Bug 1289803 - Docker cannot share docker.sock with containers because of SELinux
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: docker
Version: 23
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Assigned To: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-08 21:04 EST by David Parrish
Modified: 2015-12-09 09:39 EST
Last Closed: 2015-12-09 09:39:33 EST
Type: Bug
Doc Type: Bug Fix

Description David Parrish 2015-12-08 21:04:12 EST
Description of problem:

By default, Docker cannot give containers access to /var/run/docker.sock without causing docker.sock to be turned into a directory on reboot.

Version-Release number of selected component (if applicable):

Docker 1.9.1

How reproducible:

Start a container that needs to see docker.sock such as nginx_proxy. Make it restart always. Enable Docker service so it will start on reboot. Reboot the machine. N

Steps to Reproduce:
1. docker run -d --restart=always -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
2. reboot
3. systemctl start docker

Actual results:

Docker will not restart. /var/run/docker.sock is a directory.


Expected results:

Docker will restart normally with all containers set to restart always. docker.sock should not be a directory.

Additional info:

A workaround is to set SELINUX=permissive in /etc/selinux/config
Comment 1 David Parrish 2015-12-09 02:29:20 EST
The 'Actual results' I listed I think are actually the result of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1289851

The 'Actual results' for this bug should probably be the resulting entry in the journald logs and that the nginx-proxy container doesn't function properly.

2015/12/09 07:24:46 Unable to ping docker daemon: Get http://unix.sock/_ping: dial unix /tmp/docker.sock: connect: permission denied
Comment 2 Daniel Walsh 2015-12-09 09:39:33 EST
Giving access to the docker.sock is equivalent to giving a process full root access to your machine; you need to turn off SELinux for this to work. And if you want any confinement of the container, this is probably a bad idea.

You should just disable SELinux for this container not for the system.

docker run --security-opt label:disable ...

Or 

docker run --privileged

Neither is more or less secure than the other, since this is just giving away full root.

Here is a blog I wrote explaining access to docker.sock

http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/

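Since either `--security-opt label:disable` or `--privileged` hands the container full root via the socket, an operator will want to know which containers on a host actually have docker.sock bind-mounted and how they were unconfined. The audit below is an added example, not code from this bug or from the docker project; it reads the JSON shape that `docker inspect` emits (`Name`, `HostConfig.Binds`, `HostConfig.Privileged`, `HostConfig.SecurityOpt`) over a constructed sample, and on a real host you would feed it `docker inspect $(docker ps -q)` instead.

```python
import json

# Constructed sample resembling `docker inspect` output, trimmed to the
# fields this audit reads. Not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nginx-proxy",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/tmp/docker.sock:ro"],
                    "Privileged": False,
                    "SecurityOpt": ["label:disable"]}},
    {"Name": "/web",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                    "Privileged": False, "SecurityOpt": None}},
    {"Name": "/builder",
     "HostConfig": {"Binds": ["/run/docker.sock:/var/run/docker.sock"],
                    "Privileged": True, "SecurityOpt": None}},
])

# Host-side paths the daemon socket is commonly bind-mounted from.
DOCKER_SOCK = ("/var/run/docker.sock", "/run/docker.sock")


def _is_ro(bind):
    # Bind format is "src:dst[:opts]" with comma-separated opts such as "ro,z".
    # Note: ":ro" does not stop a client connecting to a unix socket, so it is
    # reported for completeness only, not as a mitigation.
    parts = bind.split(":")
    return len(parts) > 2 and "ro" in parts[2].split(",")


def audit_docker_sock(inspect_json):
    """Return one finding per container that bind-mounts the daemon socket.

    Each finding records how SELinux confinement was relaxed for it; as the
    comment above notes, the socket itself already amounts to root on the host.
    """
    findings = []
    for container in json.loads(inspect_json):
        hc = container.get("HostConfig") or {}
        binds = hc.get("Binds") or []
        sock_binds = [b for b in binds if b.split(":")[0] in DOCKER_SOCK]
        if not sock_binds:
            continue
        sec_opts = hc.get("SecurityOpt") or []
        findings.append({
            "name": container["Name"].lstrip("/"),
            "binds": sock_binds,
            "read_only": all(_is_ro(b) for b in sock_binds),
            "privileged": bool(hc.get("Privileged")),
            # Both spellings have been accepted by the docker CLI over time.
            "label_disabled": bool({"label:disable", "label=disable"} & set(sec_opts)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_docker_sock(SAMPLE_INSPECT):
        print(f)
```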