Bug 1441100

Summary: Docker-latest could not run systemd container without privilege or seccomp
Product: Red Hat Enterprise Linux 7
Reporter: Guohua Ouyang <gouyang>
Component: docker-latest
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 7.3
CC: bbreard, dwalsh, gscrivan, imcleod, lfriedma, lsu, qcai
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: docker-latest-1.13.1-6.gitb7732b0.el7_3
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1452751
Environment:
Last Closed: 2017-05-26 14:52:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1452751

Description Guohua Ouyang 2017-04-11 08:28:48 UTC
Description of problem:
Docker-latest could not run systemd container without privilege or seccomp

Version-Release number of selected component (if applicable):
docker-latest-1.13.1-4.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Build a httpd systemd container, use Dockerfile as below:
$ cat Dockerfile 
FROM rhel7

RUN yum -y update && yum clean all
RUN yum -y install httpd && yum clean all && \
systemctl enable httpd.service

EXPOSE 80

RUN echo "systemd httpd server" > /var/www/html/index.html

RUN systemctl mask systemd-remount-fs.service dev-hugepages.mount sys-fs-fuse-connections.mount systemd-logind.service getty.target console-getty.service 
RUN cp /usr/lib/systemd/system/dbus.service /etc/systemd/system/; sed -i 's/OOMScoreAdjust=-900//' /etc/systemd/system/dbus.service

VOLUME ["/run", "/tmp"]

ENV container=docker

CMD ["/usr/sbin/init"]


2. Running it with docker is OK.
$ sudo docker run -it --rm -p 80:80 -v /sys/fs/cgroup:/sys/fs/cgroup gouyang/httpd
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux Server 7.3 (Maipo)!

3. Running it with docker-latest fails.
$ sudo docker-latest run -it --rm -p 80:80 -v /sys/fs/cgroup:/sys/fs/cgroup gouyang/httpd
[!!!!!!] Failed to mount API filesystems, freezing.

4. Running it with docker-latest and --privileged is OK.
$ sudo docker-latest run -it --rm --privileged -p 80:80 -v /sys/fs/cgroup:/sys/fs/cgroup gouyang/httpd
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux Server 7.3 (Maipo)!

5. Running it with docker-latest and seccomp unconfined is OK.
$ sudo docker-latest run -it --rm --security-opt seccomp:unconfined -p 80:80 -v /sys/fs/cgroup:/sys/fs/cgroup gouyang/httpd
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux Server 7.3 (Maipo)!

Actual results:
Step 3 failed

Expected results:
The behaviour of docker-latest and docker should be consistent.


Additional info:
Reference github issue https://github.com/docker/docker/issues/25290

Comment 2 Qian Cai 2017-04-11 13:51:04 UTC
I believe this is because docker 1.13 blocks more syscalls than docker 1.12 via seccomp policy.

Comment 3 Qian Cai 2017-04-11 13:53:20 UTC
As a workaround mentioned above, it needs --security-opt seccomp:unconfined to disable seccomp to get systemd container working with docker-latest here.

Comment 4 Qian Cai 2017-04-11 14:51:11 UTC
docker 1.13 starts to block "name_to_handle_at" syscall by default.

Once added that syscall to the seccomp allow-list, everything is working fine.

Comment 5 Giuseppe Scrivano 2017-04-11 15:36:19 UTC
I confirm that.  I needed to add name_to_handle_at to get systemd working in a container.

Comment 11 Laurie Friedman 2017-04-12 16:20:58 UTC
Blocker for 7.3.5.

Comment 13 Daniel Walsh 2017-04-12 17:16:58 UTC
Antonio, can you get a fix for this in rhel7.3.5?

Comment 15 Antonio Murdaca 2017-04-27 12:11:35 UTC
Alright, let's get this fixed. Fedora docker-latest already ships `/etc/docker-latest/seccomp.json`:

 # install %%{repo} config directory
 install -dp %{buildroot}%{_sysconfdir}/%{name}
 # install default seccomp profile
 install -p -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/%{name}/seccomp.json

Lokesh, we need the same for RH docker-latest dist-git and also modify the systemd unit to have: 

           --seccomp-profile=/etc/docker-latest/seccomp.json \
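
The two pieces of the fix discussed in comment 4 (name_to_handle_at must be on the seccomp allow-list) and comment 15 (ship a dedicated seccomp.json and point --seccomp-profile at it) can be checked and applied mechanically. The following is an added example, not code from this bug or from the docker-latest package: it audits a profile in the Docker 1.13 seccomp.json layout for the syscall systemd needs and produces a patched copy. The profile embedded below is a constructed minimal sample, not the real default profile.

```python
import json
from copy import deepcopy

# Constructed minimal profile in the Docker 1.13 seccomp.json layout. The real
# default profile allows several hundred syscalls; this one is just for the demo.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["read", "write", "openat", "close"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["clone", "execve", "exit_group"], "action": "SCMP_ACT_ALLOW", "args": []}
  ]
}
""")

def _names(rule):
    """Docker 1.13 profiles list syscalls under "names"; older ones used a singular "name"."""
    return rule.get("names") or ([rule["name"]] if "name" in rule else [])

def syscall_action(profile, syscall):
    """Action the profile applies to a syscall, falling back to defaultAction."""
    for rule in profile.get("syscalls", []):
        if syscall in _names(rule):
            return rule["action"]
    return profile["defaultAction"]

def missing_for_systemd(profile, required=("name_to_handle_at",)):
    """Syscalls from `required` that the profile does not explicitly allow."""
    return [s for s in required if syscall_action(profile, s) != "SCMP_ACT_ALLOW"]

def allow_syscalls(profile, syscalls):
    """Copy of the profile with one extra SCMP_ACT_ALLOW rule for the missing syscalls."""
    patched = deepcopy(profile)
    todo = [s for s in syscalls if syscall_action(patched, s) != "SCMP_ACT_ALLOW"]
    if todo:  # leave the profile untouched when nothing needs adding
        patched.setdefault("syscalls", []).append(
            {"names": todo, "action": "SCMP_ACT_ALLOW", "args": []})
    return patched

if __name__ == "__main__":
    print("not allowed:", missing_for_systemd(SAMPLE_PROFILE))
    fixed = allow_syscalls(SAMPLE_PROFILE, ["name_to_handle_at"])
    # Write this out as /etc/docker-latest/seccomp.json and pass it via --seccomp-profile
    print(json.dumps(fixed, indent=2))
```

Widening a dedicated profile this way keeps the rest of the default filter in place, which is the point of comment 15's approach over the seccomp:unconfined workaround from comment 3.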

Comment 17 Luwen Su 2017-05-16 09:46:13 UTC
`--seccomp-profile=/etc/docker-latest/seccomp.json` has been added in docker-latest-1.13.1-10.git475c5d2.el7.x86_64, moving to verified.

Comment 19 errata-xmlrpc 2017-05-26 14:52:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1330