Description of problem:

[esauer@localhost ~]$ sudo setenforce 1
[esauer@localhost ~]$ docker run hello-world
container_linux.go:247: starting container process caused "process_linux.go:334: running prestart hook 1 caused \"error running hook: exit status 1, stdout: , stderr: \""
/usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:334: running prestart hook 1 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\"\n".
[esauer@localhost ~]$ sudo setenforce 0
[esauer@localhost ~]$ docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker Hub account:
 https://hub.docker.com

For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

Version-Release number of selected component (if applicable):

[esauer@localhost ~]$ cat /etc/fedora-release
Fedora release 25 (Twenty Five)
[esauer@localhost ~]$ docker --version
Docker version 1.12.5, build 03508cc/1.12.5
[esauer@localhost ~]$ rpm -qa | grep docker
docker-common-1.12.5-4.git03508cc.fc25.x86_64
devassistant-dap-docker-0.11-3.fc24.noarch
docker-1.12.5-4.git03508cc.fc25.x86_64
[esauer@localhost ~]$ rpm -qa | grep container
skopeo-containers-0.1.14-5.git550a480.fc25.x86_64
plexus-containers-component-annotations-1.6-6.fc25.noarch
container-selinux-1.12.5-4.git03508cc.fc25.x86_64
systemd-container-231-10.fc25.x86_64

How reproducible:

sudo setenforce 1
docker run hello-world

Actual results:

Error message:
container_linux.go:247: starting container process caused "process_linux.go:334: running prestart hook 1 caused \"error running hook: exit status 1, stdout: , stderr: \""
/usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:334: running prestart hook 1 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\"\n".

Expected results:

running container.

Additional info:
I made some comments on the following closed bug: https://bugzilla.redhat.com/show_bug.cgi?id=1405131

It seems I'm continuing to have these problems in package versions beyond when that was fixed.
dnf reinstall container-selinux

Does it successfully install? We have a new container-selinux in updates-testing as well.
No, it doesn't.

[esauer@localhost ~]$ sudo dnf reinstall container-selinux
Last metadata expiration check: 3:29:00 ago on Thu Jan 26 16:26:58 2017.
Installed package container-selinux-2:1.12.5-4.git03508cc.fc25.x86_64 (from updates) not available.
Error: Nothing to do.
I also tried completely uninstalling container-selinux, then reinstalling docker. During the install of container-selinux I get a bad declaration error:

Re-declaration of type docker_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/400/docker/cil:32
/usr/sbin/semodule: Failed!

Full output below:

$ sudo dnf install docker
Last metadata expiration check: 3:55:08 ago on Thu Jan 26 16:26:58 2017.
Dependencies resolved.
================================================================================
 Package               Arch    Version                       Repository    Size
================================================================================
Installing:
 container-selinux     noarch  2:2.2-2.fc25                  updates       28 k
 docker                x86_64  2:1.12.6-5.git037a2f5.fc25    updates       17 M
 docker-common         x86_64  2:1.12.6-5.git037a2f5.fc25    updates       71 k
 oci-register-machine  x86_64  0-2.7.gitbb20b00.fc25         fedora       954 k
 oci-systemd-hook      x86_64  0.1.4-4.git15c2f48.fc25       updates       32 k
 skopeo-containers     x86_64  0.1.17-1.dev.git2b3af4a.fc25  updates      9.2 k

Transaction Summary
================================================================================
Install  6 Packages

Total download size: 18 M
Installed size: 63 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): container-selinux-2.2-2.fc25.noarch.rpm                    112 kB/s |  28 kB  00:00
(2/6): docker-common-1.12.6-5.git037a2f5.fc25.x86_64.rpm          190 kB/s |  71 kB  00:00
(3/6): skopeo-containers-0.1.17-1.dev.git2b3af4a.fc25.x86_64.rpm   47 kB/s | 9.2 kB  00:00
(4/6): oci-systemd-hook-0.1.4-4.git15c2f48.fc25.x86_64.rpm        124 kB/s |  32 kB  00:00
(5/6): oci-register-machine-0-2.7.gitbb20b00.fc25.x86_64.rpm      532 kB/s | 954 kB  00:01
(6/6): docker-1.12.6-5.git037a2f5.fc25.x86_64.rpm                 717 kB/s |  17 MB  00:24
--------------------------------------------------------------------------------
Total                                                             722 kB/s |  18 MB  00:26
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : skopeo-containers-0.1.17-1.dev.git2b3af4a.fc25.x86_64   1/6
  Installing  : docker-common-2:1.12.6-5.git037a2f5.fc25.x86_64         2/6
  Installing  : container-selinux-2:2.2-2.fc25.noarch                   3/6
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/400/docker/cil:32
/usr/sbin/semodule: Failed!
  Installing  : docker-2:1.12.6-5.git037a2f5.fc25.x86_64                4/6
  Installing  : oci-register-machine-0-2.7.gitbb20b00.fc25.x86_64       5/6
  Installing  : oci-systemd-hook-0.1.4-4.git15c2f48.fc25.x86_64         6/6
  Verifying   : docker-2:1.12.6-5.git037a2f5.fc25.x86_64                1/6
  Verifying   : container-selinux-2:2.2-2.fc25.noarch                   2/6
  Verifying   : docker-common-2:1.12.6-5.git037a2f5.fc25.x86_64         3/6
  Verifying   : skopeo-containers-0.1.17-1.dev.git2b3af4a.fc25.x86_64   4/6
  Verifying   : oci-systemd-hook-0.1.4-4.git15c2f48.fc25.x86_64         5/6
  Verifying   : oci-register-machine-0-2.7.gitbb20b00.fc25.x86_64       6/6

Installed:
  container-selinux.noarch 2:2.2-2.fc25
  docker.x86_64 2:1.12.6-5.git037a2f5.fc25
  docker-common.x86_64 2:1.12.6-5.git037a2f5.fc25
  oci-register-machine.x86_64 0-2.7.gitbb20b00.fc25
  oci-systemd-hook.x86_64 0.1.4-4.git15c2f48.fc25
  skopeo-containers.x86_64 0.1.17-1.dev.git2b3af4a.fc25

Complete!
Can you try the container-selinux that is in updates-testing?
Same result:

[root@localhost ~]# dnf config-manager --set-enabled updates-testing
[root@localhost ~]# dnf update container-selinux
[..]
Upgrading:
 container-selinux noarch 2:2.5-1.fc25 updates-testing
[...]
  Upgrading : container-selinux-2:2.5-1.fc25.noarch 1/2
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/400/docker/cil:32
/usr/sbin/semodule: Failed!
[...]
[root@localhost ~]# docker run hello-world
container_linux.go:247: starting container process caused "process_linux.go:334: running prestart hook 1 caused \"error running hook: exit status 1, stdout: , stderr: \""
/usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:334: running prestart hook 1 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\"\n".

It seems like either the semodule that's trying to be applied is bad, or that semodule itself is broken. I've been able to reproduce that same error message by manually applying the .pp file that is generated for me in the AVC denial message:

[root@localhost ~]# ausearch -c 'docker-containe' --raw | audit2allow -M my-dockercontaine
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-dockercontaine.pp

[root@localhost ~]# semodule -X 300 -i my-dockercontaine.pp
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:152
semodule: Failed!
This looks like you have multiple docker policies installed.

Do you have docker-engine-selinux installed?

rpm -q docker-engine-selinux docker-selinux
No I do not.

[root@localhost ~]# rpm -q docker-engine-selinux docker-selinux
package docker-engine-selinux is not installed
package docker-selinux is not installed
[root@localhost ~]# rpm -qa | grep 'docker\|containe'
systemd-container-231-12.fc25.x86_64
container-selinux-2.5-1.fc25.noarch
docker-1.12.6-5.git037a2f5.fc25.x86_64
skopeo-containers-0.1.17-1.dev.git2b3af4a.fc25.x86_64
plexus-containers-component-annotations-1.6-6.fc25.noarch
devassistant-dap-docker-0.11-3.fc24.noarch
docker-common-1.12.6-5.git037a2f5.fc25.x86_64
Eric, do you still have this issue with the latest container-selinux package installed?
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.