Bug 1275554 - Error response from daemon: Relabeling of / is not allowed after upgrading docker
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.2
Hardware: x86_64 Linux
Priority: high
Severity: high
Assigned To: Lokesh Mandvekar
Reported: 2015-10-27 04:49 EDT by Alex Jia
Modified: 2016-03-31 19:22 EDT
Fixed In Version: docker-1.9.0-7.el7
Doc Type: Bug Fix
Last Closed: 2016-03-31 19:22:46 EDT
Type: Bug


Description Alex Jia 2015-10-27 04:49:48 EDT
Description of problem:
Building a container image with LABEL INSTALL and then running atomic install to read the LABEL INSTALL in the image works well on docker-1.8.2-8.el7.x86_64 with atomic-1.6-1.gitca1e384.el7.x86_64, but it fails with the error "Error response from daemon: Relabeling of / is not allowed" after upgrading to docker-1.9.0-3.el7.x86_64.

Version-Release number of selected component (if applicable):
docker-1.8.2-8.el7.x86_64
atomic-1.6-1.gitca1e384.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. docker pull busybox
2. cat install.sh 
set -x

echo "This is a test."
3. cat Dockerfile 
FROM busybox

ADD install.sh /root/

LABEL INSTALL="docker run -t --rm --privileged -v /:/host/ IMAGE sh /root/install.sh"

Actual results:
[root@dell-per630-02 test]# docker pull busybox
Using default tag: latest
Trying to pull repository registry.access.redhat.com/busybox ... not found
Trying to pull repository docker.io/library/busybox ... latest: Pulling from library/busybox
bf0f46991aed: Pull complete 
3d5bcd78e074: Pull complete 
library/busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:5551dbdfc48d66734d0f01cafee0952cb6e8eeecd1e2492240bf2fd9640c2279
Status: Downloaded newer image for docker.io/busybox:latest

[root@dell-per630-02 test]# docker build -t busybox_label .
Sending build context to Docker daemon 3.072 kB
Step 0 : FROM busybox
 ---> 3d5bcd78e074
Step 1 : ADD install.sh /root/
 ---> 4d76c90d63a3
Removing intermediate container ea5c6f765c09
Step 2 : LABEL INSTALL "docker run -t --rm --privileged -v /:/host/ IMAGE sh /root/install.sh"
 ---> Running in 2fc5733e7647
 ---> 63b155fb8278
Removing intermediate container 2fc5733e7647
Successfully built 63b155fb8278

[root@dell-per630-02 test]# atomic images
 REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
 busybox_label                       latest              63b155fb8278        2015-10-27 16:13    1.11 MB     

[root@dell-per630-02 test]# atomic info busybox_label
INSTALL: docker run -t --rm --privileged -v /:/host/ IMAGE sh /root/install.sh

[root@dell-per630-02 test]# atomic install busybox_label
docker run -t --rm --privileged -v /:/host/ busybox_label sh /root/install.sh
+ echo This is a test.
This is a test.


[root@dell-per630-02 test]# atomic install busybox_label
docker run -t --rm --privileged -v /:/host/ busybox_label sh /root/install.sh
+ echo This is a test.
This is a test.

NOTE: run atomic install again, it's okay.

[root@dell-per630-02 1.9.0-3]# rpm -Uvh *.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:docker-selinux-1.9.0-3.el7       ################################# [ 13%]
   2:docker-1.9.0-3.el7               ################################# [ 25%]
   3:docker-logrotate-1.9.0-3.el7     ################################# [ 38%]
   4:docker-unit-test-1.9.0-3.el7     ################################# [ 50%]
Cleaning up / removing...
   5:docker-logrotate-1.8.2-8.el7     ################################# [ 63%]
   6:docker-1.8.2-8.el7               ################################# [ 75%]
   7:docker-selinux-1.8.2-8.el7       ################################# [ 88%]
   8:docker-unit-test-1.8.2-8.el7     ################################# [100%]

[root@dell-per630-02 test]# rpm -q docker
docker-1.9.0-3.el7.x86_64

[root@dell-per630-02 1.9.0-3]# atomic install busybox_label
docker run -t --rm --privileged -v /:/host/ busybox_label sh /root/install.sh
Error response from daemon: Relabeling of / is not allowed


Expected results:
atomic install should work when upgrading docker

Additional info:
Comment 3 Lokesh Mandvekar 2015-10-28 12:54:43 EDT
Dan, so this error occurs because of the '--selinux-enabled' option. Without this option, the results are as expected both via rpm (1.9.0-6) and via git (@projectatomic/rhel7-1.9)
Comment 4 Daniel Walsh 2015-10-28 14:36:22 EDT
This is an old bug that seems to have risen from the dead.
Comment 5 Daniel Walsh 2015-10-28 16:15:22 EDT
This is a big bug. Opened up a couple of pull requests with docker.

Also added patches which should fix this in the next docker-1.9 build.

Fixed in docker-1.9.0-7
Comment 7 Alex Jia 2016-01-20 22:56:00 EST
Upgrading docker from 1.8.2-8 to 1.9.1-12, atomic install works well on atomic-1.6-1.gitca1e384.el7.x86_64 and atomic-1.8-4.git958d939.el7.x86_64, so move the bug to VERIFIED status.
Comment 9 errata-xmlrpc 2016-03-31 19:22:46 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0536.html
