Description of problem:
usr/bin/docker info' did not exit successfully

Version-Release number of selected component (if applicable):
WARNING: Error loading config file:stat /root/.docker/config.json: permission denied'

How reproducible:
install docker and condor

Steps to Reproduce:
1. install all condor and all docker rpms
2. systemctl start docker, systemctl start condor
3. watch in condor log file and find Error loading config file:stat /root/.docker/config.json: permission denied'.

Actual results:
docker should work

Expected results:

Additional info:
Update with right version

Containers: 0
Images: 0
Server Version: 1.9.1-fc23
Storage Driver: devicemapper
 Pool Name: docker-8:36-27133951-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 107.4 GB
 Backing Filesystem:
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 53.74 MB
 Data Space Total: 107.4 GB
 Data Space Available: 107.3 GB
 Metadata Space Used: 606.2 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.109 (2015-09-22)
Execution Driver: native-0.2
Logging Driver: journald
Kernel Version: 4.2.8-300.fc23.x86_64
Operating System: Fedora 23 (Workstation Edition)
CPUs: 12
Total Memory: 31.32 GiB
Name: uefi_super_knut
ID: KCYY:LCDL:PFII:4RIJ:UVQY:HLWS:KEQW:QY5U:GYJM:NYSK:2PEE:AQ3Y
Could you see if this is an SELinux issue?

ausearch -m avc -ts recent

After it happens.
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.809:480): avc: denied { open } for pid=181458 comm="cat" path="/proc/sys/fs/file-max" dev="proc" ino=14116 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.812:481): avc: denied { open } for pid=181460 comm="cat" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.812:482): avc: denied { open } for pid=181457 comm="linux_kernel_tu" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.812:483): avc: denied { open } for pid=181457 comm="linux_kernel_tu" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.813:484): avc: denied { open } for pid=181461 comm="cat" path="/proc/sys/net/core/somaxconn" dev="proc" ino=25945 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 12:50:23 2017
type=AVC msg=audit(1489405823.814:485): avc: denied { open } for pid=181462 comm="cat" path="/proc/sys/net/core/rmem_max" dev="proc" ino=15331 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
I have added the requested data. Duplicated in 1422529, 1422570 and 1423388.

I got the message above when I start condor with sudo systemctl start condor.

condor_q gives me this message with SELinux:

ondor_q
-- Failed to fetch ads from: <10.0.0.70:9618?addrs=10.0.0.70-9618&noUDP&sock=181456_4d36_4> : localhost
SECMAN:2007:Failed to end classad message.

and as root

sudo condor_q
-- Schedd: localhost : <10.0.0.70:40057>
 ID      OWNER     SUBMITTED     RUN_TIME ST PRI SIZE CMD
  3.0    knutjbj   2/15 13:09  1+02:07:21 I  0    0.0 cluster2_sentinel.ORRE7he4q9G0q
  5.0    knutjbj   2/15 13:09  1+01:39:05 I  0    4.0 cluster4_sentinel.MzpMMZUsfXmfM
  8.0    knutjbj   2/17 09:26  1+00:51:02 I  0    4.0 cluster7_sentinel.fBgKqPDIyGUzu
 10.0    knutjbj   2/17 09:26  1+01:23:24 I  0   18.0 cluster9_sentinel.DssrmYuoVbVNo
 14.0    knutjbj   2/18 06:23  0+23:06:32 I  0   15.0 cluster13_sentinel.VoBL1ojLakeg2
5 jobs; 0 completed, 0 removed, 5 idle, 0 running, 0 held, 0 suspended

When I disable SELinux:

sudo systemctl start condor
[knutjbj@uefiknut ~]$ condor_q
-- Schedd: localhost : <10.0.0.70:9618?...
 ID      OWNER     SUBMITTED     RUN_TIME ST PRI SIZE CMD
  3.0    knutjbj   2/15 13:09  1+02:07:21 I  0    0.0 cluster2_sentinel.ORRE7he4q9G0q
  5.0    knutjbj   2/15 13:09  1+01:39:05 I  0    4.0 cluster4_sentinel.MzpMMZUsfXmfM
  8.0    knutjbj   2/17 09:26  1+00:51:02 I  0    4.0 cluster7_sentinel.fBgKqPDIyGUzu
 10.0    knutjbj   2/17 09:26  1+01:23:24 I  0   18.0 cluster9_sentinel.DssrmYuoVbVNo
 14.0    knutjbj   2/18 06:23  0+23:06:32 I  0   15.0 cluster13_sentinel.VoBL1ojLakeg2
5 jobs; 0 completed, 0 removed, 5 idle, 0 running, 0 held, 0 suspended
These AVCs have nothing to do with Docker.
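A small triage helper for ausearch output like the records above, as an added example that is not part of the original thread: it groups denials by source domain, target type, class and permission, and flags any record that mentions docker. The first three sample records are taken from the thread; the fourth is constructed for illustration, and all function names are hypothetical.

```python
import re
from collections import Counter

# Records 1-3 are from the ausearch output in this thread. Record 4 is
# CONSTRUCTED (placeholder ids) to show what a Docker-related denial could look like.
SAMPLE = '''\
type=AVC msg=audit(1489405823.809:480): avc: denied { open } for pid=181458 comm="cat" path="/proc/sys/fs/file-max" dev="proc" ino=14116 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1489405823.812:481): avc: denied { open } for pid=181460 comm="cat" path="/proc/sys/net/ipv4/ip_local_port_range" dev="proc" ino=25971 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1489405823.813:484): avc: denied { open } for pid=181461 comm="cat" path="/proc/sys/net/core/somaxconn" dev="proc" ino=25945 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(0.000:0): avc: denied { getattr } for pid=1 comm="docker" path="/root/.docker/config.json" dev="sda1" ino=1 scontext=system_u:system_r:condor_master_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
'''

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    if not perms or not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    # An SELinux context is user:role:type:level; keep only the type.
    setype = lambda ctx: ctx.split(":")[2] if ctx.count(":") >= 2 else ctx
    return {
        "perms": perms.group(1).split(),
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        "source": setype(fields["scontext"]),
        "target": setype(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def parse_log(text):
    """Parse every AVC denial in a block of audit log text."""
    return [r for r in map(parse_avc, text.splitlines()) if r]

def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    return Counter((r["source"], r["target"], r["tclass"], p)
                   for r in records for p in r["perms"])

def docker_related(records):
    """Denials whose command, path or SELinux types mention docker."""
    keys = ("comm", "path", "source", "target")
    return [r for r in records if any("docker" in r[k].lower() for k in keys)]

if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    for key, n in summarize(recs).most_common():
        print(n, *key)
    print("docker-related:", [r["path"] for r in docker_related(recs)])
```
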
Hi Knut!

I think Ben is working on an update currently -- upstream has a few SELinux-related fixes for the policy distributed by the condor RPM.

Dan is correct: these AVCs aren't related to Docker, but these do look suspiciously familiar. There probably _are_ other AVCs in your logs (particularly, a lot of the shipped policy caused a crazy number of denials when using the Docker universe).

Let's wait a few more days and see if this clears up as part of the planned update.

HTH

Brian
Hi Brian

Which version of selinux-policy-target will contain these fixes?

Knut J
condor-8.6.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc65fbb48c
condor-8.6.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc65fbb48c
Will Fedora 25 be updated as well?
Do you have a workaround (that isn't disabling SELinux)? If not, I'll update F25, but I'm inclined to not change the release series mid-stream if we can help it.
I have disabled SELinux.
I found this selinux policy in git from htcondor. https://htcondor-wiki.cs.wisc.edu/index.cgi/fileview?f=build/packaging/srpm/htcondor.te&v=1daf9a94e6397ea24746cb6903f1cfbed36e632e
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.