Bug 1461024

Summary:	Docker: SELinux relabeling issue for a local nfs volume
Product:	Red Hat Enterprise Linux 7	Reporter:	Suhaas Bhat <subhat>
Component:	docker	Assignee:	Antonio Murdaca <amurdaca>
Status:	CLOSED ERRATA	QA Contact:	atomic-bugs <atomic-bugs>
Severity:	low	Docs Contact:
Priority:	medium
Version:	7.3	CC:	amurdaca, byount, dwalsh, jrosenta, lsm5, lsu, pasik, rhowe, subhat
Target Milestone:	rc	Keywords:	Extras
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	docker-2:1.12.6-50.git0fdc778	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-09-05 10:35:14 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Suhaas Bhat 2017-06-13 11:50:50 UTC

Description of problem:

With the latest update of docker (rhel7 extra repo), we encounter a bug with nfs volumes (local driver).


Version-Release number of selected component (if applicable):
 docker-1.12.6-28.git1398f24.el7.x86_64
 

How reproducible:
Fully reproducable 

Steps to Reproduce:

1. docker volume create -d local --name xxx --opt type=nfs --opt o=addr=xxxx,rw,actimeo=0,sync --opt device=</path/to/dir> 

2. docker run --rm -ti -v xxx:xxx --name <container name> <image name> /bin/bash 


Actual results:

/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/xxxx/_data is not allowed: "operation not supported".


Expected results:

Container should have been created with successful nfs mount.

Additional info:

There is a similar upstream issue which contains the workaround for the issue.
https://github.com/moby/moby/issues/31255

Workaround :

Run the 2nd command as 
docker run --rm -ti -v xxx:xxx:nocopy --name <container name> <image name> /bin/bash

Comment 2 Daniel Walsh 2017-06-13 21:54:12 UTC

Looks like we need 
https://github.com/opencontainers/selinux/pull/4

Back ported.

Comment 3 Daniel Walsh 2017-06-30 14:55:05 UTC

Antonio can we get this into RHEL7 Version?

Comment 6 Daniel Walsh 2017-07-13 12:39:05 UTC

Antonio any movement on getting this back ported?

Comment 9 Ryan Howe 2017-07-13 23:05:52 UTC

Thank you this make sense. The following fails: 
~~~
[root@ah-node ~]# mount.nfs 192.168.0.3:/share/docker /var/lib/docker/volumes  -o context="system_u:object_r:docker_var_lib_t:s0" 
[root@ah-node ~]# docker run -it --rm --name test  -v /mnt rhel7 
/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/1fbd1daf0e7dc772d45e6a68acd57161cd4232889a690025f7a93b2f213a0a37/_data is not allowed: "operation not supported".
See '/usr/bin/docker-current run --help'

OR

[root@ah-node ~]# umount /var/lib/docker/volumes
[root@ah-node ~]# mount.nfs 192.168.0.3:/share/docker /var/lib/docker/volumes  -onosharecache,context="system_u:object_r:svirt_sandbox_file_t:s0" 
[root@ah-node ~]# docker run -it --rm --name test  -v /mnt rhel7 
/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/b55bf8169de8bb08d87a9d857f238c51bd46af45ed7c6932f20d46f8bbf53a60/_data is not allowed: "operation not supported".
See '/usr/bin/docker-current run --help'.
~~~


To work around the issue a user should just avoid mounting a nfs share the /var/lib/docker/volumes. As well as use the mount invocation setting the context during mount of the nfs volume to be used. 


docker-1.12.6-32.git88a4867.el7.x86_64

~~~
[root@ah-node ~]# mkdir /var/lib/docker/nfsvolumes
[root@ah-node ~]# mount.nfs 192.168.0.3:/share/docker /var/lib/docker/nfsvolumes  -ocontext="system_u:object_r:svirt_sandbox_file_t:s0"
[root@ah-node ~]# mkdir /var/lib/docker/nfsvolumes/v1
[root@ah-node ~]# docker run -it --rm --name test -v /var/lib/docker/nfsvolumes/v1:/mnt:Z rhel7 touch /mnt/test 
~~~


I think you can also use `docker volume create` and pass the context option. I did not test this though .

Comment 10 Antonio Murdaca 2017-07-24 13:05:27 UTC

(In reply to Daniel Walsh from comment #2)
> Looks like we need 
> https://github.com/opencontainers/selinux/pull/4
> 
> Back ported.

Back ported.

Comment 11 Antonio Murdaca 2017-07-24 13:06:10 UTC

https://github.com/projectatomic/runc/commit/31a9f6e22729606814e9bcbcf9eeebc1887527cb

Comment 13 Luwen Su 2017-08-25 07:35:36 UTC

In docker-1.12.6-55.gitc4618fb.el7.x86_64, move to verified.

/dev/sdb is a virtual device.

# docker volume create -d local --name test --opt type=nfs --opt o=addr=xxxx,rw,actimeo=0,sync --opt device=/dev/sdb
test

# docker run --rm -ti -v /var/lib/docker/volumes/test:/root --name test rhel7 /bin/bash
bash-4.2# ls
bin   dev  home  lib64	     media  opt   root	sbin  sys  usr
boot  etc  lib	 lost+found  mnt    proc  run	srv   tmp  var
bash-4.2# cd root
bash-4.2# ls
_data  opts.json
bash-4.2# exit
exit

# getenforce 
Enforcing

Comment 15 errata-xmlrpc 2017-09-05 10:35:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2599