| Summary: | docker-latest run : Container command could not be invoked.. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ed Santiago <santiago> |
| Component: | docker-latest | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | jcallaha, lsm5 |
| Target Milestone: | rc | Flags: | jcallaha: needinfo? (lsm5) |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-16 14:05:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
(In reply to Ed Santiago from comment #0)
> Environment: docker-latest installed on RHEL7.2 virt.
> /etc/sysconfig/docker-latest-storage-setup includes VG=vg-docker, where
> vg-docker is properly set up.
>
> # systemctl stop docker
> # docker-latest-storage-setup
> # systemctl start docker-latest
>
> docker run commands seem to fail consistently:
>
> # docker run docker.io/stackbrew/centos:7
> permission denied
> Error response from daemon: Container command could not be invoked.

Please try 'docker-latest run ...' instead of 'docker run'. docker-latest provides 'docker-latest' binary, while 'docker' binary will be provided by the 'docker' package.

I did; sorry about the copy/paste error. Both docker and docker-latest fail in the same way when docker-latest is running as daemon.

I think I did see this once, but that went away on using the correct version of docker-selinux. I just built an updated docker-latest-1.10.3-10. Could you install this new version and retry in a few mins? Also, please make sure you see this on upgrading:

$ rpm -q docker-selinux docker-latest
docker-selinux-1.9.1-28.el7.x86_64
docker-latest-1.10.3-10.el7.x86_64

docker-selinux is still on 1.9.1 (obtained from the main 'docker' package)

No joy:
# yum upgrade docker-latest
...
Updating:
docker-latest x86_64 1.10.3-10.el7 local 8.6 M
Installing for dependencies:
libseccomp x86_64 2.2.1-1.el7 rhel7 49 k
# systemctl restart docker-latest
# docker-latest run docker.io/stackbrew/centos:7 date
permission denied
docker: Error response from daemon: Container command could not be invoked..
# rpm -q docker-selinux docker-latest
docker-selinux-1.9.1-28.el7.x86_64
docker-latest-1.10.3-10.el7.x86_64
FWIW, I _did_ have docker-selinux-1.10.3-5.el7.x86_64 installed until this morning (fixed by yum downgrade; now on 1.9.1-28). Could its mere presence have screwed something up on my system?
Cannot reproduce problem in docker-latest-1.10.3-11.el7.x86_64 closing...
Environment: docker-latest installed on RHEL7.2 virt. /etc/sysconfig/docker-latest-storage-setup includes VG=vg-docker, where vg-docker is properly set up.

# systemctl stop docker
# docker-latest-storage-setup
# systemctl start docker-latest

docker run commands seem to fail consistently:

# docker run docker.io/stackbrew/centos:7
permission denied
Error response from daemon: Container command could not be invoked.

It's SELinux-related: with "setenforce 0" it works. Possibly helpful, from /var/log/messages:

Apr 15 14:56:07 localhost kernel: SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue)

See below for audit.log.

# rpm -qa|grep docker|sort
docker-1.9.1-28.el7.x86_64
docker-forward-journald-1.9.1-28.el7.x86_64
docker-latest-1.10.3-9.el7.x86_64
docker-selinux-1.10.3-5.el7.x86_64
docker-utils-1.9.1-28.el7.x86_64

# tail -f /var/log/audit/audit.log:
type=VIRT_CONTROL msg=audit(1460746673.186:44223): pid=6700 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='auid=0 exe=? hostname=? reason=api op=create vm=? vm-pid=? user=? exe="/usr/bin/docker-latest" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1460746674.150:44224): pid=6700 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='vm-pid=0 user=? auid=0 exe=date hostname=a3a1b6d23ce2 reason=api op=attach vm=docker.io/stackbrew/centos:7 exe="/usr/bin/docker-latest" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1460746674.153:44225): pid=6700 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='hostname=a3a1b6d23ce2 reason=api op=start vm=docker.io/stackbrew/centos:7 vm-pid=0 user=? auid=0 exe=date exe="/usr/bin/docker-latest" hostname=? addr=? terminal=? res=success'
type=ANOM_PROMISCUOUS msg=audit(1460746674.289:44226): dev=veth70e04ae prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1460746674.289:44226): arch=c000003e syscall=44 success=yes exit=40 a0=1b a1=c208de4270 a2=28 a3=0 items=0 ppid=6696 pid=6714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-latest" exe="/usr/bin/docker-latest" subj=system_u:system_r:initrc_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=raw family=2 entries=0
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=security family=2 entries=0
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=mangle family=2 entries=0
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=filter family=10 entries=0
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=raw family=10 entries=0
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=security family=10 entries=0
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=mangle family=10 entries=0
type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=nat family=10 entries=0
type=SYSCALL msg=audit(1460746674.513:44227): arch=c000003e syscall=56 success=yes exit=8604 a0=6c020011 a1=0 a2=0 a3=0 items=0 ppid=6696 pid=6714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-latest" exe="/usr/bin/docker-latest" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1460746674.670:44228): avc: denied { transition } for pid=8604 comm="exe" path="/usr/bin/date" dev="dm-3" ino=25167936 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c42,c688 tclass=process
type=SYSCALL msg=audit(1460746674.670:44228): arch=c000003e syscall=59 success=no exit=-13 a0=c20854d710 a1=c20854d720 a2=c20800c340 a3=0 items=0 ppid=6700 pid=8604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker-latest" subj=system_u:system_r:initrc_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1460746674.814:44229): dev=veth70e04ae prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1460746674.814:44229): arch=c000003e syscall=44 success=yes exit=32 a0=e a1=c208c8fc00 a2=20 a3=0 items=0 ppid=6696 pid=6700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-latest" exe="/usr/bin/docker-latest" subj=system_u:system_r:initrc_t:s0 key=(null)