Bug 1410665 - Docker doesn't seem to work on rawhide, with unconfined disabled.
Summary: Docker doesn't seem to work on rawhide, with unconfined disabled.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 26
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-06 03:37 UTC by Robin Powell
Modified: 2018-05-25 15:13 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-25 15:13:23 UTC
Type: Bug


Attachments (Terms of Use)

Description Robin Powell 2017-01-06 03:37:58 UTC
As always, I'm running with unconfined disabled.

The dockerfile for my container looks like so:

[sampre@vrici jbotcan_mariadb]$ cat Dockerfile
FROM mariadb:10.1.20

RUN usermod -u 1085 mysql
RUN find / -xdev -user 999 -print0 | xargs -0 chown mysql
RUN groupmod -g 1085 mysql
RUN find / -xdev -group 999 -print0 | xargs -0 chgrp mysql

Attempting to build that Docker container fails on the usermod step.  I've tried various experiments, and literally every RUN line in there will fail.  Here's the failure:

[sampre@vrici jbotcan_mariadb]$ sudo docker kill jbotcan_mariadb
Error response from daemon: Cannot kill container jbotcan_mariadb: Container 6f57b7a4320c40504092eb23185ebb17a753f8034baab672e1fb210a40a6d777 is not running
[sampre@vrici jbotcan_mariadb]$ sudo docker rm jbotcan_mariadb
jbotcan_mariadb
[sampre@vrici jbotcan_mariadb]$ sudo docker build --no-cache -t sampre/jbotcan_mariadb .
Sending build context to Docker daemon 119.6 MB
Step 1 : FROM mariadb:10.1.20
 ---> c9466db443d8
Step 2 : RUN usermod -u 1085 mysql
 ---> Running in dc0d3999b717
container_linux.go:247: starting container process caused "process_linux.go:258: applying cgroup configuration for process caused \"SELinux policy denies access.\""
invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:258: applying cgroup configuration for process caused \\\"SELinux policy denies access.\\\"\"\n"

If I use "setenforce 0" to build the thing and then turn enforcing back on, I also get errors when I try to run it:

[sampre@vrici jbotcan_mariadb]$ sudo /bin/docker run --name jbotcan_mariadb -v /home/sampre/jbotcan_mariadb/db:/var/lib/mysql -d sampre/jbotcan_mariadb
9191f4f6d95c7e7e4ae6e005fb9ea25284eb659dc050cf428bc57d382f6e3d0a
/usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:258: applying cgroup configuration for process caused \\\"SELinux policy denies access.\\\"\"\n".

Here  https://paste.fedoraproject.org/520567/67384914 are all the AVCs resulting from the following 4 lines:

sudo docker build --no-cache -t sampre/jbotcan_mariadb .
sudo docker kill jbotcan_mariadb
sudo docker rm jbotcan_mariadb
sudo /bin/docker run --name jbotcan_mariadb -v /home/sampre/jbotcan_mariadb/db:/var/lib/mysql -d sampre/jbotcan_mariadb

Comment 1 Robin Powell 2017-01-06 03:57:00 UTC
The following seems to do the trick; no idea if it's a good solution:

policy_module(MYLOCAL_dockerbugs1410665,1.0.0)

require {
        type container_runtime_t;
        type container_plugin_var_run_t;
        type init_t;
        type init_var_run_t;

        class dir read;
        class system { start stop };
        class service start;
}

#============= container_runtime_t ==============
allow container_runtime_t container_plugin_var_run_t:dir read;
allow container_runtime_t init_t:system { start stop };
allow container_runtime_t init_var_run_t:service start;

Comment 2 Lukas Vrabec 2017-01-06 09:31:03 UTC
Docker policy is shipped by docker team. 

Dan, 
Could you look on it? 

Thanks.

Comment 3 Daniel Walsh 2017-01-06 14:06:39 UTC
Could you add the raw AVCs. What system service is docker starting and stopping?

Comment 4 Robin Powell 2017-01-06 21:26:08 UTC
The raw AVCs are in the last link in my first comment.  Repeating:

Here  https://paste.fedoraproject.org/520567/67384914 are all the AVCs resulting from the following 4 lines:

sudo docker build --no-cache -t sampre/jbotcan_mariadb .
sudo docker kill jbotcan_mariadb
sudo docker rm jbotcan_mariadb
sudo /bin/docker run --name jbotcan_mariadb -v /home/sampre/jbotcan_mariadb/db:/var/lib/mysql -d sampre/jbotcan_mariadb

Comment 5 Fedora End Of Life 2017-02-28 10:53:44 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 6 Fedora End Of Life 2018-05-03 08:12:08 UTC
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 7 Robin Powell 2018-05-25 15:13:23 UTC
Confirmed fixed on Fedora 27.


Note You need to log in before you can comment on or make changes to this bug.