Description of problem:
While testing FreeIPA server and the 389 server in a Docker container, I started to see errors like Failed to create semaphore for stats file/Permission denied with docker-io from updates-testing. Upon closer look, /dev/shm seems to be mounted with 1755, which is different from what docker-io 0.9.1 does and what you get on bare metal.

Version-Release number of selected component (if applicable):
docker-io-0.10.0-2.fc20.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. docker run -ti fedora:20 /bin/bash
2. In the container shell, run
   mount | grep /dev/shm
   ls -la /dev/shm
   exit
3. Downgrade to docker-io-0.9.1 and repeat.

Actual results:
# docker run -ti fedora:20 /bin/bash
bash-4.2# mount | grep /dev/shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k,mode=1755)
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  6 08:06 .
drwxr-xr-x. 4 root root 4096 May  6 08:06 ..
bash-4.2# exit
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# yum downgrade docker-io -y
[...]
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# docker run -ti fedora:20 /bin/bash
bash-4.2# mount | grep /dev/shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k)
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  6 09:16 .
drwxr-xr-x. 4 root root 4096 May  6 09:16 ..
bash-4.2# exit
exit
#

Expected results:
Permissions on /dev/shm the same as on docker-io-0.9.1.

Additional info:
Is this an SELinux issue? Could you attach the AVC messages?

ausearch -m avc -ts recent -i
SELinux is disabled in the container (as reported by getenforce). The command ausearch -m avc -ts recent -i, when run on the host, says <no matches>.
SELinux is lying inside of the container. Put the machine into permissive mode and see if you can write to /dev/shm. ls -lZ /dev/shm from inside of the container.
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# getenforce
Permissive
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxrwxrwt. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0 ..
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  7 07:06 .
drwxr-xr-x. 4 root root 4096 May  7 07:06 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@c05cc1c52ec1 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@c05cc1c52ec1 ~]$ touch /dev/shm/b
[test@c05cc1c52ec1 ~]$ ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   80 May  7 07:06 .
drwxr-xr-x. 4 root root 4096 May  7 07:06 ..
-rw-r--r--. 1 root root    0 May  7 07:06 a
-rw-rw-r--. 1 test test    0 May  7 07:06 b
[test@c05cc1c52ec1 ~]$ logout
bash-4.2# exit
#

Back on the host:

# ausearch -m avc -ts recent -i
<no matches>

Now upgraded to:

# rpm -q docker-io
docker-io-0.10.0-2.fc20.x86_64

Restarted the docker service and did:

# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxr-xr-t. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0 ..
bash-4.2# ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   40 May  7 07:10 .
drwxr-xr-x. 4 root root 4096 May  7 07:10 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@e13c9240f149 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@e13c9240f149 ~]$ touch /dev/shm/b
touch: cannot touch ‘/dev/shm/b’: Permission denied
[test@e13c9240f149 ~]$ ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   60 May  7 07:10 .
drwxr-xr-x. 4 root root 4096 May  7 07:10 ..
-rw-r--r--. 1 root root    0 May  7 07:10 a
[test@e13c9240f149 ~]$ logout
bash-4.2# exit
#

Back on the host:

# ausearch -m avc -ts recent -i
<no matches>
#

I don't think it's SELinux; the mode=1755 of the mountpoint seems to be an explicit indication that non-roots shouldn't be allowed to write to /dev/shm.
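The following script is an added example for this report, not code from the reporter or from docker-io. It turns the manual check above (mount | grep /dev/shm, then touch as a non-root user) into a repeatable test: it extracts the mode= option of the /dev/shm mount, either from a mount(8) output line like the ones quoted in the report or from the /proc/self/mounts format, and checks that the mode has both the world-write bit and the sticky bit. That is what glibc's sem_open() and shm_open() need, since they create their backing files under /dev/shm, which is why 389-ds fails with "Permission denied" on a 1755 mount while root's touch still succeeds. The function names are this example's own, and the two sample mount lines are constructed from the output quoted in the report. When no mode= option is present, tmpfs uses 1777, which is the case for the docker-io 0.9.1 line.

```shell
#!/bin/bash
# Added example: does /dev/shm let non-root processes create files?
# Function names are this example's own; the two sample lines are constructed
# from the mount output quoted in the bug report.

SHM_LINE_0100='shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k,mode=1755)'
SHM_LINE_091='shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k)'

# shm_mount_opts LINE: print the comma-separated option list from either a
# mount(8) output line ("... type tmpfs (opts)") or a /proc/self/mounts line
# ("shm /dev/shm tmpfs opts 0 0").
shm_mount_opts() {
    local line=$1 opts
    case $line in
        *'('*')'*) opts=${line##*\(}; opts=${opts%%\)*} ;;
        *) set -- $line; opts=$4 ;;
    esac
    printf '%s\n' "$opts"
}

# shm_mode LINE: print the mode= option of the mount, or "default" when it
# is absent (tmpfs then uses 1777).
shm_mode() {
    local opts o mode=default
    opts=$(shm_mount_opts "$1")
    local IFS=,
    for o in $opts; do
        case $o in
            mode=*) mode=${o#mode=} ;;
        esac
    done
    printf '%s\n' "$mode"
}

# shm_mode_ok MODE: succeed when the octal MODE has both the world-write bit
# (0002 = 2) and the sticky bit (01000 = 512), i.e. it behaves like a proper
# /dev/shm. A leading 0 makes the shell parse the value as octal.
shm_mode_ok() {
    local mode=$1 bits
    [ "$mode" = default ] && mode=1777
    bits=$(( 0$mode ))
    [ $(( bits & 2 )) -ne 0 ] && [ $(( bits & 512 )) -ne 0 ]
}

# check_live_shm: apply the check to the /dev/shm of the current mount
# namespace (run it inside the container). Returns 1 for the bad mode.
check_live_shm() {
    local line mode
    line=$(grep ' /dev/shm ' /proc/self/mounts | tail -n 1)
    if [ -z "$line" ]; then
        echo "/dev/shm is not mounted in this mount namespace"
        return 2
    fi
    mode=$(shm_mode "$line")
    if shm_mode_ok "$mode"; then
        echo "/dev/shm mode=$mode: non-root can create files, sem_open() will work"
    else
        echo "/dev/shm mode=$mode: non-root cannot create files (the symptom in this report)"
        return 1
    fi
}

# Walk the two recorded mount lines, then the live mount of this process.
for l in "$SHM_LINE_0100" "$SHM_LINE_091"; do
    m=$(shm_mode "$l")
    if shm_mode_ok "$m"; then echo "mode=$m ok"; else echo "mode=$m BAD"; fi
done
check_live_shm || live_status=$?
```

Run it inside the container (docker run -ti fedora:20 /bin/bash, then execute the script) rather than on the host: the mount namespace is what matters, and the host's own /dev/shm was never the problem here. A mode of 0777 is also rejected on purpose, because without the sticky bit any user can unlink another user's shared-memory segments.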
Ah ok. I will see about this.

# docker run --rm -t -i fedora sh
sh-4.2# ls -lZ /dev/shm -d
drwxrwxrwt. root root system_u:object_r:svirt_sandbox_file_t:s0:c319,c682 /dev/shm
sh-4.2# exit
sh-4.3# rpm -q docker-io
docker-io-0.10.0-4.fc21.x86_64

Seems like the latest docker-io package has this fixed.
Lokesh can you push a new version to f20?
I confirm that docker-io-0.11.1-1.fc20.x86_64 fixes the problem and that I can install FreeIPA server in a Docker container with docker-io-0.11 just like I could with docker-io-0.9.
Closing this since 1.0.0-1 is already in f20 stable and this bug was fixed in 0.11.1 as per Comment 7