Bug 1338894

Summary: [RFE] Allow Docker + SELinux + Btrfs
Product: Red Hat Enterprise Linux 7
Reporter: Neal Gompa <ngompa13>
Component: docker
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: lsm5, lsu, yruseva
Target Milestone: rc
Keywords: Extras, FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Release Note
Doc Text:
In previous versions of docker, you needed to disable SELinux support for container separation if you were using the btrfs back end. This is no longer required. Having SELinux and Btrfs working together will increase the security separation between containers.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-23 16:18:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Neal Gompa 2016-05-23 15:18:59 UTC
Description of problem:
Currently, Docker prevents the usage of Docker with Btrfs if SELinux is enabled (regardless of SELinux mode).

This was related to issues with applying contexts on container initialization in subvolumes[0]. However, with Docker 1.10.0, this issue should no longer be present, as Dan Walsh's fix was merged in for that release[1].

So please either upgrade Docker to 1.10 or newer (current release is 1.11.1, which has the new architecture using runc, containerd, etc.) or backport the fixes to the current Docker release you intend to support (1.9.x).

[0]: https://github.com/docker/docker/issues/7952#issuecomment-138268890
[1]: https://github.com/docker/docker/pull/16452

Version-Release number of selected component (if applicable):
docker-1.9.1-40.el7

Comment 2 Daniel Walsh 2016-05-23 17:43:07 UTC
Neal, docker-latest is currently docker-1.10, so you should be able to use this now.

The next version of docker for RHEL will default to docker-1.10.  We have concerns about whether docker-1.11 is Enterprise Ready.  We are thinking of skipping it and waiting for docker-1.12.

Comment 3 Daniel Walsh 2016-06-03 12:40:52 UTC
Fixed in docker-1.10

Comment 6 Luwen Su 2016-06-12 09:06:22 UTC
In docker-1.10.3-40.el7.x86_64 with selinux-policy-3.13.1-68.el7.noarch:

1. Prepare a free device first, /dev/vdb here.
# mkfs.btrfs /dev/vdb

Write /dev/vdb to fstab

# cat /etc/fstab
....
UUID=06330bae-9e7c-404b-84cf-34c9126881b3 /var/lib/docker         btrfs   defaults        0 0

# mount -a

SELinux is on:
# getenforce
Enforcing

2. I start the docker daemon in the foreground:
# docker daemon --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --storage-driver=btrfs --selinux-enabled --log-driver=journald --add-registry registry.access.redhat.com

INFO[0000] Graph migration to content-addressability took 0.00 seconds 
INFO[0000] Firewalld running: true                      
INFO[0001] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address 
INFO[0004] Loading containers: start.                   

INFO[0004] Loading containers: done.                    
INFO[0004] Daemon has completed initialization          
INFO[0004] Docker daemon                                 commit=7528fb1-unsupported execdriver=native-0.2 graphdriver=btrfs version=1.10.3
INFO[0004] API listen on /var/run/docker.sock 

3. Test a simple write/read action:
# docker pull fedora
# docker run -it fedora /bin/bash
# cat /etc/fstab

works fine.
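The verification above only shows that the daemon starts and a container runs. A defender who wants to confirm that the btrfs + SELinux combination is actually providing separation needs three facts: the daemon reports the btrfs graph driver with SELinux enabled, the host is Enforcing, and the container processes carry a confined type with per-container MCS categories. The script below is an added example, not part of this bug report or of docker itself; it checks those three facts from the text of `docker info`, `getenforce` and `ps -eZ`. The sample outputs are constructed, the `Security Options: selinux` line is assumed to be how a 1.10-era daemon reports `--selinux-enabled`, and `svirt_lxc_net_t` (with `container_t` accepted as the later alias) is assumed to be the container process type under the RHEL 7 policy.

```shell
#!/bin/sh
# Added verification helper: confirm btrfs graph driver + SELinux separation
# from the text of `docker info`, `getenforce` and `ps -eZ`.

# Constructed sample of `docker info` (field names assumed from docker 1.10).
SAMPLE_INFO='Containers: 1
Images: 3
Server Version: 1.10.3
Storage Driver: btrfs
 Build Version: Btrfs v4.4.1
 Library Version: 101
Logging Driver: journald
Security Options: selinux
Kernel Version: 3.10.0-327.el7.x86_64'

# Constructed sample `ps -eZ` line for a process inside a container.
# Assumption: svirt_lxc_net_t with an MCS pair is the RHEL 7 container label.
SAMPLE_PS='system_u:system_r:svirt_lxc_net_t:s0:c123,c456  2345 pts/0 00:00:00 bash'

# Print the value of a "Key: value" line from docker info (empty if absent).
info_field() {
  printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# Succeeds only when the graph driver is btrfs AND SELinux is listed among the
# security options, i.e. the combination this bug is about is in effect.
check_btrfs_selinux() {
  driver=$(info_field "$1" 'Storage Driver')
  secopts=$(info_field "$1" 'Security Options')
  [ "$driver" = btrfs ] || return 1
  case " $secopts " in
    *' selinux '*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds only for Enforcing; Permissive merely logs the denials.
check_enforcing() {
  [ "$1" = Enforcing ]
}

# Succeeds when the process label has a container type and an MCS category
# pair, so the container really runs confined rather than as unconfined_t.
check_container_label() {
  label=$(printf '%s\n' "$1" | awk '{print $1}')
  type=$(printf '%s\n' "$label" | cut -d: -f3)
  cats=$(printf '%s\n' "$label" | cut -d: -f5)
  case "$type" in
    svirt_lxc_net_t|container_t) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$cats" | grep -Eq '^c[0-9]+,c[0-9]+$'
}

# Live usage on the host under test (replaces the constructed samples):
#   check_btrfs_selinux "$(docker info)" \
#     && check_enforcing "$(getenforce)" \
#     && check_container_label "$(ps -eZ | grep svirt_lxc_net_t | head -n1)" \
#     && echo "btrfs + SELinux separation confirmed"
```

The MCS category check matters because a daemon started without `--selinux-enabled` still runs containers, but they share one label and SELinux no longer separates them from each other; the graph driver alone says nothing about that.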

Comment 8 errata-xmlrpc 2016-06-23 16:18:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1274