Bug 1121345 - kernel 3.15 breaks docker
Summary: kernel 3.15 breaks docker
Status: CLOSED DUPLICATE of bug 1119849
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2014-07-19 14:34 UTC by Lars Kellogg-Stedman
Modified: 2014-07-22 18:49 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-07-22 18:49:56 UTC

Attachments (Terms of Use)

Description Lars Kellogg-Stedman 2014-07-19 14:34:02 UTC
After upgrading to kernel 3.15 (kernel-3.15.5-200.fc20.x86_64), many operations inside of docker containers now fail reliably.  For example:

    $ docker run -ti fedora /bin/bash
    bash-4.2# su -c 'uptime'
    su: System error
    bash-4.2# runuser -c uptime
    runuser: System error

If I attach something to /dev/log in the container, I see that "su" is logging the following message:

    Jul 19 14:31:18 su: PAM audit_log_acct_message() failed: Operation not permitted

If I reboot back into kernel 3.14 (kernel-3.14.9-200.fc20.x86_64), this problem goes away.

Comment 1 Lars Kellogg-Stedman 2014-07-22 02:42:49 UTC
This behavior appears to have been introduced by kernel commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb (https://github.com/torvalds/linux/commits/33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb).

From v3.15, running 'git revert 33faba7' and dealing with the result conflicts results in a build that operates correctly.  I haven't actually taken a close look at the code does or why it actually fails.

Comment 2 Lars Kellogg-Stedman 2014-07-22 14:26:33 UTC
Specifically, this check is failing in kernel/audit.c, in audit_netlink_ok():

    if (!netlink_capable(skb, CAP_AUDIT_WRITE))
        err = -EPERM;

Comment 3 Lars Kellogg-Stedman 2014-07-22 18:00:31 UTC
I should clarify that this manifests using Docker package docker-io-0:1.0.0-6.fc20.x86_64 (as well as docker-io-1.0.0-7.fc22.x86_64).

Comment 4 Lars Kellogg-Stedman 2014-07-22 18:49:56 UTC

*** This bug has been marked as a duplicate of bug 1119849 ***

Note You need to log in before you can comment on or make changes to this bug.