Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1327740

Summary: docker-latest run : Container command could not be invoked..
Product: Red Hat Enterprise Linux 7 Reporter: Ed Santiago <santiago>
Component: docker-latestAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: jcallaha, lsm5
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-16 14:05:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ed Santiago 2016-04-15 19:00:20 UTC 
Environment: docker-latest installed on RHEL7.2 virt. /etc/sysconfig/docker-latest-storage-setup includes VG=vg-docker, where vg-docker is properly set up.

   # systemctl stop docker
   # docker-latest-storage-setup
   # systemctl start docker-latest

docker run commands seem to fail consistently:

   # docker run docker.io/stackbrew/centos:7
   permission denied
   Error response from daemon: Container command could not be invoked.

It's SELinux-related: with "setenforce 0" it works. Possibly helpful, from /var/log/messages:

   Apr 15 14:56:07 localhost kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)

See below for audit.log.

   # rpm -qa|grep docker|sort
   docker-1.9.1-28.el7.x86_64
   docker-forward-journald-1.9.1-28.el7.x86_64
   docker-latest-1.10.3-9.el7.x86_64
   docker-selinux-1.10.3-5.el7.x86_64
   docker-utils-1.9.1-28.el7.x86_64

   # tail -f /var/log/audit/audit.log:

   type=VIRT_CONTROL msg=audit(1460746673.186:44223): pid=6700 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='auid=0 exe=? hostname=? reason=api op=create vm=? vm-pid=? user=?  exe="/usr/bin/docker-latest" hostname=? addr=? terminal=? res=success'
   type=VIRT_CONTROL msg=audit(1460746674.150:44224): pid=6700 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='vm-pid=0 user=? auid=0 exe=date hostname=a3a1b6d23ce2 reason=api op=attach vm=docker.io/stackbrew/centos:7  exe="/usr/bin/docker-latest" hostname=? addr=? terminal=? res=success'
   type=VIRT_CONTROL msg=audit(1460746674.153:44225): pid=6700 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='hostname=a3a1b6d23ce2 reason=api op=start vm=docker.io/stackbrew/centos:7 vm-pid=0 user=? auid=0 exe=date  exe="/usr/bin/docker-latest" hostname=? addr=? terminal=? res=success'
   type=ANOM_PROMISCUOUS msg=audit(1460746674.289:44226): dev=veth70e04ae prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
   type=SYSCALL msg=audit(1460746674.289:44226): arch=c000003e syscall=44 success=yes exit=40 a0=1b a1=c208de4270 a2=28 a3=0 items=0 ppid=6696 pid=6714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-latest" exe="/usr/bin/docker-latest" subj=system_u:system_r:initrc_t:s0 key=(null)
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=filter family=2 entries=0
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=raw family=2 entries=0
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=security family=2 entries=0
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=mangle family=2 entries=0
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=nat family=2 entries=0
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=filter family=10 entries=0
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=raw family=10 entries=0
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=security family=10 entries=0
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=mangle family=10 entries=0
   type=NETFILTER_CFG msg=audit(1460746674.513:44227): table=nat family=10 entries=0
   type=SYSCALL msg=audit(1460746674.513:44227): arch=c000003e syscall=56 success=yes exit=8604 a0=6c020011 a1=0 a2=0 a3=0 items=0 ppid=6696 pid=6714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-latest" exe="/usr/bin/docker-latest" subj=system_u:system_r:initrc_t:s0 key=(null)
   type=AVC msg=audit(1460746674.670:44228): avc:  denied  { transition } for  pid=8604 comm="exe" path="/usr/bin/date" dev="dm-3" ino=25167936 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c42,c688 tclass=process
   type=SYSCALL msg=audit(1460746674.670:44228): arch=c000003e syscall=59 success=no exit=-13 a0=c20854d710 a1=c20854d720 a2=c20800c340 a3=0 items=0 ppid=6700 pid=8604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/docker-latest" subj=system_u:system_r:initrc_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1460746674.814:44229): dev=veth70e04ae prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
   type=SYSCALL msg=audit(1460746674.814:44229): arch=c000003e syscall=44 success=yes exit=32 a0=e a1=c208c8fc00 a2=20 a3=0 items=0 ppid=6696 pid=6700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="docker-latest" exe="/usr/bin/docker-latest" subj=system_u:system_r:initrc_t:s0 key=(null)
Comment 2 Lokesh Mandvekar 2016-04-18 16:51:52 UTC 
(In reply to Ed Santiago from comment #0)
> Environment: docker-latest installed on RHEL7.2 virt.
> /etc/sysconfig/docker-latest-storage-setup includes VG=vg-docker, where
> vg-docker is properly set up.
> 
>    # systemctl stop docker
>    # docker-latest-storage-setup
>    # systemctl start docker-latest
> 
> docker run commands seem to fail consistently:
> 
>    # docker run docker.io/stackbrew/centos:7
>    permission denied
>    Error response from daemon: Container command could not be invoked.

Please try 'docker-latest run ...' instead of 'docker run'. docker-latest provides 'docker-latest' binary, while 'docker' binary will be provided by the 'docker' package.
Comment 3 Ed Santiago 2016-04-18 16:54:00 UTC 
I did; sorry about the copy/paste error. Both docker and docker-latest fail in the same way when docker-latest is running as daemon.
Comment 4 Lokesh Mandvekar 2016-04-18 17:27:33 UTC 
I think I did see this once, but that went away on using the correct version of docker-selinux. 

I just built an updated docker-latest-1.10.3-10 . Could you install this new version and retry in a few mins?

Also, please make sure you see this on upgrading:

$ rpm -q docker-selinux docker-latest
docker-selinux-1.9.1-28.el7.x86_64
docker-latest-1.10.3-10.el7.x86_64

docker-seinux is still on 1.9.1 (obtained from the main 'docker' package)
Comment 5 Ed Santiago 2016-04-18 17:51:10 UTC 
No joy:

    # yum upgrade docker-latest
    ...
    Updating:
     docker-latest     x86_64    1.10.3-10.el7       local     8.6 M
    Installing for dependencies:
     libseccomp        x86_64    2.2.1-1.el7         rhel7      49 k

    # systemctl restart docker-latest
    # docker-latest run docker.io/stackbrew/centos:7 date
    permission denied
    docker: Error response from daemon: Container command could not be invoked..

    # rpm -q docker-selinux docker-latest
    docker-selinux-1.9.1-28.el7.x86_64
    docker-latest-1.10.3-10.el7.x86_64

FWIW, I _did_ have docker-selinux-1.10.3-5.el7.x86_64 installed until this morning (fixed by yum downgrade; now on 1.9.1-28). Could its mere presence have screwed something up on my system?
Comment 6 Ed Santiago 2016-04-21 14:28:40 UTC 
Cannot reproduce problem in docker-latest-1.10.3-11.el7.x86_64
Comment 7 Lokesh Mandvekar 2016-05-16 14:05:09 UTC 
closing...