Bug 1405306
| Summary: | docker run with parameter "--privileged" get failed | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Wenkai Shi <weshi> |
| Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.3 | CC: | ajia, amurdaca, ghuang, jialiu, lfriedma, lsm5, lsu, mifiedle, sdodson, vlaad, xtian |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-17 20:44:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
please see https://bugzilla.redhat.com/show_bug.cgi?id=1382997#c54 and https://bugzilla.redhat.com/show_bug.cgi?id=1382997#c53

---

I do not think they are the same issue. Note that: Run docker run with parameter "--privileged", it failed. Can succeed without parameter "--privileged".

---

(In reply to Johnny Liu from comment #2)
> I do not think they are the same issue. Note that:
> Run docker run with parameter "--privileged", it failed. Can succeed without
> parameter "--privileged".

The policy is disabled and it works well if you change SELinux to Permissive status, or enable docker policy.

```
[root@atomic-00 cloud-user]# semodule -lfull | grep docker
100 docker pp disabled
```

---

I have updated container-selinux to handle this issue.

cc14935f9a5ee1977b853dc85b3dd4ba3a16d320 fixes this issue in the RHEL-1.12 branch.

---

This looks like we should have the fix in container-selinux-1.12.4-3.el7.x86_64

Could you attempt a reinstall of container-selinux

```
# dnf reinstall container-selinux
```

If that succeeds could you tell me if this outputs anything?

```
# sesearch -T -s container_runtime_t -c process -t unlabeled_t
```

---

(In reply to Daniel Walsh from comment #6)
> This looks like we should have the fix in
> container-selinux-1.12.4-3.el7.x86_64
>
> Could you attempt a reinstall of container-selinux
>
> # dnf reinstall container-selinux
>
> If that succeeds could you tell me if this outputs anything?
>
> # sesearch -T -s container_runtime_t -c process -t unlabeled_t

```
[root@host ~]# yum info container-selinux
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Installed Packages
Name        : container-selinux
Arch        : x86_64
Epoch       : 2
Version     : 1.12.4
Release     : 3.el7
Size        : 29 k
Repo        : installed
From repo   : rhel73-extra
Summary     : SELinux policies for container runtimes
URL         : https://github.com/docker/docker
License     : ASL 2.0
Description : SELinux policy modules for use with container runtimes.

[root@host ~]# yum reinstall container-selinux -y
...
Complete!

[root@host ~]# sesearch -T -s container_runtime_t -c process -t unlabeled_t
Found 1 semantic te rules:
   type_transition container_runtime_t unlabeled_t : process spc_t;
```

And it still reproduces:

```
[root@qe-weshi-cute-me ~]# docker run -it --rm --privileged centos /bin/bash
panic: standard_init_linux.go:175: exec user process caused "permission denied" [recovered]
	panic: standard_init_linux.go:175: exec user process caused "permission denied"

goroutine 1 [running, locked to thread]:
panic(0x6f2ea0, 0xc420148e00)
	/usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/urfave/cli.HandleAction.func1(0xc42007f748)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x247
panic(0x6f2ea0, 0xc420148e00)
	/usr/lib/golang/src/runtime/panic.go:458 +0x243
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc42007f198, 0xc42001e090, 0xc42007f238)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x18f
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc42004f450, 0xaac9c0, 0xc420148e00)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x353
main.glob..func8(0xc420082a00, 0x0, 0x0)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/main_unix.go:26 +0x66
reflect.Value.call(0x6ddc20, 0x769b48, 0x13, 0x73c049, 0x4, 0xc42007f708, 0x1, 0x1, 0x4d1728, 0x731ea0, ...)
	/usr/lib/golang/src/reflect/value.go:434 +0x5c8
reflect.Value.Call(0x6ddc20, 0x769b48, 0x13, 0xc42007f708, 0x1, 0x1, 0xac2700, 0xc42007f6e8, 0x4da706)
	/usr/lib/golang/src/reflect/value.go:302 +0xa4
github.com/urfave/cli.HandleAction(0x6ddc20, 0x769b48, 0xc420082a00, 0x0, 0x0)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x1e0
github.com/urfave/cli.Command.Run(0x73c215, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74d852, 0x51, 0x0, ...)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xc3b
github.com/urfave/cli.(*App).Run(0xc4200b0000, 0xc42000c120, 0x2, 0x2, 0x0, 0x0)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0x611
main.main()
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/main.go:137 +0xbd6
```

---

All OCP s2i builds are failing due to this (3.4.0.37).

---

*** Bug 1405476 has been marked as a duplicate of this bug. ***

---

I cannot reproduce this on docker-1.12.5-4.el7. s2i builds in OCP run successfully

---

*** Bug 1406319 has been marked as a duplicate of this bug. ***

---

In docker-1.12.5-9.el7.x86_64

```
# docker run -it --rm --privileged centos /bin/bash
Unable to find image 'centos:latest' locally
Trying to pull repository registry.access.redhat.com/centos ...
Trying to pull repository docker.io/library/centos ...
latest: Pulling from docker.io/library/centos
45a2e645736c: Pull complete
Digest: sha256:c577af3197aacedf79c5a204cd7f493c8e07ffbce7f88f7600bf19c688c38799
[root@e76e9c812dff /]#
```

Move to verified.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html
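The two policy checks used in the thread above (`semodule -lfull` for the module state in comment #3, and `sesearch -T` for the runtime-to-spc_t transition requested in comment #6) are easy to read by eye but awkward to script. The following is an added example, not code from the bug report or from container-selinux: two small parsers that read the output of those commands from stdin, plus a wrapper that runs the real commands when they exist on the host and otherwise falls back to constructed samples (the `semodule -lfull` sample is constructed; the `sesearch` sample is the output shown in comment #7).

```shell
#!/bin/sh
# Added example, not part of the bug report: parse the output of the two policy
# checks used in the thread (semodule -lfull and sesearch -T) so the result can
# be tested in a script. Both functions read command output on stdin.

# Constructed sample of "semodule -lfull" output: priority, module, format, state.
SAMPLE_SEMODULE='100 container    pp
100 docker       pp disabled
100 dbus         pp'

# Sample of "sesearch -T -s container_runtime_t -c process -t unlabeled_t"
# as shown in comment #7 (setools 3 output format).
SAMPLE_SESEARCH='Found 1 semantic te rules:
   type_transition container_runtime_t unlabeled_t : process spc_t;'

# module_state NAME: print "enabled", "disabled", or "missing" for policy module NAME.
module_state() {
    awk -v name="$1" '
        $2 == name {
            state = ($4 == "disabled") ? "disabled" : "enabled"
            print state
            found = 1
            exit
        }
        END { if (!found) print "missing" }'
}

# transition_target SRC TGT CLASS: print the domain a SRC process transitions to
# when it executes a CLASS object labelled TGT, or nothing if no rule exists.
transition_target() {
    awk -v src="$1" -v tgt="$2" -v cls="$3" '
        $1 == "type_transition" && $2 == src && $3 == tgt && $5 == cls {
            sub(/;$/, "", $6)
            print $6
            exit
        }'
}

# check_policy: run the real commands when present (a host with policycoreutils
# and setools installed), otherwise fall back to the samples above.
check_policy() {
    if command -v semodule >/dev/null 2>&1 && command -v sesearch >/dev/null 2>&1; then
        semodule_out=$(semodule -lfull 2>/dev/null)
        sesearch_out=$(sesearch -T -s container_runtime_t -c process -t unlabeled_t 2>/dev/null)
    else
        semodule_out=$SAMPLE_SEMODULE
        sesearch_out=$SAMPLE_SESEARCH
    fi
    printf 'docker module:    %s\n' "$(printf '%s\n' "$semodule_out" | module_state docker)"
    printf 'container module: %s\n' "$(printf '%s\n' "$semodule_out" | module_state container)"
    printf 'container_runtime_t executing unlabeled_t -> %s\n' \
        "$(printf '%s\n' "$sesearch_out" | transition_target container_runtime_t unlabeled_t process)"
}

check_policy
```

Note that the thread shows the transition rule being present while the run still failed: a type_transition only says which domain the new process lands in (spc_t here), and the AVC in the description is a separate `entrypoint` check on the target file. The companion query for that rule is `sesearch -A -s spc_t -t unlabeled_t -c file -p entrypoint`; if it prints nothing, the transition alone cannot make `docker run --privileged` succeed.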
Description of problem:
Install latest docker and try docker run with parameter "--privileged", it failed. Can succeed without parameter "--privileged".

Version-Release number of selected component (if applicable):
docker-common-1.12.4-3.el7.x86_64
docker-rhel-push-plugin-1.12.4-3.el7.x86_64
docker-client-1.12.4-3.el7.x86_64
docker-1.12.4-3.el7.x86_64
container-selinux-1.12.4-3.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install docker
   [root@host ~]# yum install docker -y
2. Start docker.service
   [root@host ~]# systemctl start docker
3. Do docker run
   [root@host ~]# docker run -it --rm --privileged centos /bin/bash
   ...

Actual results:
Command failed

```
[root@host ~]# docker run -it --rm --privileged centos /bin/bash
Unable to find image 'centos:latest' locally
Trying to pull repository registry.access.redhat.com/centos ...
Trying to pull repository docker.io/library/centos ...
sha256:c577af3197aacedf79c5a204cd7f493c8e07ffbce7f88f7600bf19c688c38799: Pulling from docker.io/library/centos
45a2e645736c: Pull complete
Digest: sha256:c577af3197aacedf79c5a204cd7f493c8e07ffbce7f88f7600bf19c688c38799
Status: Downloaded newer image for docker.io/centos:latest
panic: standard_init_linux.go:175: exec user process caused "permission denied" [recovered]
	panic: standard_init_linux.go:175: exec user process caused "permission denied"

goroutine 1 [running, locked to thread]:
panic(0x6f2ea0, 0xc42014ae00)
	/usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/urfave/cli.HandleAction.func1(0xc420091748)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x247
panic(0x6f2ea0, 0xc42014ae00)
	/usr/lib/golang/src/runtime/panic.go:458 +0x243
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc420091198, 0xc42001e018, 0xc420091238)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x18f
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc42004e230, 0xaac9c0, 0xc42014ae00)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x353
main.glob..func8(0xc420094a00, 0x0, 0x0)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/main_unix.go:26 +0x66
reflect.Value.call(0x6ddc20, 0x769b48, 0x13, 0x73c049, 0x4, 0xc420091708, 0x1, 0x1, 0x4d1728, 0x731ea0, ...)
	/usr/lib/golang/src/reflect/value.go:434 +0x5c8
reflect.Value.Call(0x6ddc20, 0x769b48, 0x13, 0xc420091708, 0x1, 0x1, 0xac2700, 0xc4200916e8, 0x4da706)
	/usr/lib/golang/src/reflect/value.go:302 +0xa4
github.com/urfave/cli.HandleAction(0x6ddc20, 0x769b48, 0xc420094a00, 0x0, 0x0)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x1e0
github.com/urfave/cli.Command.Run(0x73c215, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74d852, 0x51, 0x0, ...)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xc3b
github.com/urfave/cli.(*App).Run(0xc4200b6000, 0xc420064060, 0x2, 0x2, 0x0, 0x0)
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0x611
main.main()
	/builddir/build/BUILD/docker-1b5971af3003488d3fd8add80de5125ee1e096ee/runc-b8dbc3b8e8d868723aec2fd5082e6547ec66cf58/main.go:137 +0xbd6

[root@host ~]# ausearch -m avc -ts recent
----
time->Fri Dec 16 02:16:17 2016
type=SYSCALL msg=audit(1481872577.148:10086): arch=c000003e syscall=59 success=no exit=-13 a0=c42014c1a0 a1=c4201186c0 a2=c4200dd450 a3=0 items=0 ppid=23848 pid=23863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/libexec/docker/docker-runc-current" subj=system_u:system_r:container_runtime_t:s0 key=(null)
type=AVC msg=audit(1481872577.148:10086): avc: denied { entrypoint } for pid=23863 comm="exe" path="/usr/bin/openshift" dev="dm-4" ino=8488478 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Fri Dec 16 02:16:32 2016
type=SYSCALL msg=audit(1481872592.385:10109): arch=c000003e syscall=59 success=no exit=-13 a0=c42014c1a0 a1=c42011a6c0 a2=c4200dd450 a3=0 items=0 ppid=23955 pid=23970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/libexec/docker/docker-runc-current" subj=system_u:system_r:container_runtime_t:s0 key=(null)
type=AVC msg=audit(1481872592.385:10109): avc: denied { entrypoint } for pid=23970 comm="exe" path="/usr/bin/openshift" dev="dm-4" ino=8488478 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Fri Dec 16 02:18:04 2016
type=SYSCALL msg=audit(1481872684.212:10190): arch=c000003e syscall=59 success=no exit=-13 a0=c4200e14a0 a1=c4200e14b0 a2=c42011a510 a3=0 items=0 ppid=24080 pid=24094 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="exe" exe="/usr/libexec/docker/docker-runc-current" subj=system_u:system_r:container_runtime_t:s0 key=(null)
type=AVC msg=audit(1481872684.212:10190): avc: denied { entrypoint } for pid=24094 comm="exe" path="/usr/bin/bash" dev="dm-4" ino=16798231 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

[root@host ~]# ps -eZ | grep docker
system_u:system_r:container_runtime_t:s0 12281 ?        00:00:45 dockerd-current
system_u:system_r:container_runtime_t:s0 12285 ?        00:00:01 docker-containe
```

Expected results:
Command succeeds

Additional info:
If docker is upgraded from 1.10 to 1.12 there is no such issue; only a fresh install reproduces it.
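The `ausearch -m avc` records above carry the whole diagnosis in a few fields: the runtime (`container_runtime_t`) has already transitioned the container process into `spc_t`, and what is denied is the `entrypoint` permission on a file whose label is `unlabeled_t`, i.e. the image layer was never labelled at all. The following is an added example, not code from the bug report: a small POSIX shell/awk filter that reduces each AVC record to one line (permission, source type, target type, class, path) and counts how many denials target unlabeled files. The sample input is constructed from the records quoted in the description, with one SYSCALL line kept to show that it is ignored.

```shell
#!/bin/sh
# Added example, not part of the bug report: turn "ausearch -m avc" records into
# one line per denial so the source domain, target type and object can be read
# off quickly. SAMPLE_AUDIT is constructed from the records in the description.

SAMPLE_AUDIT='----
time->Fri Dec 16 02:16:17 2016
type=SYSCALL msg=audit(1481872577.148:10086): arch=c000003e syscall=59 success=no exit=-13 a0=c42014c1a0 a1=c4201186c0 a2=c4200dd450 a3=0 items=0 ppid=23848 pid=23863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/libexec/docker/docker-runc-current" subj=system_u:system_r:container_runtime_t:s0 key=(null)
type=AVC msg=audit(1481872577.148:10086): avc: denied { entrypoint } for pid=23863 comm="exe" path="/usr/bin/openshift" dev="dm-4" ino=8488478 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Fri Dec 16 02:18:04 2016
type=AVC msg=audit(1481872684.212:10190): avc: denied { entrypoint } for pid=24094 comm="exe" path="/usr/bin/bash" dev="dm-4" ino=16798231 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'

# avc_summary: read audit records on stdin and print, per AVC denial,
# "<perms> <source type> <target type> <class> <path>" (perms comma-joined,
# "-" when the record carries no path=).
avc_summary() {
    awk '
        # type field of a user:role:type:level context
        function type_of(ctx,   parts) { split(ctx, parts, ":"); return parts[3] }

        /^type=AVC / && / denied / {
            perms = "?"; src = "?"; tgt = "?"; cls = "?"; path = "-"
            # permission set sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/)) {
                perms = substr($0, RSTART + 2, RLENGTH - 4)
                gsub(/ /, ",", perms)
            }
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "scontext") src = type_of(kv[2])
                else if (kv[1] == "tcontext") tgt = type_of(kv[2])
                else if (kv[1] == "tclass") cls = kv[2]
                else if (kv[1] == "path") { path = kv[2]; gsub(/"/, "", path) }
            }
            print perms, src, tgt, cls, path
        }'
}

# count_unlabeled: number of denials whose target type is unlabeled_t. A non-zero
# count means the denied objects carry no SELinux label at all (the layer was
# never labelled), which is a different problem from a missing allow rule
# between two labelled types and is not fixed by adding such a rule.
count_unlabeled() {
    avc_summary | awk '$3 == "unlabeled_t" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; on a host, pipe "ausearch -m avc -ts recent" in instead.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf 'denials on unlabeled_t files: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | count_unlabeled)"
```

On the sample this prints `entrypoint spc_t unlabeled_t file /usr/bin/openshift` and `entrypoint spc_t unlabeled_t file /usr/bin/bash`, which is exactly the pattern the thread resolved with a container-selinux update rather than with a local policy module.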