Hide Forgot
Description of problem: With latest RHEL 7.3 / OCP 3.3 as of 2017-01-12 OCP deployment fails, I'm seeing the following when e.g. docker-registry-1-deploy / router-1-deploy pods are in ContainerCreating state during OCP deployment: [root@infra01 ~]# rpm -q selinux-policy docker docker-selinux container-selinux selinux-policy-3.13.1-102.el7_3.7.noarch docker-1.10.3-59.el7.x86_64 package docker-selinux is not installed container-selinux-1.10.3-59.el7.x86_64 [root@infra01 ~]# grep denied /var/log/audit/audit.log | head -n 1 type=AVC msg=audit(1484251796.227:1917): avc: denied { transition } for pid=15134 comm="exe" path="/usr/bin/pod" dev="dm-4" ino=2104360 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c0,c5 tclass=process [root@infra01 ~]# grep -c denied /var/log/audit/audit.log 93 If SELinux is in Permissive, things works as expected. Thanks.
Our latest docker is docker-1.12.5-14.el7
(In reply to Daniel Walsh from comment #1) > Our latest docker is docker-1.12.5-14.el7 On our public RHEL channels we have: docker-1.10.3-59.el7.x86_64 docker-latest-1.12.3-10.el7.x86_64 The docker-latest package provides docker-latest service and configuration files but OCP packages have dependencies to the docker (not docker-latest) package and they use the docker service and configurations (not docker-latest). Thanks.
I'm happy to confirm docker 1.12.5-14 (to be officially released in few days) fixes this issue. I filed two other BZs on remotely related lower impact issues: https://bugzilla.redhat.com/show_bug.cgi?id=1413535 https://bugzilla.redhat.com/show_bug.cgi?id=1413536 Thanks.
This issue is fixed in current releases, closing. Thanks. container-selinux-2.9-4.el7.noarch docker-1.12.6-11.el7.x86_64 selinux-policy-3.13.1-102.el7_3.16.noarch