Red Hat Bugzilla – Bug 1289803
Docker cannot share docker.sock with containers because of SELinux
Last modified: 2015-12-09 09:39:33 EST
Description of problem:
By default, Docker cannot give containers access to /var/run/docker.sock without causing docker.sock to be turned into a directory on reboot.
Version-Release number of selected component (if applicable):
Start a container that needs to see docker.sock such as nginx_proxy. Make it restart always. Enable Docker service so it will start on reboot. Reboot the machine. N
Steps to Reproduce:
1. docker run -d --restart=always -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
3. systemctl start docker
Actual results:
Docker will not restart. /var/run/docker.sock is a directory.
Expected results:
Docker will restart normally with all containers set to restart always. docker.sock should not be a directory.
A workaround is to set SELINUX=permissive in /etc/selinux/config
The 'Actual results' I listed I think are actually the result this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1289851
The 'Actual results' for this bug should probably be the resulting entry in the journald logs and that the nginx-proxy container doesn't function properly.
2015/12/09 07:24:46 Unable to ping docker daemon: Get http://unix.sock/_ping: dial unix /tmp/docker.sock: connect: permission denied
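As an added example (not part of the bug report above), a POSIX sh preflight check that classifies the state of the path a socket-dependent container is about to bind-mount. On an affected host the symptom reported here is that /var/run/docker.sock has become a directory after reboot, so running this before `docker run -v /var/run/docker.sock:...` turns a silent "permission denied" or a non-functioning proxy into an explicit error. The function names `sock_state` and `preflight` are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report: classify the path that a
# container expects to be the Docker control socket, and refuse to proceed
# when it is anything other than a unix socket.

# sock_state PATH -> prints one of: socket, directory, missing, other
sock_state() {
    p="$1"
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -S "$p" ]; then
        echo socket
    elif [ -d "$p" ]; then
        echo directory
    else
        echo other
    fi
}

# preflight PATH -> returns 0 when the path is a usable socket, 1 otherwise,
# printing a one-line explanation of what was found.
preflight() {
    state=$(sock_state "$1")
    case "$state" in
        socket)
            echo "ok: $1 is a unix socket"
            return 0 ;;
        directory)
            echo "error: $1 is a directory, not a socket (the symptom described in this bug); do not start socket-dependent containers until it is fixed"
            return 1 ;;
        missing)
            echo "error: $1 does not exist; is the docker daemon running?"
            return 1 ;;
        *)
            echo "error: $1 is neither a socket nor a directory"
            return 1 ;;
    esac
}

# Usage (on a real host):
#   preflight /var/run/docker.sock && docker run -d --restart=always -p 80:80 \
#       -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
```

The check deliberately treats "missing" as an error rather than creating anything: whatever creates the path ahead of the daemon is what leaves a directory in the socket's place, so the safe action is to wait for or start the daemon and re-run the check.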
Giving access to the docker.sock is equivalent to giving a process full root access to your machine; you need to turn off SELinux for this to work. And if you want any confinement of the container, this is probably a bad idea.
You should just disable SELinux for this container not for the system.
docker run --security-opt label:disable ...
docker run --privileged
Neither is more or less secure than the other, since this is just giving away full root.
Here is a blog I wrote explaining access to docker.sock