Description of problem:
Test Connection to local docker compute resource unix:///var/run/docker.sock is refused with 'Permission denied - connect(2)'

Version-Release number of selected component (if applicable):
@Sat6.2.0-Beta-SNAP2

How reproducible:
100%

Steps to Reproduce:
1. Prepare a docker host on the sat6 machine (install katello certs, add foreman to the docker group, set docker to run under the docker group, restart docker).
2. UI: navigate to Infrastructure > Compute resources > New compute resource.
3. UI: on the Compute resource tab set URL to 'unix:///var/run/docker.sock' and hit Test Connection; an error message is displayed:
   "Permission denied - connect(2) for /var/run/docker.sock (Errno::EACCES)"

Actual results:
Test connection fails with an error.

Expected results:
Test connection is successful.

Additional info:
Behind the refused connection there are SELinux denials:

avc: denied { connectto } for pid=72737 comm="diagnostic_con*" path="/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket

# audit2allow -a

#============= passenger_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:file { read getattr open };
Test Connection to *remote* docker compute resource http://<DOCKER_HOST>:2375 is *also* refused, with some more SELinux denials:

# audit2allow -a

#============= passenger_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:dir search;
allow passenger_t hwdata_t:file { read getattr open };

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, passenger_can_connect_all
allow passenger_t unreserved_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, passenger_can_connect_all
allow passenger_t zarafa_port_t:tcp_socket name_connect;
cat /etc/redhat-release
rpm -q docker-selinux
Assuming this was broken by pulling out docker policy from RHEL base core policy to separate subpackage, you only need to install docker-selinux to get it all working. Please confirm and we will add RPM dependency.
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
# rpm -q docker-selinux
docker-selinux-1.8.2-8.el7.x86_64
# getsebool -a |grep passenger
passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on
passenger_can_connect_http_proxy --> on
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_connect_smtp --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on
# semanage port -l | grep docker
<empty>

-------------------------------

With Satellite 6.1.7 @RHEL7.2 it works:

# getsebool -a |grep passenger
passenger_can_connect_all --> off
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on
# semanage port -l | grep docker
docker_port_t                  tcp      2375-2376
During Satellite installation there is a related error:

...
  Installing : foreman-selinux-1.11.0-1.el7sat.noarch                468/580
ValueError: Type docker_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0-1.el7sat.noarch
  Installing : katello-selinux-3.0.1.0-1.                 [ ]     469/580
...
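Added here as an illustration, not part of the bug thread: a POSIX sh script that turns a raw AVC line into an audit2allow-style allow rule and checks the prerequisites the comments above establish (the passenger_can_connect_docker_* booleans on, and docker_port_t defined, which needs docker-selinux). The command output it reads is constructed sample text and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report: summarise an AVC denial as an
# audit2allow-style rule and check the preconditions this bug hinged on. Command
# output is constructed so it runs offline; on a live host feed it the real
# output of `ausearch -m avc`, `getsebool -a` and `semanage port -l`.
# Constructed sample AVC line, modelled on the denial in the report.
SAMPLE_AVC='avc: denied { connectto } for pid=72737 comm="diagnostic_con*" path="/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket'

# Constructed sample of `getsebool -a | grep passenger` on a fixed host.
SAMPLE_BOOLS='passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on'

# Constructed sample of `semanage port -l | grep docker` with docker-selinux installed.
SAMPLE_PORTS='docker_port_t                  tcp      2375-2376'

# ctx_type CONTEXT: the type field of user:role:type:level
ctx_type() { printf '%s' "$1" | cut -d: -f3; }

# avc_summary LINE: the allow rule one denial line amounts to
avc_summary() {
    line=$1
    perms=${line#*"{ "}; perms=${perms%%" }"*}
    src=${line#*scontext=}; src=${src%% *}
    tgt=${line#*tcontext=}; tgt=${tgt%% *}
    cls=${line#*tclass=};   cls=${cls%% *}
    printf 'allow %s %s:%s { %s };\n' "$(ctx_type "$src")" "$(ctx_type "$tgt")" "$cls" "$perms"
}

# bool_on NAME TEXT: succeeds if boolean NAME is "on" in TEXT
bool_on() { printf '%s\n' "$2" | grep -q "^$1 *--> *on\$"; }

# port_type_defined TYPE TEXT: succeeds if TYPE is listed as a port type in TEXT
port_type_defined() { printf '%s\n' "$2" | grep -q "^$1[[:space:]]"; }

# docker_cr_ready BOOLS PORTS: report each prerequisite; succeed only if all are met
docker_cr_ready() {
    rc=0
    for b in passenger_can_connect_docker_unix passenger_can_connect_docker_tcp; do
        if bool_on "$b" "$1"; then echo "ok: $b"; else echo "missing: $b (off or undefined)"; rc=1; fi
    done
    if port_type_defined docker_port_t "$2"; then echo "ok: docker_port_t defined"
    else echo "missing: docker_port_t (install docker-selinux)"; rc=1; fi
    return $rc
}

avc_summary "$SAMPLE_AVC"
docker_cr_ready "$SAMPLE_BOOLS" "$SAMPLE_PORTS"
```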
*** Bug 1319294 has been marked as a duplicate of this bug. ***
FailedQA.

@Sat6.2.0-Beta-SNAP5
foreman-selinux-1.11.0-1.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64
*** Bug 1321142 has been marked as a duplicate of this bug. ***
VERIFIED.

@Sat6.2.0-Beta-Snap6
foreman-selinux-1.11.0.0-2.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

Connections to a local docker using both the unix socket (unix:///var/run/docker.sock) and tcp (http://localhost:2375 or http://<hostname>:2375) succeed. Connection to a remote docker (http://<FQDN>:2375) is also successful. Yay.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500