Bug 1289803 - Docker cannot share docker.sock with containers because of SELinux
Summary: Docker cannot share docker.sock with containers because of SELinux
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 23
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-12-09 02:04 UTC by David Parrish
Modified: 2015-12-09 14:39 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-12-09 14:39:33 UTC
Type: Bug
Embargoed:



Description David Parrish 2015-12-09 02:04:12 UTC
Description of problem:

By default, Docker cannot give containers access to /var/run/docker.sock without causing docker.sock to be turned into a directory on reboot.

Version-Release number of selected component (if applicable):

Docker 1.9.1

How reproducible:

Start a container that needs to see docker.sock such as nginx_proxy. Make it restart always. Enable Docker service so it will start on reboot. Reboot the machine. N

Steps to Reproduce:
1. docker run -d --restart=always -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
2. reboot
3. systemctl start docker

Actual results:

Docker will not restart. /var/run/docker.sock is a directory.


Expected results:

Docker will restart normally with all containers set to restart always. docker.sock should not be a directory.

Additional info:

A workaround is to set SELINUX=permissive in /etc/selinux/config

Comment 1 David Parrish 2015-12-09 07:29:20 UTC
The 'Actual results' I listed I think are actually the result of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1289851

The 'Actual results' for this bug should probably be the resulting entry in the journald logs and that the nginx-proxy container doesn't function properly.

2015/12/09 07:24:46 Unable to ping docker daemon: Get http://unix.sock/_ping: dial unix /tmp/docker.sock: connect: permission denied

Comment 2 Daniel Walsh 2015-12-09 14:39:33 UTC
Giving access to the docker.sock is equivalent to giving a process full root access to your machine; you need to turn off SELinux for this to work. And if you want any confinement of the container, this is probably a bad idea.

You should just disable SELinux for this container not for the system.

docker run --security-opt label:disable ...

Or 

docker run --privileged

Neither is more or less secure than the other, since this is just giving away full root.

Here is a blog I wrote explaining access to docker.sock

http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
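As an added example (not part of this bug report, the docker package or the linked blog), the following Python script audits `docker inspect` output for containers that have the Docker socket bind-mounted, the situation the reproduction steps and Comment 2 describe: any container that can reach the socket is root on the host, whether the mount is read-only or not, and whether confinement was relaxed with `--security-opt label:disable` or `--privileged`. The embedded JSON, container names and IDs are constructed sample data; the field names follow the real `docker inspect` schema (`HostConfig.Privileged`, `HostConfig.SecurityOpt`, `HostConfig.RestartPolicy`, `Mounts`).

```python
import json

# Host paths at which the Docker daemon socket normally lives
# (/var/run is a symlink to /run on systemd-based systems).
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample in the shape of `docker inspect` output (a subset of
# the fields the real command returns); names and IDs are made up.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "a1b2c3",
        "Name": "/nginx-proxy",
        "HostConfig": {
            "Privileged": False,
            "SecurityOpt": ["label:disable"],
            "RestartPolicy": {"Name": "always"},
        },
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/tmp/docker.sock", "RW": False}
        ],
    },
    {
        "Id": "d4e5f6",
        "Name": "/web",
        "HostConfig": {"Privileged": False, "SecurityOpt": None,
                       "RestartPolicy": {"Name": "no"}},
        "Mounts": [],
    },
    {
        "Id": "0a9b8c",
        "Name": "/agent",
        "HostConfig": {"Privileged": True, "SecurityOpt": None,
                       "RestartPolicy": {"Name": "always"}},
        "Mounts": [
            {"Type": "bind", "Source": "/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True}
        ],
    },
])


def mounts_docker_socket(container):
    """True if any bind mount exposes the host's Docker socket.

    The RW flag (the :ro suffix on -v) is deliberately ignored: a read-only
    bind mount still lets the container connect to the socket and drive the
    daemon, so it does not reduce the risk."""
    return any(
        m.get("Type") == "bind" and m.get("Source") in SOCKET_PATHS
        for m in container.get("Mounts") or []
    )


def label_disabled(container):
    """True if SELinux labelling was switched off for this container
    (docker run --security-opt label:disable; newer Docker also accepts
    label=disable, so both separators are recognised)."""
    opts = container.get("HostConfig", {}).get("SecurityOpt") or []
    return any(o.replace("=", ":") == "label:disable" for o in opts)


def audit(inspect_json):
    """Return one finding per container that can reach the Docker socket."""
    findings = []
    for c in json.loads(inspect_json):
        if not mounts_docker_socket(c):
            continue
        hc = c.get("HostConfig", {})
        findings.append({
            "name": c.get("Name", "").lstrip("/"),
            "privileged": bool(hc.get("Privileged")),
            "label_disabled": label_disabled(c),
            "restart_always": (hc.get("RestartPolicy") or {}).get("Name") == "always",
            # Socket access is root on the host regardless of how SELinux
            # confinement was relaxed, so every hit is rated the same.
            "risk": "root-equivalent",
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT):
        print(finding)
```

On a real host the same `audit()` function can be fed the output of `docker inspect $(docker ps -aq)`; the `restart_always` field is recorded because, as in the report above, such containers come back on every boot and so keep the exposure permanent rather than incidental.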

