Bug 1214394 - docker-io makes the host's /sys directory read only
Summary: docker-io makes the host's /sys directory read only
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: docker-io
Version: el6
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-04-22 15:46 UTC by Paul Webster
Modified: 2015-09-09 15:08 UTC

Fixed In Version:
Clone Of:
: 1262994
Environment:
Last Closed: 2015-07-15 21:23:12 UTC
Type: Bug
Embargoed:



Description Paul Webster 2015-04-22 15:46:56 UTC
Description of problem:

I installed docker-io on RHEL 6.6. If I create a regular container, I suddenly can no longer suspend my machine. I tracked it down to the /sys directory being mounted read-only on the host. Bug 1094198 says that it should be mounted read-only within the container if the container is run as non-privileged, but that should not affect the host.

Version-Release number of selected component (if applicable):
docker-io-1.4.1-3.el6.x86_64
RHEL 6.6
kernel-2.6.32-504.12.2.el6.x86_64


How reproducible: 100%


Steps to Reproduce:
Start a docker container:
bash$ docker run -ti fedora:latest /bin/bash

Outside of docker, run as root:
[root@wspwebster log]# echo 7 > /sys/module/cpufreq/parameters/debug
-bash: /sys/module/cpufreq/parameters/debug: Read-only file system


Actual results:

Fails to write to /sys anymore. This affects other commands, like pm-suspend (can't suspend my laptop anymore).

Expected results:

Should be able to write out to the /sys file system as root.


Additional info:
        Version: Intel(R) Core(TM) i7-3720QM CPU @ 2.60GHz
        Version: G5ET90WW (2.50 )
        Version: ThinkPad W530

Comment 1 Paul Webster 2015-04-24 12:04:36 UTC
I got an upgrade to docker-io-1.5.0-1.el6.x86_64 but it made no difference.

PW

Comment 2 Jason Al-Mansor 2015-05-18 14:26:36 UTC
According to the docker issue on github this is fixed in 1.6.2:

https://github.com/docker/docker/commit/7c8fca2ddb58c8d2c4fb4df31c242886df7dd257

Comment 3 Paul Webster 2015-05-25 14:39:36 UTC
So Bug 1094198 was Fedora including a docker change, or Fedora making a change?

PW

Comment 4 Daniel Walsh 2015-06-03 12:16:11 UTC
Fixed in docker-1.6.2 I guess.

Comment 5 David Six 2015-09-09 15:08:32 UTC
I am still seeing this behavior in docker-io-1.7.1-2.el6.x86_64 on RHEL 6.7

Steps to reproduce:
1. Install docker
2. Start a container without --privileged
3. /sys is now mounted RO

# docker info
Containers: 10
Images: 179
Storage Driver: devicemapper
 Pool Name: docker-253:0-27395432-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: extfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 8.951 GB
 Data Space Total: 107.4 GB
 Data Space Available: 98.42 GB
 Metadata Space Used: 10.13 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.137 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.95-RHEL6 (2015-07-29)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 2.6.32-573.3.1.el6.x86_64
Operating System: <unknown>
CPUs: 2
Total Memory: 1.808 GiB
Name: -
ID: IHHZ:XJ2C:4JQL:AN6P:I7KG:7Y3P:FIEC:P5NK:QKSA:PTKR:CDHR:RILN

# docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d/1.7.1
OS/Arch (server): linux/amd64
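
A host-side check for the condition reported in this bug, as an added example that is not part of the bug report or of docker-io: it reads a mounts table in /proc/mounts format and reports whether the sysfs mount on /sys carries the ro option. The function names (sys_mount_state, check_host) and the two sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether /sys is mounted read-only, from a mounts table
# in /proc/mounts format (device mountpoint fstype options dump pass).

# sys_mount_state [FILE] -> prints "ro", "rw", or "absent"
# FILE defaults to /proc/mounts. The last sysfs entry for /sys wins, because a
# later mount on the same mount point shadows earlier ones.
sys_mount_state() {
    awk '$2 == "/sys" && $3 == "sysfs" {
             state = "rw"
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "ro") state = "ro"
         }
         END { print (state == "" ? "absent" : state) }' "${1:-/proc/mounts}"
}

# Constructed sample tables (not taken from the bug report).
sample_healthy() {
    cat <<'EOF'
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/mapper/vg-root / ext4 rw,relatime 0 0
EOF
}
sample_affected() {
    cat <<'EOF'
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs ro,relatime 0 0
/dev/mapper/vg-root / ext4 rw,relatime 0 0
EOF
}

# check_host [FILE]: returns 0 if /sys is writable, 1 if read-only,
# 2 if no sysfs mount on /sys was found.
check_host() {
    case "$(sys_mount_state "$@")" in
        rw) return 0 ;;
        ro) echo "WARNING: /sys is mounted read-only" >&2; return 1 ;;
        *)  echo "WARNING: no sysfs mount on /sys" >&2; return 2 ;;
    esac
}
```

Source the file and call check_host with no argument on the Docker host, once before and once after starting a non-privileged container, to see whether the host mount changed.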

