Bug 1094664 - docker-io-0.10.0-2 disables access to /dev/shm
Summary: docker-io-0.10.0-2 disables access to /dev/shm
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 20
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-05-06 09:21 UTC by Jan Pazdziora
Modified: 2014-07-01 23:00 UTC (History)

Fixed In Version: docker-io-0.11.1-1.fc20.x86_64
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-24 19:37:55 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora 2014-05-06 09:21:01 UTC
Description of problem:

While testing FreeIPA server and the 389 server in a Docker container, I started to see errors like "Failed to create semaphore for stats file/Permission denied" with docker-io from updates-testing. Upon closer look, /dev/shm seems to be mounted with 1755, which is different from what docker-io 0.9.1 does and what you get on bare metal.

Version-Release number of selected component (if applicable):

docker-io-0.10.0-2.fc20.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. docker run -ti fedora:20 /bin/bash
2. In the container shell, run
   mount | grep /dev/shm
   ls -la /dev/shm
   exit
3. Downgrade to docker-io-0.9.1 and repeat.

Actual results:

# docker run -ti fedora:20 /bin/bash
bash-4.2# mount | grep /dev/shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k,mode=1755)
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  6 08:06 .
drwxr-xr-x. 4 root root 4096 May  6 08:06 ..
bash-4.2# exit
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64

# yum downgrade docker-io -y
[...]

# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# docker run -ti fedora:20 /bin/bash
bash-4.2# mount | grep /dev/shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k)
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  6 09:16 .
drwxr-xr-x. 4 root root 4096 May  6 09:16 ..
bash-4.2# exit
exit
#

Expected results:

Permissions on /dev/shm the same as on docker-io-0.9.1.

Additional info:

Comment 1 Daniel Walsh 2014-05-06 19:20:18 UTC
Is this an SELinux issue?

Could you attach the avc messages?

ausearch -m avc -ts recent -i

Comment 2 Jan Pazdziora 2014-05-06 19:30:59 UTC
SELinux is disabled in the container (as reported by getenforce).

Command

ausearch -m avc -ts recent -i

when run on the host says

<no matches>

Comment 3 Daniel Walsh 2014-05-06 19:47:20 UTC
SELinux is lying inside of the container.

Put the machine into permissive mode and see if you can write to /dev/shm.

ls -lZ /dev/shm from inside of the container.

Comment 4 Jan Pazdziora 2014-05-07 07:13:17 UTC
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# getenforce 
Permissive
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxrwxrwt. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0      ..
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  7 07:06 .
drwxr-xr-x. 4 root root 4096 May  7 07:06 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@c05cc1c52ec1 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@c05cc1c52ec1 ~]$ touch /dev/shm/b
[test@c05cc1c52ec1 ~]$ ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   80 May  7 07:06 .
drwxr-xr-x. 4 root root 4096 May  7 07:06 ..
-rw-r--r--. 1 root root    0 May  7 07:06 a
-rw-rw-r--. 1 test test    0 May  7 07:06 b
[test@c05cc1c52ec1 ~]$ logout
bash-4.2# exit
#

Back on the host:

# ausearch -m avc -ts recent -i
<no matches>

Now upgraded to:

# rpm -q docker-io
docker-io-0.10.0-2.fc20.x86_64

Restarted docker service and did:

# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxr-xr-t. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0      ..
bash-4.2# ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   40 May  7 07:10 .
drwxr-xr-x. 4 root root 4096 May  7 07:10 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@e13c9240f149 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@e13c9240f149 ~]$ touch /dev/shm/b
touch: cannot touch ‘/dev/shm/b’: Permission denied
[test@e13c9240f149 ~]$ ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   60 May  7 07:10 .
drwxr-xr-x. 4 root root 4096 May  7 07:10 ..
-rw-r--r--. 1 root root    0 May  7 07:10 a
[test@e13c9240f149 ~]$ logout
bash-4.2# exit
#

Back on the host:

# ausearch -m avc -ts recent -i
<no matches>
#

I don't think it's SELinux; the mode=1755 of the mountpoint seems to be an explicit indication that non-roots shouldn't be allowed to write to /dev/shm.

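The checks in "Steps to Reproduce" and in Comment 4 above boil down to reading the mode= option of the /dev/shm tmpfs mount and seeing whether a non-root user can create an entry. The following script is an added example, not part of the bug report or of the docker-io package: it parses mount(8) lines of the form quoted in the report into a verdict, with the two quoted lines embedded as constructed samples, and can also inspect the live mount table when run with --live inside a container. The function names (shm_mode, shm_verdict, check_live_shm) are the example's own; the assumption that an absent mode= option means the tmpfs default 1777 matches the docker-io-0.9.1 output in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a container's /dev/shm
# is mounted world-writable (1777, as with docker-io-0.9.1) or restricted
# (mode=1755, as with docker-io-0.10.0-2).

# Constructed sample lines, modelled on the two `mount | grep /dev/shm`
# outputs quoted in the report.
SHM_LINE_BROKEN='shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k,mode=1755)'
SHM_LINE_OK='shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k)'

# shm_mode LINE: print the mode= option of a mount(8) line. tmpfs defaults
# to 1777 when no mode= option is present (assumed, matches the 0.9.1 case).
shm_mode() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    mode=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^mode=//p')
    printf '%s\n' "${mode:-1777}"
}

# shm_verdict LINE: print "ok" when the "others" digit of the mode grants
# write and execute (non-root processes can create entries, as the
# `touch /dev/shm/b` test in Comment 4 does), otherwise "restricted".
shm_verdict() {
    mode=$(shm_mode "$1")
    others=$(printf '%s\n' "$mode" | sed 's/.*\(.\)$/\1/')
    if [ $(( others & 3 )) -eq 3 ]; then
        printf 'ok\n'
    else
        printf 'restricted\n'
    fi
}

# check_live_shm: inspect the current mount namespace (run inside the
# container). Returns 0 when /dev/shm is usable by non-root, 1 when it is
# restricted, 2 when no /dev/shm mount is visible.
check_live_shm() {
    line=$(mount 2>/dev/null | grep ' on /dev/shm ')
    if [ -z "$line" ]; then
        printf 'no /dev/shm mount found\n'
        return 2
    fi
    verdict=$(shm_verdict "$line")
    printf '/dev/shm mode=%s: %s\n' "$(shm_mode "$line")" "$verdict"
    [ "$verdict" = ok ]
}

# Stand-alone use: `sh shmcheck.sh --live` inside a container, or no
# argument to see the verdict for the two constructed sample lines.
if [ "${1:-}" = --live ]; then
    check_live_shm
else
    printf 'sample (0.10.0-2): mode=%s -> %s\n' \
        "$(shm_mode "$SHM_LINE_BROKEN")" "$(shm_verdict "$SHM_LINE_BROKEN")"
    printf 'sample (0.9.1):    mode=%s -> %s\n' \
        "$(shm_mode "$SHM_LINE_OK")" "$(shm_verdict "$SHM_LINE_OK")"
fi
```

The verdict only looks at the mount mode, which is what the report identifies as the cause; it deliberately does not consult SELinux, since Comment 4 shows the failure reproduces with the host in permissive mode and no AVC denials logged.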
Comment 5 Daniel Walsh 2014-05-07 12:41:15 UTC
Ah ok. I will see about this.
# docker run --rm -t -i fedora sh
sh-4.2# ls -lZ /dev/shm -d
drwxrwxrwt. root root system_u:object_r:svirt_sandbox_file_t:s0:c319,c682 /dev/shm
sh-4.2# exit
sh-4.3# rpm -q docker-io
docker-io-0.10.0-4.fc21.x86_64

Seems like latest docker-io package has this fixed.

Comment 6 Daniel Walsh 2014-05-07 12:46:30 UTC
Lokesh, can you push a new version to f20?

Comment 7 Jan Pazdziora 2014-05-09 08:58:33 UTC
I confirm that docker-io-0.11.1-1.fc20.x86_64 fixes the problem and that I can install FreeIPA server in a Docker container with docker-io-0.11 just like I could with docker-io-0.9.

Comment 8 Lokesh Mandvekar 2014-06-24 19:37:55 UTC
Closing this since 1.0.0-1 is already in f20 stable and this bug was fixed in 0.11.1 as per Comment 7.