Description of problem:
Docker fails to run a container with a volume on files located under /usr (or on symbolic link to files located under /usr) if the ":ro" specification is used to mount it as readonly

Version-Release number of selected component (if applicable):
docker-io-1.6.0-2.git3eac457.fc21.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install docker package docker-io-1.6.0-2.git3eac457.fc21.x86_64
2. restart the docker service
3. run the following command
   docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello

Actual results:
get exit code 1 and message
FATA[0000] Error response from daemon: Cannot start container 4bb87515e4eb828b295eb4718a7159c958a1154ed839b29fd213a597b91a200e: [8] System error: Relabeling content in /usr is not allowed.

Expected results:
get exit code 0 and message "hello"

Additional info:
please refer to initial bug report on docker repository at github
https://github.com/docker/docker/issues/12811

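A pre-flight check for the failure condition described in the report above, as an added example that is not part of the original report and not Docker's own code: it flags `-v` arguments that are mounted `:ro` and whose host path resolves, through symlinks, to a location under /usr. The function names and the PROTECTED_PREFIX variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag `docker run -v` specs matching the condition in this
# report: read-only bind mount whose host path resolves under /usr.
# PROTECTED_PREFIX is a knob invented for this example (default /usr).

# volume_is_affected SPEC   (SPEC is "src:dst[:opts]")
# Returns 0 when opts contain "ro" and src, after following symlinks,
# is the protected prefix or lies below it; returns 1 otherwise.
volume_is_affected() {
    case $1 in *:*) ;; *) return 1 ;; esac        # no host side at all
    v_src=${1%%:*}
    v_rest=${1#*:}
    case $v_rest in *:*) v_opts=${v_rest#*:} ;; *) v_opts= ;; esac
    case ",$v_opts," in *,ro,*) ;; *) return 1 ;; esac
    case $v_src in /*) ;; *) return 1 ;; esac     # not an absolute host path
    # /etc/localtime is usually a symlink into /usr/share/zoneinfo, so the
    # check must look at the resolved path, not the one typed by the user.
    v_real=$(readlink -f -- "$v_src") || return 1
    v_prefix=$(readlink -f -- "${PROTECTED_PREFIX:-/usr}") || return 1
    case $v_real in "$v_prefix"|"$v_prefix"/*) return 0 ;; esac
    return 1
}

# affected_volumes ARGS...  prints every affected -v/--volume spec found in
# a docker run argument list, one per line. The scan is deliberately simple:
# it does not stop at the image name.
affected_volumes() {
    while [ $# -gt 0 ]; do
        case $1 in
            -v|--volume) [ $# -ge 2 ] || break; a_spec=$2; shift ;;
            --volume=*)  a_spec=${1#--volume=} ;;
            *)           shift; continue ;;
        esac
        shift
        if volume_is_affected "$a_spec"; then printf '%s\n' "$a_spec"; fi
    done
    return 0
}

# The command line from this report; output depends on where the host's
# /etc/localtime points.
affected_volumes -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
```
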
I see this also on F22
[root@kvm124 ~]# rpm -q docker
docker-1.6.0-3.git9d26a07.fc22.x86_64
This no longer works
docker run -d --sig-proxy --name $CT_name --net=none \
    -v /etc/localtime:/etc/localtime:ro \
Editing out the :ro stops the Failure
docker run -d --sig-proxy --name $CT_name --net=none \
    -v /etc/localtime:/etc/localtime \
FATA[0000] Error response from daemon: Cannot start container 925387bd2b2988b1a10ff87e68e188f3a579e68d3d5fc1f31d40a648cd9cb6d2: [8] System error: Relabeling content in /usr is not allowed.

Hi, is there any news on this? docker 1.6.0 on CentOS is working fine with:
# rpm -q docker
docker-1.6.0-11.0.1.el7.centos.x86_64
it still does not work on Fedora with:
$ rpm -q docker-io
docker-io-1.6.0-4.git350a636.fc21.x86_64

I am working on moving the Vagrant environment for Kubernetes to Fedora 21. Kubernetes runs the master services in pods that mount in /usr. To get around this problem, I have to disable SELinux on the master server, but would like to avoid having to do that if possible.
It does not work on CentOS 7 OS as well with docker 1.6.0 from EPEL repo:
$ rpm -qi docker
Name        : docker
Version     : 1.6.0
Release     : 11.0.1.el7.centos
Architecture: x86_64
Install Date: Wed 03 Jun 2015 11:15:06 AM CEST
Group       : Unspecified
Size        : 33835427
License     : ASL 2.0
Signature   : RSA/SHA256, Thu 14 May 2015 01:50:02 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : docker-1.6.0-11.0.1.el7.centos.src.rpm
Build Date  : Thu 14 May 2015 01:47:06 AM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.docker.com
Summary     : Automates deployment of containerized applications
$ docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
Unable to find image 'busybox:latest' locally
latest: Pulling from docker.io/busybox
cf2616975b4a: Pull complete
6ce2e90b0bc7: Pull complete
8c2e06607696: Already exists
docker.io/busybox:latest: The image you are pulling has been verified.
Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:38a203e1986cf79639cfb9b2e1d6e773de84002feea2d4eb006b52004ee8502d
Status: Downloaded newer image for docker.io/busybox:latest
Timestamp: 2015-06-03 12:16:19.569470822 +0200 CEST
Code: System error
Message: Relabeling content in /usr is not allowed.
Frames:
---
0: setupRootfs
Package: github.com/docker/libcontainer
File: rootfs_linux.go@34
---
1: Init
Package: github.com/docker/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@52
---
2: StartInitialization
Package: github.com/docker/libcontainer.(*LinuxFactory)
File: factory_linux.go@223
---
3: initializer
Package: github.com/docker/docker/daemon/execdriver/native
File: init.go@35
---
4:
FATA[0004] Error response from daemon: Cannot start container a9e9dcf572b52fc40a8f6a802fe45e5e461e92a3d9c537cb8c5859e3bff9cc31: [8] System error: Relabeling content in /usr is not allowed.

It requires removing the ":ro" flag in order to work properly.
Should be fixed in docker-1.6.2
After upgrading to 1.6.2 from virt7-testing repo (http://wiki.centos.org/Cloud/Docker) the problem still seems to exist:
Trying to mount the following volume is still not possible:
-v /etc/localtime:/etc/localtime:ro
docker version:
Client version: 1.6.2.el7
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): c3ca5bb/1.6.2
OS/Arch (client): linux/amd64
Server version: 1.6.2.el7
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): c3ca5bb/1.6.2
OS/Arch (server): linux/amd64
The running test container was stopped & removed. Then the docker service was restarted via systemctl. A new container was started to verify the problem.
The problem still exists with version 1.6.2

Lokesh, I just fixed this issue in the docker-1.6.2 repo. Please rebuild for RHEL7, Fedora 21, 22.
The "Fedora 22 updates for x86_64" repository does not contain any 1.6.2 build.
# sudo dnf list docker --disableexcludes all
Last metadata expiration check performed 0:00:40 ago on Tue Jul 21 12:53:29 2015.
Installed Packages
docker.x86_64    1.6.0-3.git9d26a07.fc22    @System
Available Packages
docker.x86_64    1.7.0-6.git74e7a7a.fc22    updates

It would also be fixed in docker-1.7
Unfortunately, docker-1.7 comes with its own batch of bugs. Would it be possible to publish docker-1.6.2 for Fedora 22 updates?
Which bugs are you talking about with docker-1.7?
I just cannot use docker-1.7 because of
https://bugzilla.redhat.com/show_bug.cgi?id=1244124
https://github.com/docker/docker/issues/14396

Ok, I have asked the firewalld team to look into this and see if they can fix it quickly. As soon as they have a fix, I will get it shipped into fedora.
Thank you Daniel. However, I fear we are in a tunnel now. While we are waiting for a fix, a new major version will be released. When the fix is found, it will not be released because we should upgrade to the latest major version. So there will be no working docker-1.6.x binaries for Fedora 22?