1275554 – Error response from daemon: Relabeling of / is not allowed after upgrading docker

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1275554 - Error response from daemon: Relabeling of / is not allowed after upgrading docker

Summary: Error response from daemon: Relabeling of / is not allowed after upgrading do...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	docker
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lokesh Mandvekar
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-27 08:49 UTC by Alex Jia
Modified:	2019-03-06 01:10 UTC (History)
CC List:	2 users (show)
Fixed In Version:	docker-1.9.0-7.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-03-31 23:22:46 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:0536	0	normal	SHIPPED_LIVE	docker bug fix and enhancement update	2016-04-01 03:19:56 UTC

Description Alex Jia 2015-10-27 08:49:48 UTC

Description of problem:
To build a container image with LABEL INSTALL then run atomic install to read the LABEL INSTALL in image, it works well on docker-1.8.2-8.el7.x86_64 with atomic-1.6-1.gitca1e384.el7.x86_64, but it will get error "Error response from daemon: Relabeling of / is not allowed" when upgrading to docker-1.9.0-3.el7.x86_64.

Version-Release number of selected component (if applicable):
docker-1.8.2-8.el7.x86_64
atomic-1.6-1.gitca1e384.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. docker pull busybox
2. cat install.sh 
set -x

echo "This is a test."
3. cat Dockerfile 
FROM busybox

ADD install.sh /root/

LABEL INSTALL="docker run -t --rm --privileged -v /:/host/ IMAGE sh /root/install.sh"

Actual results:
[root@dell-per630-02 test]# docker pull busybox
Using default tag: latest
Trying to pull repository registry.access.redhat.com/busybox ... not found
Trying to pull repository docker.io/library/busybox ... latest: Pulling from library/busybox
bf0f46991aed: Pull complete 
3d5bcd78e074: Pull complete 
library/busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:5551dbdfc48d66734d0f01cafee0952cb6e8eeecd1e2492240bf2fd9640c2279
Status: Downloaded newer image for docker.io/busybox:latest

[root@dell-per630-02 test]# docker build -t busybox_label .
Sending build context to Docker daemon 3.072 kB
Step 0 : FROM busybox
 ---> 3d5bcd78e074
Step 1 : ADD install.sh /root/
 ---> 4d76c90d63a3
Removing intermediate container ea5c6f765c09
Step 2 : LABEL INSTALL "docker run -t --rm --privileged -v /:/host/ IMAGE sh /root/install.sh"
 ---> Running in 2fc5733e7647
 ---> 63b155fb8278
Removing intermediate container 2fc5733e7647
Successfully built 63b155fb8278

[root@dell-per630-02 test]# atomic images
 REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
 busybox_label                       latest              63b155fb8278        2015-10-27 16:13    1.11 MB     

[root@dell-per630-02 test]# atomic info busybox_label
INSTALL: docker run -t --rm --privileged -v /:/host/ IMAGE sh /root/install.sh

[root@dell-per630-02 test]# atomic install busybox_label
docker run -t --rm --privileged -v /:/host/ busybox_label sh /root/install.sh
+ echo This is a test.
This is a test.


[root@dell-per630-02 test]# atomic install busybox_label
docker run -t --rm --privileged -v /:/host/ busybox_label sh /root/install.sh
+ echo This is a test.
This is a test.

NOTE: run atomic install again, it's okay.

[root@dell-per630-02 1.9.0-3]# rpm -Uvh *.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:docker-selinux-1.9.0-3.el7       ################################# [ 13%]
   2:docker-1.9.0-3.el7               ################################# [ 25%]
   3:docker-logrotate-1.9.0-3.el7     ################################# [ 38%]
   4:docker-unit-test-1.9.0-3.el7     ################################# [ 50%]
Cleaning up / removing...
   5:docker-logrotate-1.8.2-8.el7     ################################# [ 63%]
   6:docker-1.8.2-8.el7               ################################# [ 75%]
   7:docker-selinux-1.8.2-8.el7       ################################# [ 88%]
   8:docker-unit-test-1.8.2-8.el7     ################################# [100%]

[root@dell-per630-02 test]# rpm -q docker
docker-1.9.0-3.el7.x86_64

[root@dell-per630-02 1.9.0-3]# atomic install busybox_label
docker run -t --rm --privileged -v /:/host/ busybox_label sh /root/install.sh
Error response from daemon: Relabeling of / is not allowed


Expected results:
atomic install should work when upgrading docker

Additional info:

Comment 3 Lokesh Mandvekar 2015-10-28 16:54:43 UTC

Dan, so this error occurs because of the '--selinux-enabled' option. Without this option, the results are as expected both via rpm (1.9.0-6) and via git (@projectatomic/rhel7-1.9)

Comment 4 Daniel Walsh 2015-10-28 18:36:22 UTC

This is an old bug that seems to have risen from the dead.

Comment 5 Daniel Walsh 2015-10-28 20:15:22 UTC

This is a big bug. Opened up a couple of pull requests with docker.

Also added patches which should fix this in the next docker-1.9 build.

Fixed in docker-1.9.0-7

Comment 7 Alex Jia 2016-01-21 03:56:00 UTC

Upgrading docker from 1.8.2-8 to 1.9.1-12, atomic install works well on atomic-1.6-1.gitca1e384.el7.x86_64 and atomic-1.8-4.git958d939.el7.x86_64, so move the bug to VERIFIED status.

Comment 9 errata-xmlrpc 2016-03-31 23:22:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0536.html

Note You need to log in before you can comment on or make changes to this bug.