Bug 1317011 - connection to docker compute resource is refused with 'Permission denied - connect(2)'
Summary: connection to docker compute resource is refused with 'Permission denied - co...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL: http://projects.theforeman.org/issues...
Whiteboard:
Duplicates: 1319294 1321142
Depends On:
Blocks: GSS_Sat6Beta_Tracker, GSS_Sat6_Tracker
 
Reported: 2016-03-11 17:10 UTC by Lukas Pramuk
Modified: 2019-09-26 14:46 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 09:06:14 UTC
Target Upstream Version:
Embargoed:




Links
System: Foreman Issue Tracker | ID: 13502 | Private: 0 | Priority: Normal | Status: Closed | Summary: Build failure on RHEL 7.2 - docker moved to separate package | Last Updated: 2019-12-09 14:26:25 UTC
System: Red Hat Product Errata | ID: RHBA-2016:1500 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: Red Hat Satellite 6.2 Base Libraries | Last Updated: 2016-07-27 12:24:38 UTC

Description Lukas Pramuk 2016-03-11 17:10:25 UTC
Description of problem:
Test Connection to local docker compute resource unix:///var/run/docker.sock is refused with 'Permission denied - connect(2)'

Version-Release number of selected component (if applicable):
@Sat6.2.0-Beta-SNAP2

How reproducible:
100%

Steps to Reproduce:

1. prepare docker host on sat6 machine (install katello certs, add foreman to docker grp, set docker to run under docker grp, restart docker)

2. UI: navigate to Infrastructure > Compute resources > New compute resource

3. UI: on Compute resource tab set URL as 'unix:///var/run/docker.sock' and hit Test Connection and error message is displayed:
 "Permission denied - connect(2) for /var/run/docker.sock (Errno::EACCES)"


Actual results:
test connection fails with error

Expected results:
test connection is successful

Additional info:
Behind the refused connection there are SELinux denials:

avc:  denied  { connectto } for  pid=72737 comm="diagnostic_con*" path="/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket

# audit2allow -a


#============= passenger_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:file { read getattr open };

Comment 3 Lukas Pramuk 2016-03-13 12:26:43 UTC
Test Connection to *remote* docker compute resource http://<DOCKER_HOST>:2375 is *also* refused with some more SELinux denials:

# audit2allow -a


#============= passenger_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:dir search;
allow passenger_t hwdata_t:file { read getattr open };

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, passenger_can_connect_all
allow passenger_t unreserved_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, passenger_can_connect_all
allow passenger_t zarafa_port_t:tcp_socket name_connect;

Comment 4 Lukas Zapletal 2016-03-15 12:07:29 UTC
cat /etc/redhat-release

rpm -q docker-selinux

Comment 5 Lukas Zapletal 2016-03-15 12:11:31 UTC
Assuming this was broken by pulling out docker policy from RHEL base core policy to separate subpackage, you only need to install docker-selinux to get it all working. Please confirm and we will add RPM dependency.

Comment 6 Lukas Pramuk 2016-03-15 13:14:59 UTC
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# rpm -q docker-selinux
docker-selinux-1.8.2-8.el7.x86_64

Comment 7 Lukas Pramuk 2016-03-15 20:18:35 UTC
# getsebool -a |grep passenger
passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on
passenger_can_connect_http_proxy --> on
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_connect_smtp --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

# semanage port -l | grep docker
<empty>

-------------------------------
With Satellite 6.1.7 @RHEL7.2 it works:

# getsebool -a |grep passenger
passenger_can_connect_all --> off
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

# semanage port -l | grep docker
docker_port_t                  tcp      2375-2376

Comment 8 Lukas Pramuk 2016-03-16 12:29:00 UTC
During Satellite installation there is related error:

...
  Installing : foreman-selinux-1.11.0-1.el7sat.noarch                   468/580
 
ValueError: Type docker_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0-1.el7sat.noarch

  Installing : katello-selinux-3.0.1.0-1. [                           ] 469/580
...

Comment 10 Brad Buckingham 2016-03-18 18:25:42 UTC
*** Bug 1319294 has been marked as a duplicate of this bug. ***

Comment 13 Lukas Pramuk 2016-03-24 08:14:33 UTC
FailedQA.

@Sat6.2.0-Beta-SNAP5
foreman-selinux-1.11.0-1.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

Comment 19 Stephen Benjamin 2016-03-24 19:00:09 UTC
*** Bug 1321142 has been marked as a duplicate of this bug. ***

Comment 20 Lukas Pramuk 2016-03-31 12:19:00 UTC
VERIFIED.

@Sat6.2.0-Beta-Snap6
foreman-selinux-1.11.0.0-2.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

Connections to a local docker using both unix socket (unix:///var/run/docker.sock) and tcp (http://localhost:2375 or http://<hostname>:2375) succeeds.

Connection to a remote docker (http://<FQDN>:2375) is also successful.

Yay.

Comment 22 errata-xmlrpc 2016-07-27 09:06:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500

