Bug 1403370

Summary: failed to install selinux policies from containers-selinux when installing docker 1.12
Product: Red Hat Enterprise Linux 7 Reporter: Micah Abbott <miabbott>
Component: docker Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3 CC: amurdaca, dwalsh, ghuang, lsm5, lsu, lvrabec, mgrepl, peter
Target Milestone: rc Keywords: Extras
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: docker-1.12.4-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1403718 (view as bug list) Environment:
Last Closed: 2017-01-17 20:44:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1403718    
Attachments:
Description Flags
gear policy should not exists anymore, looks like it is still in RHEL7 systems. none

Description Micah Abbott 2016-12-09 20:37:36 UTC
Trying to install docker 1.12 from the nightly extras repo on a RHEL 7 Server appears successful, but there are definitely some SELinux errors thrown during install.

# yum install docker
Loaded plugins: product-id, search-disabled-repos, subscription-manager
nightly-extras                                           | 3.0 kB     00:00     
rhel-7-server-extras-rpms                                | 3.4 kB     00:00     
rhel-7-server-rpms                                       | 3.5 kB     00:00     
(1/7): nightly-extras/primary_db                           |  36 kB   00:00     
(2/7): rhel-7-server-extras-rpms/x86_64/group              |  104 B   00:00     
(3/7): rhel-7-server-extras-rpms/x86_64/updateinfo         | 120 kB   00:00     
(4/7): rhel-7-server-extras-rpms/x86_64/primary_db         | 162 kB   00:00     
(5/7): rhel-7-server-rpms/7Server/x86_64/group             | 701 kB   00:00     
(6/7): rhel-7-server-rpms/7Server/x86_64/updateinfo        | 1.8 MB   00:00     
(7/7): rhel-7-server-rpms/7Server/x86_64/primary_db        |  32 MB   00:02     
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.12.3-10.el7 will be installed
--> Processing Dependency: docker-common = 2:1.12.3-10.el7 for package: 2:docker-1.12.3-10.el7.x86_64
--> Processing Dependency: docker-rhel-push-plugin = 2:1.12.3-10.el7 for package: 2:docker-1.12.3-10.el7.x86_64
--> Processing Dependency: container-selinux >= 2:1.12.3-10.el7 for package: 2:docker-1.12.3-10.el7.x86_64
--> Processing Dependency: skopeo-containers for package: 2:docker-1.12.3-10.el7.x86_64
--> Running transaction check
---> Package container-selinux.x86_64 2:1.12.3-10.el7 will be installed
---> Package docker-common.x86_64 2:1.12.3-10.el7 will be installed
---> Package docker-rhel-push-plugin.x86_64 2:1.12.3-10.el7 will be installed
---> Package skopeo-containers.x86_64 1:0.1.17-0.7.git1f655f3.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch   Version                     Repository      Size
================================================================================
Installing:
 docker                 x86_64 2:1.12.3-10.el7             nightly-extras  22 M
Installing for dependencies:
 container-selinux      x86_64 2:1.12.3-10.el7             nightly-extras  79 k
 docker-common          x86_64 2:1.12.3-10.el7             nightly-extras  62 k
 docker-rhel-push-plugin
                        x86_64 2:1.12.3-10.el7             nightly-extras 2.3 M
 skopeo-containers      x86_64 1:0.1.17-0.7.git1f655f3.el7 nightly-extras 7.4 k

Transaction Summary
================================================================================
Install  1 Package (+4 Dependent packages)

Total download size: 24 M
Installed size: 110 M
Is this ok [y/d/N]: y
Downloading packages:
(1/5): container-selinux-1.12.3-10.el7.x86_64.rpm          |  79 kB   00:00     
(2/5): docker-common-1.12.3-10.el7.x86_64.rpm              |  62 kB   00:00     
(3/5): docker-rhel-push-plugin-1.12.3-10.el7.x86_64.rpm    | 2.3 MB   00:00     
(4/5): skopeo-containers-0.1.17-0.7.git1f655f3.el7.x86_64. | 7.4 kB   00:00     
(5/5): docker-1.12.3-10.el7.x86_64.rpm                     |  22 MB   00:00     
--------------------------------------------------------------------------------
Total                                               46 MB/s |  24 MB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:docker-rhel-push-plugin-1.12.3-10.el7.x86_64               1/5 
  Installing : 2:docker-common-1.12.3-10.el7.x86_64                         2/5 
  Installing : 1:skopeo-containers-0.1.17-0.7.git1f655f3.el7.x86_64         3/5 
  Installing : 2:container-selinux-1.12.3-10.el7.x86_64                     4/5 
libsemanage.semanage_direct_remove_key: Unable to remove module docker at priority 100. (No such file or directory).
libsemanage.semanage_direct_remove_key: Unable to remove module docker at priority 400. (No such file or directory).
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/containers(/.*)?  (system_u:object_r:gear_var_lib_t:s0 and system_u:object_r:container_var_lib_t:s0).
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
/usr/sbin/semodule:  Failed!
  Installing : 2:docker-1.12.3-10.el7.x86_64                                5/5 
  Verifying  : 2:container-selinux-1.12.3-10.el7.x86_64                     1/5 
  Verifying  : 1:skopeo-containers-0.1.17-0.7.git1f655f3.el7.x86_64         2/5 
  Verifying  : 2:docker-common-1.12.3-10.el7.x86_64                         3/5 
  Verifying  : 2:docker-1.12.3-10.el7.x86_64                                4/5 
  Verifying  : 2:docker-rhel-push-plugin-1.12.3-10.el7.x86_64               5/5 

Installed:
  docker.x86_64 2:1.12.3-10.el7                                                 

Dependency Installed:
  container-selinux.x86_64 2:1.12.3-10.el7                                      
  docker-common.x86_64 2:1.12.3-10.el7                                          
  docker-rhel-push-plugin.x86_64 2:1.12.3-10.el7                                
  skopeo-containers.x86_64 1:0.1.17-0.7.git1f655f3.el7                          

Complete!



Trying to start the service fails, but looks like it is bz#1403264

# systemctl start docker
Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.
# systemctl status docker -l
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2016-12-09 15:32:23 EST; 3s ago
     Docs: http://docs.docker.com
  Process: 2387 ExecStart=/usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $ADD_REGISTRY $BLOCK_REGISTRY $INSECURE_REGISTRY (code=exited, status=1/FAILURE)
 Main PID: 2387 (code=exited, status=1/FAILURE)

Dec 09 15:32:23 localhost.localdomain systemd[1]: Starting Docker Application Container Engine...
Dec 09 15:32:23 localhost.localdomain dockerd-current[2387]: time="2016-12-09T15:32:23.394119913-05:00" level=fatal msg="Failed to connect to containerd. Please make sure containerd is installed in your PATH or you have specificed the correct address. Got error: exec: \"docker-containerd\": executable file not found in $PATH"
Dec 09 15:32:23 localhost.localdomain systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
Dec 09 15:32:23 localhost.localdomain systemd[1]: Failed to start Docker Application Container Engine.
Dec 09 15:32:23 localhost.localdomain systemd[1]: Unit docker.service entered failed state.
Dec 09 15:32:23 localhost.localdomain systemd[1]: docker.service failed.

Comment 2 Daniel Walsh 2016-12-10 12:39:06 UTC
Created attachment 1230253
gear policy should not exists anymore, looks like it is still in RHEL7 systems.

Please apply this patch to docker.spec, it fixes labels on /usr/bin/docker* and /usr/libexec/docker/*  

It also disables docker and gears policy packages, which will fix the label conflict problem.
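
Added example (not part of the bug report or of container-selinux): a small checker that finds the kind of clash setfiles rejected above, where one path regex is labelled with two different contexts. It is a simplified model of that duplicate check, the sample entries are constructed, and the names `parse_specs` and `find_conflicts` are hypothetical.

```python
# Constructed sample in file_contexts format: <path regex> [<file type>] <context>.
# The /var/lib/containers pair mirrors the conflict in the install log;
# the remaining lines are made up for contrast.
SAMPLE = """\
# constructed sample, not a real policy dump
/var/lib/containers(/.*)?    system_u:object_r:gear_var_lib_t:s0
/var/lib/docker(/.*)?        system_u:object_r:container_var_lib_t:s0
/var/lib/containers(/.*)?    system_u:object_r:container_var_lib_t:s0
/usr/bin/docker.*    --      system_u:object_r:container_runtime_exec_t:s0
/usr/bin/docker.*    -d      system_u:object_r:bin_t:s0
/etc/docker(/.*)?            system_u:object_r:container_config_t:s0
/etc/docker(/.*)?            system_u:object_r:container_config_t:s0
"""

FILE_TYPES = {"--", "-d", "-b", "-c", "-l", "-p", "-s"}


def parse_specs(text):
    """Yield (lineno, regex, ftype, context) for every spec line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) == 3 and fields[1] in FILE_TYPES:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None  # no type: applies to all
        else:
            raise ValueError(f"line {lineno}: malformed spec: {raw!r}")
        yield lineno, regex, ftype, context


def find_conflicts(text):
    """Return [(regex, sorted contexts)] for regexes labelled inconsistently.

    Two specs clash when the regex strings are identical, their file types
    overlap (equal, or either one unspecified) and the contexts differ.
    Identical duplicates are not reported.
    """
    specs = list(parse_specs(text))
    conflicts = {}
    for i, (_, rx_a, ft_a, ctx_a) in enumerate(specs):
        for _, rx_b, ft_b, ctx_b in specs[i + 1:]:
            overlap = ft_a is None or ft_b is None or ft_a == ft_b
            if rx_a == rx_b and overlap and ctx_a != ctx_b:
                conflicts.setdefault(rx_a, set()).update((ctx_a, ctx_b))
    return [(rx, sorted(ctxs)) for rx, ctxs in sorted(conflicts.items())]


if __name__ == "__main__":
    for regex, contexts in find_conflicts(SAMPLE):
        print(f"{regex}: {' and '.join(contexts)}")
```

Only the `/var/lib/containers(/.*)?` pair is reported: the two `/usr/bin/docker.*` entries apply to different file types, and the repeated `/etc/docker(/.*)?` entry carries the same context both times.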

Comment 3 Daniel Walsh 2016-12-10 12:40:16 UTC
Lukas and Miroslav, please remove the gear policy from RHEL systems, we no longer ship it.

Comment 4 Daniel Walsh 2016-12-11 12:49:34 UTC
Turns out gear policy is also in Fedora. We need it removed there also.

Comment 5 Daniel Walsh 2016-12-11 12:50:37 UTC
Lokesh, I have updated container-selinux policy for RHEL systems in DOCKER-1.12 Branch.

Comment 7 Luwen Su 2017-01-10 03:08:36 UTC
The update/install of docker-1.12.5-9.el7.x86_64 works well, move to verified

Comment 9 errata-xmlrpc 2017-01-17 20:44:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html