Bug 1216151 - Docker fails mounting a volume as readonly on files located under /usr
Summary: Docker fails mounting a volume as readonly on files located under /usr
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2015-04-28 15:37 UTC by Yann Robert
Modified: 2015-07-21 16:29 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1221688 1230192 (view as bug list)
Last Closed: 2015-07-15 21:21:05 UTC
Type: Bug

Attachments (Terms of Use)

Description Yann Robert 2015-04-28 15:37:07 UTC
Description of problem:

Docker fails to run a container with a volume on files located under /usr (or on symbolic link to files located under /usr) if the ":ro" specification is used to mount it as readonly

Version-Release number of selected component (if applicable):

How reproducible: 100%

Steps to Reproduce:
1. install docker package docker-io-1.6.0-2.git3eac457.fc21.x86_64
2. restart the docker service
3. run the following command
docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello

Actual results:
get exit code 1
and message FATA[0000] Error response from daemon: Cannot start container 4bb87515e4eb828b295eb4718a7159c958a1154ed839b29fd213a597b91a200e: [8] System error: Relabeling content in /usr is not allowed.

Expected results:
get exit code 0
and message "hello"

Additional info:

please refer to initial bug report on docker repository at github

Comment 1 colin 2015-05-12 21:48:40 UTC
I see this also on F22

[root@kvm124 ~]# rpm -q docker

This no longer works

 docker run  -d --sig-proxy --name $CT_name --net=none \
  -v /etc/localtime:/etc/localtime:ro \

Editing out the :ro stops the Failure

 docker run  -d --sig-proxy --name $CT_name --net=none \
  -v /etc/localtime:/etc/localtime \

FATA[0000] Error response from daemon: Cannot start container 925387bd2b2988b1a10ff87e68e188f3a579e68d3d5fc1f31d40a648cd9cb6d2: [8] System error: Relabeling content in /usr is not allowed.

Comment 2 Yann Robert 2015-05-20 09:09:21 UTC
Hi, is there any news on this?

docker 1.6.0 on CentOS is working fine with:
# rpm -q docker

it still does not work on Fedora with:
$ rpm -q docker-io

Comment 3 Derek Carr 2015-05-27 00:47:55 UTC
I am working on moving the Vagrant environment for Kubernetes to Fedora 21.

Kubernetes runs the master services in pods that mount in /usr

To get around this problem, I have to disable selinux on the master server, but would like to avoid having to do that if possible.

Comment 4 Patryk Kubiak 2015-06-03 10:25:02 UTC
It does not work on CentOS 7 OS as well with docker 1.6.0 from EPEL repo:

$ rpm -qi docker
Name        : docker
Version     : 1.6.0
Release     : 11.0.1.el7.centos
Architecture: x86_64
Install Date: Wed 03 Jun 2015 11:15:06 AM CEST
Group       : Unspecified
Size        : 33835427
License     : ASL 2.0
Signature   : RSA/SHA256, Thu 14 May 2015 01:50:02 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : docker-1.6.0-11.0.1.el7.centos.src.rpm
Build Date  : Thu 14 May 2015 01:47:06 AM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.docker.com
Summary     : Automates deployment of containerized applications

$ docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
Unable to find image 'busybox:latest' locally
latest: Pulling from docker.io/busybox
cf2616975b4a: Pull complete 
6ce2e90b0bc7: Pull complete 
8c2e06607696: Already exists 
docker.io/busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:38a203e1986cf79639cfb9b2e1d6e773de84002feea2d4eb006b52004ee8502d
Status: Downloaded newer image for docker.io/busybox:latest
Timestamp: 2015-06-03 12:16:19.569470822 +0200 CEST
Code: System error

Message: Relabeling content in /usr is not allowed.

0: setupRootfs
Package: github.com/docker/libcontainer
File: rootfs_linux.go@34
1: Init
Package: github.com/docker/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@52
2: StartInitialization
Package: github.com/docker/libcontainer.(*LinuxFactory)
File: factory_linux.go@223
3: initializer
Package: github.com/docker/docker/daemon/execdriver/native
File: init.go@35
4: FATA[0004] Error response from daemon: Cannot start container a9e9dcf572b52fc40a8f6a802fe45e5e461e92a3d9c537cb8c5859e3bff9cc31: [8] System error: Relabeling content in /usr is not allowed. 

It requires to remove ":ro" flag in order to work properly.

Comment 5 Daniel Walsh 2015-06-03 12:14:11 UTC
Should be fixed in docker-1.6.2

Comment 6 Patryk Kubiak 2015-06-09 22:02:22 UTC
After upgrading to 1.6.2 from virt7-testing repo  (http://wiki.centos.org/Cloud/Docker) problem still seem to exists:

Trying to mount following volume is still not possible:
 -v /etc/localtime:/etc/localtime:ro

docker version: 

Client version: 1.6.2.el7
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): c3ca5bb/1.6.2
OS/Arch (client): linux/amd64
Server version: 1.6.2.el7
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): c3ca5bb/1.6.2
OS/Arch (server): linux/amd64

Running test container was stopped & removed. 
Then docker service was restarted via systemctl. 
A new container was started to verify the problem. 
Problem still exist with version 1.6.2

Comment 7 Daniel Walsh 2015-06-10 12:20:19 UTC
Lokesh I just fixed this issue in docker-1.6.2 repo.  Please rebuild for RHEL7 Fedora 21, 22.

Comment 8 Yann Robert 2015-07-21 10:58:18 UTC
The "Fedora 22 updates for x86_64" repository does not contain any 1.6.2 build.

# sudo dnf list docker --disableexcludes all
Last metadata expiration check performed 0:00:40 ago on Tue Jul 21 12:53:29 2015.
Installed Packages
docker.x86_64                                                                         1.6.0-3.git9d26a07.fc22                                                                          @System
Available Packages
docker.x86_64                                                                         1.7.0-6.git74e7a7a.fc22                                                                          updates

Comment 9 Daniel Walsh 2015-07-21 12:31:31 UTC
It would also be fixed in docker-1.7

Comment 10 Yann Robert 2015-07-21 13:27:14 UTC
Unfortunately, docker-1.7 comes with it's own batch of bugs.
Would it be possible to publish docker-1.6.2 for Fedora 22 updates?

Comment 11 Daniel Walsh 2015-07-21 14:46:11 UTC
Which bugs are you talking about with docker-1.7?

Comment 12 Yann Robert 2015-07-21 15:15:46 UTC
I just cannot use docker-1.7 because of 

Comment 13 Daniel Walsh 2015-07-21 16:10:30 UTC
Ok, I have asked the firewalld team to look into this and see if they can fix it quickly.  As soon as they have a fix, I will get it shipped into fedora.

Comment 14 Yann Robert 2015-07-21 16:29:34 UTC
Thank you Daniel.
However, I fear we are in a tunnel now. 
While we are waiting for a fix, a new major version will be released. When the fix will be found, it will not be released because we should upgrade to latest major version.
So there will be no working docker-1.6.x binaries for Fedora 22?

Note You need to log in before you can comment on or make changes to this bug.