Description of problem:
When running docker container with fedora:25, error message

Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
Failed to set up the root directory for shared mount propagation: Operation not permitted

is shown.

Version-Release number of selected component (if applicable):
Fedora 25 host
docker-1.12.3-9.git47e22f2.fc25.x86_64
fedora:25 image with systemd-231-10.fc25.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. docker run --name systemd --rm -ti fedora:25 /usr/sbin/init

Actual results:
# docker run --name systemd --rm -ti fedora:25 /usr/sbin/init
Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
Failed to set up the root directory for shared mount propagation: Operation not permitted

Expected results:
No such error, like on fedora:24.

Additional info:
The same problem with fedora:rawhide which has systemd-231-11.fc26.x86_64.
The error goes away when I add -e container=docker to the docker run command.
(In reply to Jan Pazdziora from comment #2)
> The error goes away when I add -e container=docker to the docker run command.

Hence, issue can be easily avoided by adding "ENV container docker" to Dockerfiles [1] used to build Fedora Docker images. Also, container environment variable is documented in our upstream wiki page [2] (see section "Environment Variables")

[1] https://github.com/fedora-cloud/docker-brew-fedora/blob/25/Dockerfile
[2] https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/

FWIW, I just retested the reproducer on F24 and I had to add -e container=docker to docker client command line in order to get logs on terminal. I'd argue that to make container with systemd inside actually useful you have to set container env variable properly. At any rate, it is single line in base image docker file or in your own docker file. I'd much prefer having it in the base image though.
(In reply to Michal Sekletar from comment #3)
> (In reply to Jan Pazdziora from comment #2)
> > The error goes away when I add -e container=docker to the docker run command.
>
> Hence, issue can be easily avoided by adding "ENV container docker" to
> Dockerfiles [1] used to build Fedora Docker images.

Right. Could you please work with the responsible parties to do that?

> Also, container
> environment variable is documented in our upstream wiki page [2] (see
> section "Environment Variables")
>
> [1] https://github.com/fedora-cloud/docker-brew-fedora/blob/25/Dockerfile
> [2] https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
>
> FWIW, I just retested the reproducer on F24 and I had to add -e
> container=docker to docker client command line in order to get logs on
> terminal.

Right. Nonetheless, there was no error message about /sys/fs/selinux with fedora:24 and there suddenly was one with fedora:25, that's why I filed that as a regression.

> I'd argue that to make container with systemd inside actually
> useful you have to set container env variable properly. At any rate, it is
> single line in base image docker file or in your own docker file. I'd much
> prefer having it in the base image though.

Certainly.
Note that

$ docker run --name systemd --rm -ti rhel7 bash -c 'echo $container'
docker

so adding the environment variable to fedora images is just matching what RHEL is doing already. OTOH, centos:centos7 does not seem to have the variable set, so for seamless systemd in all related OSes, it'd be good to have it added to that base image as well.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
On Fedora 26 with

docker-1.13.1-40.git877b6df.fc26.x86_64
selinux-policy-3.13.1-260.14.fc26.noarch
container-selinux-2.28-1.fc26.noarch
oci-systemd-hook-0.1.13-1.gitafe4b4a.fc26.x86_64

and

setsebool -P container_manage_cgroup 1

I still see

# docker run --name systemd --rm -ti fedora:26 /usr/sbin/init
Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
Failed to set up the root directory for shared mount propagation: Operation not permitted

and

# docker run --name systemd -e container=oci --rm -ti fedora:26 /usr/sbin/init
[ no output due to other bug, no error ]

Also, I still see

# for i in rhel7 fedora:25 fedora:26 fedora:27 ; do echo -n "$i: " ; docker run --rm -ti $i bash -c 'echo $container' ; done
rhel7: oci
fedora:25:
fedora:26:
fedora:27:

Can you work with the maintainers / authors of the Fedora base container images to set the variable if systemd needs it?
Potential duplicate of this bugzilla is bug 1506965.
(In reply to Jan Pazdziora from comment #7)
> Can you work with the maintainers / authors of the Fedora base container
> images to set the variable if systemd needs it?

I submitted the PR with the variable export months ago. Got no response so far, https://github.com/fedora-cloud/docker-brew-fedora/pull/45
Dan, could we get some review on that https://github.com/fedora-cloud/docker-brew-fedora/pull/45 change? Or is there a different / better place where this should be changed?
The pull request has been merged but as noted in https://github.com/fedora-cloud/docker-brew-fedora/pull/45#issuecomment-361046961, we still do not see it reflected in images that have been built since. Do we have any idea what the process of proposing changes to fedora images is?
Matt, any idea what the schedule / plan for Fedora base container image respin is? We'd like to see the change from merged https://github.com/fedora-cloud/docker-brew-fedora/pull/45 in the images but even the images built in January like

registry.fedoraproject.org/fedora   27   9881e4229c95   5 weeks ago   252 MB
registry.fedoraproject.org/fedora   26   5299737a1de4   5 weeks ago   232 MB

do not seem to have the environment variable set.

Thank you,

Jan
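The check discussed in the comments above (does a base image set the container variable?) can be made from the image configuration without starting a container. This is an added example, not part of the bug thread or of any Fedora tooling; the function names are hypothetical and the sample Env lines are constructed. With image names as arguments it queries docker image inspect, with none it runs on the constructed samples.

```shell
#!/bin/sh
# Added example: report whether an image's configuration sets the
# `container` environment variable discussed in this bug.
# Function names are hypothetical; sample Env lines are constructed.

# Read KEY=VALUE lines on stdin and print the value of `container`.
# Exit status: 0 if the variable is present, 1 if it is absent.
container_env_value() {
    awk '
        # Match only the exact name, not e.g. DISTTAG=f27container.
        index($0, "container=") == 1 { val = substr($0, 11); found = 1 }
        END { if (found) print val; exit(found ? 0 : 1) }
    '
}

# Classify one image from its Env lines on stdin.
classify_image() {
    image=$1
    if value=$(container_env_value); then
        if [ -n "$value" ]; then
            echo "$image: container=$value"
        else
            echo "$image: container is set but empty"
        fi
    else
        echo "$image: container is NOT set"
    fi
}

# Inspect real images: Config.Env is read from image metadata, so no
# container is started.
audit_images() {
    for img in "$@"; do
        docker image inspect \
            --format '{{range .Config.Env}}{{println .}}{{end}}' "$img" |
            classify_image "$img"
    done
}

if [ "$#" -gt 0 ]; then
    audit_images "$@"
else
    # Constructed sample data, shaped like the output seen in the thread.
    printf 'PATH=/usr/bin\ncontainer=oci\n' | classify_image rhel7
    printf 'PATH=/usr/bin\nDISTTAG=f27container\n' | classify_image fedora:27
fi
```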
The issue is still present on Fedora 27 images.
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Jan, is this still an issue in F29?
Yes:

$ rpm -q docker
docker-1.13.1-62.git9cb56fd.fc29.x86_64
$ docker run --name systemd --rm -ti registry.fedoraproject.org/fedora:29 /usr/sbin/init
Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
Failed to set up the root directory for shared mount propagation: Operation not permitted
$ docker run --name systemd -e container=oci --rm -ti fedora:29 /usr/sbin/init
[ no output here ]
Moving to distribution component per recommendation from other bugzillas.
Moving to Fedora Containers -> base
That should get fixed once https://pagure.io/pungi-fedora/pull-request/734 is merged and we release a new image to the registry.
Closing this bug as Fedora 29 went EOL on 2019-11-26.