: 2QAH:A3X4:O2II:CSVY:ZIJU:4GBL:3IJI:V7DG:CWRP:H3TA:F5NW:32U2
Registries: docker.io (secure)

Created attachment 1142297 [details]
`strace -ff -p $daemon_pid` followed by `docker run`

Installed F24 Alpha on a VirtualBox VM running on the same host and I cannot reproduce it.

This machine was installed from F23 and upgraded a few weeks ago to F24 after it was branched. It's a pretty boring setup so I'm wondering if other users will have issues upgrading. I thought cleaning all of Docker's config and state directories should help but no luck.

So it may not be an issue for fresh installs but for upgrades. Please let me know what other information would be useful to capture.

Vivek do you see anything obvious?

Giovani, if you just run

docker daemon --selinux-enabled --log-driver=journald

Can you start a container?

Created attachment 1142315 [details]
output from running `docker daemon` and trying to start container

It has got to be something in your configuration.  You have tried other containers, and you attempted to rm -rf /var/lib/docker?

Fortunately, that seems true. I installed F23, upgraded to F24 alpha using DNF (got Docker 1.10.2), containers worked. Upgraded to Docker 1.10.3, containers worked.

I'll keep digging and hopefully find out what's happening here, although I have nothing special in my configuration (I did erase all of /etc/docker, /etc/sysconfig/docker*, /var/lib/docker, /var/run/docker and reinstalled the packages many times).

Thank you!

Also try to run a --privileged container.

Privileged containers are working fine on the F24 VM.

I remember when using 1.10.2 on the host, that I had removed Docker, cleared all directories, rebooted, reinstalled 1.10.2 and everything worked again.

The first time I saw the issue while running 1.10.3, I tried just the reboot alone without success. I also removed Docker and the directories (but without rebooting), no success either. 

Just now, I noticed /sys still had a bunch of cgroup files with "docker" in their names... although Docker was not installed and no containers were running. I removed everything again, rebooted (so the entries in /sys were gone), installed Docker 1.10.3, started the daemon and everything is working fine now!

Although I would automatically blame it on 'zombie' state in /sys, rebooting before didn't fix the issue. It seems as if the Docker files got in a situation where they were creating cgroups that were broken/bad (and would recreate them after reboots)... but this is just speculation on my part.

I'll keep an eye for this issue and let anyone known if I hit it again. Thanks again for all the help. I think this BZ could be closed as NOTABUG.

That is wierd.  Stuff in /sys should not persist across a reboot.  Something in systemd might have been recreating them?

Hit the same bug after upgrading F23 to F24. I had to manually remove docker-engine and install the package docker and docker-selinux . I haven't deleted any directories yet.

Privileged containers work fine. But underprivileged containers don't.

~ ❯❯❯ docker run -it ubuntu bash
permission denied
docker: Error response from daemon: Container command could not be invoked..


journalctl says:

Jul 04 11:30:35 lenovo docker[5541]: time="2016-07-04T11:30:35.916252143+05:30" level=error msg="error locating sandbox id c57bda4ad7f0349767a64d4f26cc10fc83c261ae25662473b1f9e582c80bab2f: sandbox c57bda4ad7f0349767a64d4f26cc10fc83c261ae25662473b1f9e582c80bab2f not found"
Jul 04 11:30:35 lenovo docker[5541]: time="2016-07-04T11:30:35.916315973+05:30" level=warning msg="failed to cleanup ipc mounts:\nfailed to umount /var/lib/docker/containers/4e8d1fbfecf9e97220294aa58cc1d07e197859be12af0f67097c49003c4a316f/shm: invalid argument"
Jul 04 11:30:35 lenovo docker[5541]: time="2016-07-04T11:30:35.916344607+05:30" level=error msg="Error unmounting container 4e8d1fbfecf9e97220294aa58cc1d07e197859be12af0f67097c49003c4a316f: not mounted"
Jul 04 11:30:35 lenovo docker[5541]: time="2016-07-04T11:30:35.916540317+05:30" level=error msg="Handler for POST /v1.22/containers/4e8d1fbfecf9e97220294aa58cc1d07e197859be12af0f67097c49003c4a316f/start returned error: Container command could not be invoked."

Setting SELinux to permissive mode let's me launch the underprivileged container.

Okay, so I reinstalled docker-selinux package, restarted docker daemon and now everything works as expected.

Initially, I had installed docker-selinux and then installed docker 1.10.3. 

Perhaps the package docker-1.10.3-21.git19b5791.fc24.x86_64 should have been a dependency of docker-selinux-1.10.3-21.git19b5791.fc24.x86_64 ?