Bug 1362611

Summary: Cannot start container. oci-register-machine failed, permission denied
Product: Red Hat Enterprise Linux 7
Reporter: Lenny Szubowicz <lszubowi>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: dwalsh, gouyang, lsm5
Target Milestone: rc
Keywords: Extras
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2016-11-04 09:09:10 UTC
Type: Bug

Description Lenny Szubowicz 2016-08-02 16:02:08 UTC
Description of problem:

Cannot start any docker container on RHEL 7.3 recent nightly server builds
Using docker from http://download.eng.bos.redhat.com/nightly/latest-EXTRAS-7-RHEL-7/

Version-Release number of selected component (if applicable):

docker-selinux-1.10.3-46.el7.10.x86_64
docker-common-1.10.3-46.el7.10.x86_64
docker-1.10.3-46.el7.10.x86_64
docker-rhel-push-plugin-1.10.3-46.el7.10.x86_64
oci-register-machine-0-1.7.git31bbcd2.el7.x86_64
oci-systemd-hook-0.1.4-5.git41491a3.el7.x86_64

How reproducible: Failed every time on all images/containers I tried.

Steps to Reproduce:
1. docker run -it --name rhel7.2-ctnr rhel7.2 bash
Actual results:

[root@intel-canoepass-uefi-01 ~]# docker run -it --name rhel7.2-ctnr rhel7.2 bash
docker: Error response from daemon: Cannot start container b76e34674e232c63637d7cff419a691069773db3dab6727b735caded53d6dc62: [9] System error: exit status 1.
From journalctl:

Aug 02 11:48:24 intel-canoepass-uefi-01.khw.lab.eng.bos.redhat.com dbus[1069]: [system] Successfully activated service 'org.freedesktop.machine1'
Aug 02 11:48:24 intel-canoepass-uefi-01.khw.lab.eng.bos.redhat.com systemd[1]: Started Virtual Machine and Container Registration Service.
Aug 02 11:48:24 intel-canoepass-uefi-01.khw.lab.eng.bos.redhat.com oci-register-machine[3763]: 2016/08/02 11:48:24 Register machine failed: Failed to determine unit of process 3743 : Permission denied
Aug 02 11:48:24 intel-canoepass-uefi-01.khw.lab.eng.bos.redhat.com systemd[1]: Stopping docker container 19aaf2f93812db57d6b10820d6e84f6fd8be243b5934b20a33575f932773c425.
Aug 02 11:48:24 intel-canoepass-uefi-01.khw.lab.eng.bos.redhat.com systemd[1]: Stopped docker container 19aaf2f93812db57d6b10820d6e84f6fd8be243b5934b20a33575f932773c425.
From /var/log/audit/audit.log:

type=AVC msg=audit(1470152904.148:164): avc:  denied  { search } for  pid=3767 comm="systemd-machine" name="3743" dev="proc" ino=52357 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
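
As an added example, not part of this bug report nor of the docker or oci-register-machine code, a small Python parser for AVC records like the one above: it extracts the source and target SELinux types and flags the pattern seen here, systemd-machined denied `search` on the /proc/<pid> directory (name="3743", the process oci-register-machine could not resolve) of a process in another domain. The second, granted record is a constructed negative sample, and the function names are my own.

```python
import re

# Constructed sample: the AVC record quoted in this bug report.
SAMPLE_AVC = ('type=AVC msg=audit(1470152904.148:164): avc:  denied  { search } for  '
              'pid=3767 comm="systemd-machine" name="3743" dev="proc" ino=52357 '
              'scontext=system_u:system_r:systemd_machined_t:s0 '
              'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir')
# Constructed negative sample: same source domain, unrelated and granted.
OTHER_AVC = ('type=AVC msg=audit(1470152905.000:165): avc:  granted  { read } for  '
             'pid=3767 comm="systemd-machine" path="/etc/hosts" dev="dm-0" ino=1 '
             'scontext=system_u:system_r:systemd_machined_t:s0 '
             'tcontext=system_u:object_r:net_conf_t:s0 tclass=file')

_AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC audit record into a dict; None if it is not an AVC record."""
    m = _AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in _KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Split user:role:type[:mls] so callers can match on the domain/type alone.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def is_machined_proc_denial(rec):
    """True for the failure behind this bug: systemd-machined (systemd_machined_t)
    denied 'search' on a /proc/<pid> directory of a process in another domain."""
    return (rec is not None and rec["result"] == "denied"
            and rec.get("scontext_type") == "systemd_machined_t"
            and rec.get("dev") == "proc" and rec.get("tclass") == "dir"
            and "search" in rec["perms"])


if __name__ == "__main__":
    for line in (SAMPLE_AVC, OTHER_AVC):
        rec = parse_avc(line)
        print(rec["serial"], rec["result"], rec["scontext_type"], "->",
              rec["tcontext_type"], rec["tclass"], is_machined_proc_denial(rec))
```

Feeding `grep ^type=AVC /var/log/audit/audit.log` through `parse_avc` and filtering with `is_machined_proc_denial` isolates this class of denial from unrelated AVC noise on a busy host.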

Comment 2 Daniel Walsh 2016-08-03 07:15:55 UTC
We need the updated docker-selinux package from master.

Comment 3 Daniel Walsh 2016-08-19 12:24:43 UTC
Fixed in latest docker package.

Comment 6 errata-xmlrpc 2016-11-04 09:09:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2634.html