Description of problem:
By default, Docker cannot give containers access to /var/run/docker.sock without causing docker.sock to be turned into a directory on reboot.

Version-Release number of selected component (if applicable):
Docker 1.9.1

How reproducible:
Start a container that needs to see docker.sock, such as nginx_proxy. Make it restart always. Enable the Docker service so it will start on reboot. Reboot the machine.

Steps to Reproduce:
1. docker run -d --restart=always -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
2. reboot
3. systemctl start docker

Actual results:
Docker will not restart. /var/run/docker.sock is a directory.

Expected results:
Docker will restart normally with all containers set to restart always. docker.sock should not be a directory.

Additional info:
A workaround is to set SELINUX=permissive in /etc/selinux/config
The 'Actual results' I listed are, I think, actually the result of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1289851

The 'Actual results' for this bug should probably be the resulting entry in the journald logs and that the nginx-proxy container doesn't function properly:

2015/12/09 07:24:46 Unable to ping docker daemon: Get http://unix.sock/_ping: dial unix /tmp/docker.sock: connect: permission denied
Giving access to the docker.sock is equivalent to giving a process full root access to your machine; you need to turn off SELinux for this to work. And if you want any confinement of the container, this is probably a bad idea.

You should just disable SELinux for this container, not for the system:

docker run --security-opt label:disable ...

Or:

docker run --privileged

Neither is more or less secure than the other, since this is just giving away full root.

Here is a blog I wrote explaining access to docker.sock: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
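Since a docker.sock bind mount, --privileged, and --security-opt label:disable all amount to handing the container root on the host (as the reply above and the reproduction steps in the report both show), a defender's natural follow-up is to find out which running containers were started that way. The audit script below is an added example, not part of this bug report or of Docker itself. It assumes one record per line in the shape name|mounts|privileged|security-opts, which is the shape a docker inspect Go template such as '{{.Name}}|{{range .Mounts}}{{.Source}}:{{.Destination}},{{end}}|{{.HostConfig.Privileged}}|{{.HostConfig.SecurityOpt}}' would emit (the rendering of the SecurityOpt list as [label:disable] is an assumption); the sample records are constructed so the script runs without a Docker daemon.

```shell
#!/bin/sh
# Added example: flag containers whose configuration is root-equivalent on the host.
# Not part of the bug report. Record format (assumed to match a docker inspect
# --format template, see lead-in):
#   <name>|<src:dst,...>|<privileged true/false>|<security opts as [a b]>

# Constructed sample records standing in for real `docker inspect` output.
SAMPLE_RECORDS='/nginx-proxy|/var/run/docker.sock:/tmp/docker.sock,|false|[]
/web|/srv/www:/usr/share/nginx/html,|false|[]
/builder|/var/run/docker.sock:/var/run/docker.sock,|false|[label:disable]
/debug|/proc:/host/proc,|true|[]'

# classify_record NAME MOUNTS PRIVILEGED SECOPTS
# Prints "<name>: <reason...>" when the container is root-equivalent, else nothing.
classify_record() {
    name=$1; mounts=$2; privileged=$3; secopts=$4
    reasons=""
    # A bind mount of the daemon socket, read-only or not, is full control of the host.
    case "$mounts" in
        *"/var/run/docker.sock:"*) reasons="$reasons docker.sock-mounted" ;;
    esac
    # --privileged drops all confinement (capabilities, devices, and SELinux labels).
    [ "$privileged" = "true" ] && reasons="$reasons privileged"
    # label:disable (or label=disable) turns off SELinux separation for this container only.
    case "$secopts" in
        *label:disable*|*label=disable*) reasons="$reasons selinux-label-disabled" ;;
    esac
    [ -n "$reasons" ] && printf '%s:%s\n' "$name" "$reasons"
    return 0
}

# audit_records reads records on stdin and prints one line per flagged container.
audit_records() {
    while IFS='|' read -r name mounts privileged secopts; do
        [ -n "$name" ] || continue
        classify_record "$name" "$mounts" "$privileged" "$secopts"
    done
}

# root_equivalent_count prints how many of the sample containers were flagged.
root_equivalent_count() {
    printf '%s\n' "$SAMPLE_RECORDS" | audit_records | wc -l | tr -d ' '
}

# Usage: list the flagged containers, then the count.
printf '%s\n' "$SAMPLE_RECORDS" | audit_records
root_equivalent_count
```

On a live host, replace SAMPLE_RECORDS with the output of docker inspect over docker ps -q using the template in the lead-in; the :ro on the socket mount in the original reproduction step is deliberately not treated as a mitigation, because the socket is a connection endpoint and the daemon will still execute whatever API calls arrive on it.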