Bug 1121345 - kernel 3.15 breaks docker
Status: CLOSED DUPLICATE of bug 1119849
Product: Fedora
Classification: Fedora
Component: kernel
Version: 20
Assigned To: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-07-19 10:34 EDT by Lars Kellogg-Stedman
Modified: 2014-07-22 14:49 EDT
Doc Type: Bug Fix
Last Closed: 2014-07-22 14:49:56 EDT
Type: Bug
Description Lars Kellogg-Stedman 2014-07-19 10:34:02 EDT
After upgrading to kernel 3.15 (kernel-3.15.5-200.fc20.x86_64), many operations inside of docker containers now fail reliably.  For example:

    $ docker run -ti fedora /bin/bash
    bash-4.2# su -c 'uptime'
    su: System error
    bash-4.2# runuser -c uptime
    runuser: System error

If I attach something to /dev/log in the container, I see that "su" is logging the following message:

    Jul 19 14:31:18 su: PAM audit_log_acct_message() failed: Operation not permitted

If I reboot back into kernel 3.14 (kernel-3.14.9-200.fc20.x86_64), this problem goes away.
Comment 1 Lars Kellogg-Stedman 2014-07-21 22:42:49 EDT
This behavior appears to have been introduced by kernel commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb (https://github.com/torvalds/linux/commits/33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb).

From v3.15, running 'git revert 33faba7' and dealing with the resulting conflicts results in a build that operates correctly.  I haven't actually taken a close look at what the code does or why it actually fails.
Comment 2 Lars Kellogg-Stedman 2014-07-22 10:26:33 EDT
Specifically, this check is failing in kernel/audit.c, in audit_netlink_ok():

    case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
        if (!netlink_capable(skb, CAP_AUDIT_WRITE))
            err = -EPERM;
        break;
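
Added example, not part of the original report or of the kernel source: a small C check for whether a process holds CAP_AUDIT_WRITE in its effective set, which the `netlink_capable()` test quoted above requires (a necessary condition for it to pass). The function names and the sample `/proc/<pid>/status` text are constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CAP_AUDIT_WRITE_BIT 29 /* CAP_AUDIT_WRITE in <linux/capability.h> */

/* Constructed sample of /proc/<pid>/status: bit 29 cleared in each set. */
static const char SAMPLE_DROPPED[] =
    "Name:\tsu\nCapInh:\t0000000000000000\nCapPrm:\t0000001fdfffffff\n"
    "CapEff:\t0000001fdfffffff\nCapBnd:\t0000001fdfffffff\n";

/* Parse the hex mask of "<field>:" at a line start; 0 on success, -1 if absent or empty. */
int parse_cap_field(const char *status, const char *field, uint64_t *out)
{
    size_t flen = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            const char *v = p + flen + 1;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1; /* empty value */
            *out = (uint64_t)strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* 1 = CAP_AUDIT_WRITE effective, 0 = missing (the check fails with -EPERM), -1 = unparsable. */
int audit_write_effective(const char *status)
{
    uint64_t eff;
    if (parse_cap_field(status, "CapEff", &eff) != 0) return -1;
    return (int)((eff >> CAP_AUDIT_WRITE_BIT) & 1);
}

int main(void)
{
    char buf[8192] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (!f || fread(buf, 1, sizeof buf - 1, f) == 0) return 2;
    fclose(f);
    int r = audit_write_effective(buf);
    printf("sample: %d, this process: %d\n", audit_write_effective(SAMPLE_DROPPED), r);
    return r == 1 ? 0 : 1;
}
```

Built and run inside a container, the exit status shows whether that process could pass the capability test at all: 0 means the bit is effective, 1 means it is missing.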
Comment 3 Lars Kellogg-Stedman 2014-07-22 14:00:31 EDT
I should clarify that this manifests using Docker package docker-io-0:1.0.0-6.fc20.x86_64 (as well as docker-io-1.0.0-7.fc22.x86_64).
Comment 4 Lars Kellogg-Stedman 2014-07-22 14:49:56 EDT

*** This bug has been marked as a duplicate of bug 1119849 ***
