Bug 1420591
| Summary: | ocp installation failed when using docker 1.12.6-2 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Wenkai Shi <weshi> |
| Component: | container-selinux | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Jenner <mjenner> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.3 | CC: | ajia, amurdaca, aos-bugs, ghuang, gpei, jeder, jokerman, lfriedma, lslebodn, lsm5, lsu, miabbott, michael.voegele, mifiedle, mmccomas, ndehadra, skuznets, wabouham, weshi, wmeng, xtian |
| Target Milestone: | rc | Keywords: | Extras, TestBlocker |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | aos-scalability-35 | | |
| Fixed In Version: | container-selinux-2:2.9-3 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-03-02 19:11:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I think the root cause may relate to container-selinux-2.7-1.el7.noarch; check the console output listed below:

```
[root@test ~]# yum install docker -y
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel73                                                    | 4.1 kB  00:00:00
rhel73-extra                                              | 3.0 kB  00:00:00
(1/3): rhel73-extra/primary_db                            |  39 kB  00:00:01
(2/3): rhel73/group_gz                                    | 136 kB  00:00:02
(3/3): rhel73/primary_db                                  | 3.9 MB  00:00:10
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.12.6-2.el7 will be installed
--> Processing Dependency: docker-client = 2:1.12.6-2.el7 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: docker-common = 2:1.12.6-2.el7 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: docker-rhel-push-plugin = 2:1.12.6-2.el7 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: container-selinux >= 2:2.7-1 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: oci-register-machine >= 1:0-1.11 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: oci-systemd-hook >= 1:0.1.4-9 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: skopeo-containers for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: libseccomp.so.2()(64bit) for package: 2:docker-1.12.6-2.el7.x86_64
--> Running transaction check
---> Package container-selinux.noarch 2:2.7-1.el7 will be installed
---> Package docker-client.x86_64 2:1.12.6-2.el7 will be installed
---> Package docker-common.x86_64 2:1.12.6-2.el7 will be installed
---> Package docker-rhel-push-plugin.x86_64 2:1.12.6-2.el7 will be installed
---> Package libseccomp.x86_64 0:2.3.1-2.el7 will be installed
---> Package oci-register-machine.x86_64 1:0-1.11.gitdd0daef.el7 will be installed
---> Package oci-systemd-hook.x86_64 1:0.1.4-10.git0c91618.el7 will be installed
--> Processing Dependency: libyajl.so.2()(64bit) for package: 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64
---> Package skopeo-containers.x86_64 1:0.1.18-1.el7 will be installed
--> Running transaction check
---> Package yajl.x86_64 0:2.0.4-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch    Version                    Repository    Size
================================================================================
Installing:
 docker                   x86_64  2:1.12.6-2.el7             rhel73-extra  20 M
Installing for dependencies:
 container-selinux        noarch  2:2.7-1.el7                rhel73-extra  26 k
 docker-client            x86_64  2:1.12.6-2.el7             rhel73-extra 4.4 M
 docker-common            x86_64  2:1.12.6-2.el7             rhel73-extra  70 k
 docker-rhel-push-plugin  x86_64  2:1.12.6-2.el7             rhel73-extra 2.0 M
 libseccomp               x86_64  2.3.1-2.el7                rhel73        56 k
 oci-register-machine     x86_64  1:0-1.11.gitdd0daef.el7    rhel73-extra 1.0 M
 oci-systemd-hook         x86_64  1:0.1.4-10.git0c91618.el7  rhel73-extra  29 k
 skopeo-containers        x86_64  1:0.1.18-1.el7             rhel73-extra 7.6 k
 yajl                     x86_64  2.0.4-4.el7                rhel73        39 k

Transaction Summary
================================================================================
Install  1 Package (+9 Dependent packages)

Total download size: 28 M
Installed size: 110 M
Downloading packages:
(1/10): container-selinux-2.7-1.el7.noarch.rpm                |  26 kB  00:00:01
(2/10): docker-client-1.12.6-2.el7.x86_64.rpm                 | 4.4 MB  00:00:20
(3/10): docker-common-1.12.6-2.el7.x86_64.rpm                 |  70 kB  00:00:01
(4/10): libseccomp-2.3.1-2.el7.x86_64.rpm                     |  56 kB  00:00:01
(5/10): docker-rhel-push-plugin-1.12.6-2.el7.x86_64.rpm       | 2.0 MB  00:00:08
(6/10): oci-register-machine-0-1.11.gitdd0daef.el7.x86_64.rpm | 1.0 MB  00:00:05
(7/10): oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64.rpm   |  29 kB  00:00:01
(8/10): skopeo-containers-0.1.18-1.el7.x86_64.rpm             | 7.6 kB  00:00:01
(9/10): yajl-2.0.4-4.el7.x86_64.rpm                           |  39 kB  00:00:01
(10/10): docker-1.12.6-2.el7.x86_64.rpm                       |  20 MB  00:00:58
--------------------------------------------------------------------------------
Total                                                486 kB/s |  28 MB  00:00:58
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:docker-common-1.12.6-2.el7.x86_64                          1/10
  Installing : 2:docker-client-1.12.6-2.el7.x86_64                          2/10
  Installing : 2:container-selinux-2.7-1.el7.noarch                         3/10
Failed to resolve booleanif statement at /etc/selinux/targeted/tmp/modules/200/container/cil:1027
/usr/sbin/semodule:  Failed!
  Installing : libseccomp-2.3.1-2.el7.x86_64                                4/10
  Installing : yajl-2.0.4-4.el7.x86_64                                      5/10
  Installing : 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64            6/10
  Installing : 1:oci-register-machine-0-1.11.gitdd0daef.el7.x86_64          7/10
  Installing : 2:docker-rhel-push-plugin-1.12.6-2.el7.x86_64                8/10
  Installing : 1:skopeo-containers-0.1.18-1.el7.x86_64                      9/10
  Installing : 2:docker-1.12.6-2.el7.x86_64                                10/10
rhel73/productid                                          | 1.6 kB  00:00:00
  Verifying  : 1:skopeo-containers-0.1.18-1.el7.x86_64                      1/10
  Verifying  : 2:docker-1.12.6-2.el7.x86_64                                 2/10
  Verifying  : 2:docker-rhel-push-plugin-1.12.6-2.el7.x86_64                3/10
  Verifying  : 2:docker-common-1.12.6-2.el7.x86_64                          4/10
  Verifying  : 1:oci-register-machine-0-1.11.gitdd0daef.el7.x86_64          5/10
  Verifying  : yajl-2.0.4-4.el7.x86_64                                      6/10
  Verifying  : libseccomp-2.3.1-2.el7.x86_64                                7/10
  Verifying  : 2:docker-client-1.12.6-2.el7.x86_64                          8/10
  Verifying  : 2:container-selinux-2.7-1.el7.noarch                         9/10
  Verifying  : 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64           10/10

Installed:
  docker.x86_64 2:1.12.6-2.el7

Dependency Installed:
  container-selinux.noarch 2:2.7-1.el7
  docker-client.x86_64 2:1.12.6-2.el7
  docker-common.x86_64 2:1.12.6-2.el7
  docker-rhel-push-plugin.x86_64 2:1.12.6-2.el7
  libseccomp.x86_64 0:2.3.1-2.el7
  oci-register-machine.x86_64 1:0-1.11.gitdd0daef.el7
  oci-systemd-hook.x86_64 1:0.1.4-10.git0c91618.el7
  skopeo-containers.x86_64 1:0.1.18-1.el7
  yajl.x86_64 0:2.0.4-4.el7

Complete!
[root@test ~]# systemctl start docker
A dependency job for docker.service failed. See 'journalctl -xe' for details.
[root@test ~]# journalctl -xe
...
Feb 09 01:50:29 test.example.com yum[10391]: Installed: 2:docker-common-1.12.6-2.el7.x86_64
Feb 09 01:50:32 test.example.com yum[10391]: Installed: 2:docker-client-1.12.6-2.el7.x86_64
Feb 09 01:50:50 test.example.com dbus[603]: avc: received policyload notice (seqno=2)
Feb 09 01:50:50 test.example.com dbus-daemon[603]: dbus[603]: avc: received policyload notice (seqno=2)
Feb 09 01:50:50 test.example.com dbus[603]: [system] Reloaded configuration
Feb 09 01:50:50 test.example.com dbus-daemon[603]: dbus[603]: [system] Reloaded configuration
Feb 09 01:50:51 test.example.com setsebool[10417]: The virt_use_nfs policy boolean was changed to 1 by root
Feb 09 01:50:51 test.example.com setsebool[10417]: The virt_sandbox_use_all_caps policy boolean was changed to 1 by root
Feb 09 01:52:03 test.example.com kernel: SELinux: 2048 avtab hash slots, 103956 rules.
Feb 09 01:52:03 test.example.com kernel: SELinux: 2048 avtab hash slots, 103956 rules.
Feb 09 01:52:03 test.example.com kernel: SELinux: 8 users, 14 roles, 4956 types, 300 bools, 1 sens, 1024 cats
Feb 09 01:52:03 test.example.com kernel: SELinux: 91 classes, 103956 rules
Feb 09 01:52:04 test.example.com kernel: SELinux: Context unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context system_u:unconfined_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context system_u:system_r:docker_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context system_u:system_r:spc_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context system_u:system_r:docker_auth_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context system_u:system_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context system_u:system_r:gear_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context unconfined_u:system_r:docker_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context unconfined_u:system_r:spc_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context unconfined_u:system_r:docker_auth_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context unconfined_u:unconfined_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context unconfined_u:system_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context system_u:object_r:docker_config_t:s0 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context unconfined_u:object_r:docker_config_t:s0 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context unconfined_u:system_r:gear_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux: Context system_u:object_r:docker_exec_t:s0 became invalid (unmapped).
Feb 09 01:52:04 test.example.com dbus[603]: avc: received policyload notice (seqno=3)
Feb 09 01:52:05 test.example.com dbus-daemon[603]: dbus[603]: avc: received policyload notice (seqno=3)
Feb 09 01:52:05 test.example.com dbus-daemon[603]: dbus[603]: [system] Reloaded configuration
Feb 09 01:52:05 test.example.com dbus[603]: [system] Reloaded configuration
Feb 09 01:52:06 test.example.com yum[10391]: Installed: 2:container-selinux-2.7-1.el7.noarch
Feb 09 01:52:10 test.example.com yum[10391]: Installed: libseccomp-2.3.1-2.el7.x86_64
Feb 09 01:52:15 test.example.com yum[10391]: Installed: yajl-2.0.4-4.el7.x86_64
Feb 09 01:52:17 test.example.com yum[10391]: Installed: 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64
Feb 09 01:52:18 test.example.com yum[10391]: Installed: 1:oci-register-machine-0-1.11.gitdd0daef.el7.x86_64
Feb 09 01:52:19 test.example.com yum[10391]: Installed: 2:docker-rhel-push-plugin-1.12.6-2.el7.x86_64
Feb 09 01:52:21 test.example.com yum[10391]: Installed: 1:skopeo-containers-0.1.18-1.el7.x86_64
Feb 09 01:52:21 test.example.com useradd[10442]: new group: name=dockerroot, GID=993
Feb 09 01:52:21 test.example.com useradd[10442]: new user: name=dockerroot, UID=996, GID=993, home=/var/lib/docker, shell=/sbin/nologin
Feb 09 01:52:30 test.example.com systemd[1]: Reloading.
Feb 09 01:52:30 test.example.com systemd[1]: [/usr/lib/systemd/system/microcode.service:10] Trailing garbage, ignoring.
Feb 09 01:52:30 test.example.com systemd[1]: microcode.service lacks both ExecStart= and ExecStop= setting. Refusing.
Feb 09 01:52:30 test.example.com yum[10391]: Installed: 2:docker-1.12.6-2.el7.x86_64
Feb 09 01:52:48 test.example.com polkitd[618]: Registered Authentication Agent for unix-process:10464:116328 (system bus name :1.29 [/usr/bin/pkttyagent --notify-
Feb 09 01:52:48 test.example.com systemd[1]: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
Feb 09 01:52:48 test.example.com systemd[1]: Starting Docker Storage Setup...
-- Subject: Unit docker-storage-setup.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker-storage-setup.service has begun starting up.
Feb 09 01:52:48 test.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_var_run_t:s0 for /run/docker: Invalid argument
Feb 09 01:52:48 test.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_plugin_var_run_t:s0 for /run/docker/plugins/rhel-push
Feb 09 01:52:48 test.example.com systemd[1]: rhel-push-plugin.socket failed to listen on sockets: Invalid argument
Feb 09 01:52:48 test.example.com systemd[1]: Failed to listen on Docker Block RHEL push plugin Socket for the API.
-- Subject: Unit rhel-push-plugin.socket has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit rhel-push-plugin.socket has failed.
--
-- The result is failed.
Feb 09 01:52:48 test.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.service has failed.
--
-- The result is dependency.
Feb 09 01:52:48 test.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.
...
```

container-selinux failed to install. Looks like it is trying to use a boolean that does not exist in RHEL7.

Could someone run this command on a RHEL7 box to see what the issue is?

```
# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit
```

```
# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit
virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup
```

(In reply to Daniel Walsh from comment #6)
> container-selinux failed to install. Looks like it is trying to use a boolean
> that does not exist in RHEL7.
>
> Could someone run this command on a RHEL7 box to see what the issue is?
>
> # getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod
> virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup
> virt_sandbox_use_audit

```
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@localhost ~]# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup
virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup
```

(In reply to Alex Jia from comment #8)
> (In reply to Daniel Walsh from comment #6)
> > container-selinux failed to install. Looks like it is trying to use a boolean
> > that does not exist in RHEL7.

```
type=AVC msg=audit(1486695967.153:2424): avc:  denied  { transition } for  pid=18829 comm="exe" path="/usr/bin/openshift" dev="dm-3" ino=16798113 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c316,c911 tclass=process
```

Lokesh, I removed the boolean and updated the RHEL-1.12 branch. We need a new build of docker/container-selinux for rhel.

We are also seeing this in the early compose of RHELAH 7.3.3:
```
# atomic host status
State: idle
Deployments:
● custom:rhel-atomic-host/7/x86_64/standard
             Version: 7.3.3 (2017-02-08 22:07:07)
              Commit: ae15dd3fc917e6147f72e0e209cc0864faaf3df1efe1b0ac9d55c8ee5c6fb8d4
              OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
             Version: 7.3.2 (2017-01-13 22:00:41)
              Commit: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb
              OSName: rhel-atomic-host

# rpm -q docker container-selinux selinux-policy
docker-1.12.6-2.el7.x86_64
container-selinux-2.7-1.el7.noarch
selinux-policy-3.13.1-102.el7_3.13.noarch

# docker run --rm busybox echo 'hello'
panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
	panic: standard_init_linux.go:178: exec user process caused "permission denied"

goroutine 1 [running, locked to thread]:
panic(0x6f3000, 0xc42012f1f0)
	/usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/urfave/cli.HandleAction.func1(0xc42007f748)
	/builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x247
panic(0x6f3000, 0xc42012f1f0)
	/usr/lib/golang/src/runtime/panic.go:458 +0x243
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc42007f198, 0xc42001e090, 0xc42007f238)
	/builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x18f
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc42004e730, 0xaac9c0, 0xc42012f1f0)
	/builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x353
main.glob..func8(0xc420082780, 0x0, 0x0)
	/builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main_unix.go:26 +0x66
reflect.Value.call(0x6ddd80, 0x769ce8, 0x13, 0x73c1c9, 0x4, 0xc42007f708, 0x1, 0x1, 0x4d17a8, 0x732020, ...)
	/usr/lib/golang/src/reflect/value.go:434 +0x5c8
reflect.Value.Call(0x6ddd80, 0x769ce8, 0x13, 0xc42007f708, 0x1, 0x1, 0xac2700, 0xc42007f6e8, 0x4da786)
	/usr/lib/golang/src/reflect/value.go:302 +0xa4
github.com/urfave/cli.HandleAction(0x6ddd80, 0x769ce8, 0xc420082780, 0x0, 0x0)
	/builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x1e0
github.com/urfave/cli.Command.Run(0x73c395, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74d9d9, 0x51, 0x0, ...)
	/builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xc3b
github.com/urfave/cli.(*App).Run(0xc4200c6000, 0xc42000c120, 0x2, 0x2, 0x0, 0x0)
	/builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0x611
main.main()
	/builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main.go:137 +0xbd6

# journalctl --since "1 minutes ago" | grep denied
Feb 10 21:38:48 rhel-atomic-7.2-test kernel: type=1400 audit(1486762728.849:6): avc:  denied  { transition } for  pid=12507 comm="exe" path="/bin/echo" dev="dm-4" ino=6292481 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c62,c980 tclass=process
Feb 10 21:38:48 rhel-atomic-7.2-test dockerd-current[3866]: panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
Feb 10 21:38:48 rhel-atomic-7.2-test dockerd-current[3866]: panic: standard_init_linux.go:178: exec user process caused "permission denied"

# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit
virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup
```
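A pre-flight check for the failure mode in this bug, added here as an example (not code from the bug report, container-selinux or docker): it queries each boolean individually, since `getsebool` stops at the first unknown name and reports nothing after it, and it scans installer output for the `semodule` error that left docker's types unmapped. The function names and the `GETSEBOOL_OUTPUT` variable are my own; the sample inputs are copied from the outputs quoted in the comments above.

```shell
#!/bin/sh
# Added example, not code from the bug report or from container-selinux.
# Checks for the failure seen in this bug before a policy module is installed:
# a module that references a boolean the loaded base policy does not define
# makes semodule fail ("Failed to resolve booleanif statement") and leaves the
# module's types (docker_t, docker_var_run_t, ...) unmapped, so docker cannot
# start. Function names and GETSEBOOL_OUTPUT are my own invention.

# The booleans Dan Walsh asked to be queried in comment 6.
REQUIRED_BOOLS="virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit"

# Constructed offline input: the getsebool output quoted in the comments.
# getsebool aborts at the first unknown boolean, so virt_sandbox_use_audit,
# which came after container_manage_cgroup on the command line, is never shown.
SAMPLE_GETSEBOOL='virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup'

# Constructed offline input: the two lines yum printed while installing
# container-selinux-2.7-1 in the report.
SAMPLE_INSTALL_LOG='Failed to resolve booleanif statement at /etc/selinux/targeted/tmp/modules/200/container/cil:1027
/usr/sbin/semodule:  Failed!'

# query_bool NAME: print on, off or missing for one boolean. Querying one name
# per call sidesteps getsebool aborting at the first unknown name. When
# GETSEBOOL_OUTPUT is non-empty it is parsed instead of running getsebool.
query_bool() {
    if [ -n "${GETSEBOOL_OUTPUT:-}" ]; then
        line=$(printf '%s\n' "$GETSEBOOL_OUTPUT" | grep "^$1 --> " || true)
    else
        line=$(getsebool "$1" 2>/dev/null | grep "^$1 --> " || true)
    fi
    case "$line" in
        *'--> on')  echo on ;;
        *'--> off') echo off ;;
        *)          echo missing ;;
    esac
}

# missing_booleans NAME...: print, one per line, each boolean the loaded
# policy does not define. Run before installing a module that depends on them.
missing_booleans() {
    for b in "$@"; do
        if [ "$(query_bool "$b")" = missing ]; then
            printf '%s\n' "$b"
        fi
    done
    return 0
}

# semodule_failed: read installer output on stdin; succeed and print the
# offending CIL location when the booleanif error from this bug is present.
semodule_failed() {
    grep -o 'Failed to resolve booleanif statement at [^ ]*'
}

# Demo against the captured output from the report. Export GETSEBOOL_OUTPUT
# as an empty string to query the live policy instead.
GETSEBOOL_OUTPUT="${GETSEBOOL_OUTPUT-$SAMPLE_GETSEBOOL}"
echo "booleans the loaded policy does not define:"
missing_booleans $REQUIRED_BOOLS
printf '%s\n' "$SAMPLE_INSTALL_LOG" | semodule_failed
```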
To reinstall container-selinux-2.9-2.el7 and docker-1.12.6-3.el7 by yum in RHEL7.3, I still can see previous errors and it also doesn't work after running restorecon -R /usr/bin/docker*.

(In reply to Alex Jia from comment #13)
> To reinstall container-selinux-2.9-2.el7 and docker-1.12.6-3.el7 by yum in
> RHEL7.3, I still can see previous errors and it also doesn't work after
> running restorecon -R /usr/bin/docker*.

also update selinux-policy to selinux-policy-3.13.1-119.el7.noarch

The same issue is in docker-1.12.6-4.el7.x86_64 w/ selinux-policy-3.13.1-119.el7.noarch and container-selinux-2.9-2.el7.noarch.

It also doesn't work in docker-1.12.6-5.el7.

*** Bug 1422637 has been marked as a duplicate of this bug. ***

Lokesh found that he was able to work around this by using 'setenforce 0' to re-install selinux-policy:

```
# setenforce 0
# yum reinstall selinux-policy
# setenforce 1
# systemctl start docker
```

*** Bug 1423497 has been marked as a duplicate of this bug. ***

The docker-1.12.6-8.el7 w/ container-selinux-2:2.9-3 works well for me. Wenkai, please help double confirm this, thanks.

(In reply to Alex Jia from comment #25)
> The docker-1.12.6-8.el7 w/ container-selinux-2:2.9-3 works well for me.
> Wenkai, please help double confirm this, thanks.

Confirmed with version docker-1.12.6-8.el7.x86_64 and container-selinux-2.9-3.el7.noarch. It works. :)

Per comments 25 and 26, move to verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0416.html
Description of problem:
ocp installation failed when using docker 1.12.6-2. After the installation failed, running the "setenforce 0" command made the docker restart succeed; then running "setenforce 1" and restarting docker still succeeded.

Version-Release number of selected component (if applicable):
```
atomic-openshift-utils-3.5.5-1.git.0.3ae2138.el7
docker-client-1.12.6-2.el7.x86_64
docker-rhel-push-plugin-1.12.6-2.el7.x86_64
docker-1.12.6-2.el7.x86_64
docker-common-1.12.6-2.el7.x86_64
```

How reproducible:
100%

Steps to Reproduce:
1. Install OCP 3.5 with Docker 1.12.6-2

Actual results:
```
[root@ansible ~]# ansible-playbook -i hosts -v /usr/share/ansible/openshift-ansible/playbooks/byo/config
...
TASK [Enable and start the docker service] *************************************
Thursday 09 February 2017  01:19:51 +0000 (0:00:00.209)       0:02:16.098 *****
fatal: [master.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service docker: A dependency job for docker.service failed. See 'journalctl -xe' for details.\n"}
fatal: [node.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service docker: A dependency job for docker.service failed. See 'journalctl -xe' for details.\n"}
...
```

Expected results:
Install succeeds.

Additional info:
```
[root@master ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: http://docs.docker.com

Feb 08 20:54:42 master.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
Feb 08 20:54:42 master.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.

[root@master ~]# journalctl -xe -u docker
-- Logs begin at Wed 2017-02-08 20:51:18 EST, end at Wed 2017-02-08 21:24:42 EST. --
Feb 08 20:54:42 master.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.service has failed.
--
-- The result is dependency.
Feb 08 20:54:42 master.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.

[root@master ~]# systemctl restart docker
[root@master ~]# journalctl -xe -u docker
Feb 08 21:34:20 master.example.com polkitd[580]: Registered Authentication Agent for unix-process:11031:258227 (system bus name :1.29 [/usr/bin/pkttyagent --not
Feb 08 21:34:20 master.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_var_run_t:s0 for /run/docker: Invalid argument
Feb 08 21:34:20 master.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_plugin_var_run_t:s0 for /run/docker/plugins/rhel-
Feb 08 21:34:20 master.example.com systemd[1]: rhel-push-plugin.socket failed to listen on sockets: Invalid argument
Feb 08 21:34:20 master.example.com systemd[1]: Failed to listen on Docker Block RHEL push plugin Socket for the API.
-- Subject: Unit rhel-push-plugin.socket has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit rhel-push-plugin.socket has failed.
--
-- The result is failed.
Feb 08 21:34:20 master.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.service has failed.
--
-- The result is dependency.
Feb 08 21:34:20 master.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.
```