Bug 1420591 - ocp installation failed when using docker 1.12.6-2
Summary: ocp installation failed when using docker 1.12.6-2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Lokesh Mandvekar
QA Contact: Martin Jenner
URL:
Whiteboard: aos-scalability-35
Duplicates: 1422637 1423497
Depends On:
Blocks:
Reported: 2017-02-09 02:56 UTC by Wenkai Shi
Modified: 2017-03-02 19:11 UTC (History)

Fixed In Version: container-selinux-2:2.9-3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-02 19:11:09 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:0416 0 normal SHIPPED_LIVE new package: container-selinux 2017-03-03 00:07:50 UTC

Description Wenkai Shi 2017-02-09 02:56:24 UTC
Description of problem:
OCP installation failed when using docker 1.12.6-2. After the installation failed, I ran the "setenforce 0" command and the docker restart succeeded; then I ran "setenforce 1" and restarted docker, and it still succeeded.

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.5.5-1.git.0.3ae2138.el7
docker-client-1.12.6-2.el7.x86_64
docker-rhel-push-plugin-1.12.6-2.el7.x86_64
docker-1.12.6-2.el7.x86_64
docker-common-1.12.6-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install OCP 3.5 with Docker 1.12.6-2
2.
3.

Actual results:
[root@ansible ~]# ansible-playbook -i hosts -v /usr/share/ansible/openshift-ansible/playbooks/byo/config
...
TASK [Enable and start the docker service] *************************************
Thursday 09 February 2017  01:19:51 +0000 (0:00:00.209)       0:02:16.098 ***** 
fatal: [master.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service docker: A dependency job for docker.service failed. See 'journalctl -xe' for details.\n"}
fatal: [node.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service docker: A dependency job for docker.service failed. See 'journalctl -xe' for details.\n"}
...

Expected results:
Install succeeds

Additional info:
[root@master ~]# systemctl status docker 
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: http://docs.docker.com

Feb 08 20:54:42 master.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
Feb 08 20:54:42 master.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.

[root@master ~]# journalctl -xe -u docker
-- Logs begin at Wed 2017-02-08 20:51:18 EST, end at Wed 2017-02-08 21:24:42 EST. --
Feb 08 20:54:42 master.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has failed.
-- 
-- The result is dependency.
Feb 08 20:54:42 master.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.
[root@master ~]# systemctl restart docker
[root@master ~]# journalctl -xe -u docker
Feb 08 21:34:20 master.example.com polkitd[580]: Registered Authentication Agent for unix-process:11031:258227 (system bus name :1.29 [/usr/bin/pkttyagent --not
Feb 08 21:34:20 master.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_var_run_t:s0 for /run/docker: Invalid argument
Feb 08 21:34:20 master.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_plugin_var_run_t:s0 for /run/docker/plugins/rhel-
Feb 08 21:34:20 master.example.com systemd[1]: rhel-push-plugin.socket failed to listen on sockets: Invalid argument
Feb 08 21:34:20 master.example.com systemd[1]: Failed to listen on Docker Block RHEL push plugin Socket for the API.
-- Subject: Unit rhel-push-plugin.socket has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit rhel-push-plugin.socket has failed.
-- 
-- The result is failed.
Feb 08 21:34:20 master.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has failed.
-- 
-- The result is dependency.
Feb 08 21:34:20 master.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.

Comment 2 Wenkai Shi 2017-02-09 07:10:26 UTC
I think the root cause may be related to container-selinux-2.7-1.el7.noarch; see the console output below:

[root@test ~]# yum install docker -y 
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel73                                                                                                                                                                 | 4.1 kB  00:00:00     
rhel73-extra                                                                                                                                                           | 3.0 kB  00:00:00     
(1/3): rhel73-extra/primary_db                                                                                                                                         |  39 kB  00:00:01     
(2/3): rhel73/group_gz                                                                                                                                                 | 136 kB  00:00:02     
(3/3): rhel73/primary_db                                                                                                                                               | 3.9 MB  00:00:10     
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.12.6-2.el7 will be installed
--> Processing Dependency: docker-client = 2:1.12.6-2.el7 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: docker-common = 2:1.12.6-2.el7 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: docker-rhel-push-plugin = 2:1.12.6-2.el7 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: container-selinux >= 2:2.7-1 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: oci-register-machine >= 1:0-1.11 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: oci-systemd-hook >= 1:0.1.4-9 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: skopeo-containers for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: libseccomp.so.2()(64bit) for package: 2:docker-1.12.6-2.el7.x86_64
--> Running transaction check
---> Package container-selinux.noarch 2:2.7-1.el7 will be installed
---> Package docker-client.x86_64 2:1.12.6-2.el7 will be installed
---> Package docker-common.x86_64 2:1.12.6-2.el7 will be installed
---> Package docker-rhel-push-plugin.x86_64 2:1.12.6-2.el7 will be installed
---> Package libseccomp.x86_64 0:2.3.1-2.el7 will be installed
---> Package oci-register-machine.x86_64 1:0-1.11.gitdd0daef.el7 will be installed
---> Package oci-systemd-hook.x86_64 1:0.1.4-10.git0c91618.el7 will be installed
--> Processing Dependency: libyajl.so.2()(64bit) for package: 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64
---> Package skopeo-containers.x86_64 1:0.1.18-1.el7 will be installed
--> Running transaction check
---> Package yajl.x86_64 0:2.0.4-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================================
 Package                                             Arch                               Version                                                Repository                                Size
==============================================================================================================================================================================================
Installing:
 docker                                              x86_64                             2:1.12.6-2.el7                                         rhel73-extra                              20 M
Installing for dependencies:
 container-selinux                                   noarch                             2:2.7-1.el7                                            rhel73-extra                              26 k
 docker-client                                       x86_64                             2:1.12.6-2.el7                                         rhel73-extra                             4.4 M
 docker-common                                       x86_64                             2:1.12.6-2.el7                                         rhel73-extra                              70 k
 docker-rhel-push-plugin                             x86_64                             2:1.12.6-2.el7                                         rhel73-extra                             2.0 M
 libseccomp                                          x86_64                             2.3.1-2.el7                                            rhel73                                    56 k
 oci-register-machine                                x86_64                             1:0-1.11.gitdd0daef.el7                                rhel73-extra                             1.0 M
 oci-systemd-hook                                    x86_64                             1:0.1.4-10.git0c91618.el7                              rhel73-extra                              29 k
 skopeo-containers                                   x86_64                             1:0.1.18-1.el7                                         rhel73-extra                             7.6 k
 yajl                                                x86_64                             2.0.4-4.el7                                            rhel73                                    39 k

Transaction Summary
==============================================================================================================================================================================================
Install  1 Package (+9 Dependent packages)

Total download size: 28 M
Installed size: 110 M
Downloading packages:
(1/10): container-selinux-2.7-1.el7.noarch.rpm                                                                                                                         |  26 kB  00:00:01     
(2/10): docker-client-1.12.6-2.el7.x86_64.rpm                                                                                                                          | 4.4 MB  00:00:20     
(3/10): docker-common-1.12.6-2.el7.x86_64.rpm                                                                                                                          |  70 kB  00:00:01     
(4/10): libseccomp-2.3.1-2.el7.x86_64.rpm                                                                                                                              |  56 kB  00:00:01     
(5/10): docker-rhel-push-plugin-1.12.6-2.el7.x86_64.rpm                                                                                                                | 2.0 MB  00:00:08     
(6/10): oci-register-machine-0-1.11.gitdd0daef.el7.x86_64.rpm                                                                                                          | 1.0 MB  00:00:05     
(7/10): oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64.rpm                                                                                                            |  29 kB  00:00:01     
(8/10): skopeo-containers-0.1.18-1.el7.x86_64.rpm                                                                                                                      | 7.6 kB  00:00:01     
(9/10): yajl-2.0.4-4.el7.x86_64.rpm                                                                                                                                    |  39 kB  00:00:01     
(10/10): docker-1.12.6-2.el7.x86_64.rpm                                                                                                                                |  20 MB  00:00:58     
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                         486 kB/s |  28 MB  00:00:58     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:docker-common-1.12.6-2.el7.x86_64                                                                                                                                       1/10 
  Installing : 2:docker-client-1.12.6-2.el7.x86_64                                                                                                                                       2/10 
  Installing : 2:container-selinux-2.7-1.el7.noarch                                                                                                                                      3/10 
Failed to resolve booleanif statement at /etc/selinux/targeted/tmp/modules/200/container/cil:1027
/usr/sbin/semodule:  Failed!
  Installing : libseccomp-2.3.1-2.el7.x86_64                                                                                                                                             4/10 
  Installing : yajl-2.0.4-4.el7.x86_64                                                                                                                                                   5/10 
  Installing : 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64                                                                                                                         6/10 
  Installing : 1:oci-register-machine-0-1.11.gitdd0daef.el7.x86_64                                                                                                                       7/10 
  Installing : 2:docker-rhel-push-plugin-1.12.6-2.el7.x86_64                                                                                                                             8/10 
  Installing : 1:skopeo-containers-0.1.18-1.el7.x86_64                                                                                                                                   9/10 
  Installing : 2:docker-1.12.6-2.el7.x86_64                                                                                                                                             10/10 
rhel73/productid                                                                                                                                                       | 1.6 kB  00:00:00     
  Verifying  : 1:skopeo-containers-0.1.18-1.el7.x86_64                                                                                                                                   1/10 
  Verifying  : 2:docker-1.12.6-2.el7.x86_64                                                                                                                                              2/10 
  Verifying  : 2:docker-rhel-push-plugin-1.12.6-2.el7.x86_64                                                                                                                             3/10 
  Verifying  : 2:docker-common-1.12.6-2.el7.x86_64                                                                                                                                       4/10 
  Verifying  : 1:oci-register-machine-0-1.11.gitdd0daef.el7.x86_64                                                                                                                       5/10 
  Verifying  : yajl-2.0.4-4.el7.x86_64                                                                                                                                                   6/10 
  Verifying  : libseccomp-2.3.1-2.el7.x86_64                                                                                                                                             7/10 
  Verifying  : 2:docker-client-1.12.6-2.el7.x86_64                                                                                                                                       8/10 
  Verifying  : 2:container-selinux-2.7-1.el7.noarch                                                                                                                                      9/10 
  Verifying  : 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64                                                                                                                        10/10 

Installed:
  docker.x86_64 2:1.12.6-2.el7                                                                                                                                                                

Dependency Installed:
  container-selinux.noarch 2:2.7-1.el7  docker-client.x86_64 2:1.12.6-2.el7                  docker-common.x86_64 2:1.12.6-2.el7                docker-rhel-push-plugin.x86_64 2:1.12.6-2.el7 
  libseccomp.x86_64 0:2.3.1-2.el7       oci-register-machine.x86_64 1:0-1.11.gitdd0daef.el7  oci-systemd-hook.x86_64 1:0.1.4-10.git0c91618.el7  skopeo-containers.x86_64 1:0.1.18-1.el7       
  yajl.x86_64 0:2.0.4-4.el7            

Complete!
[root@test ~]# systemctl start docker 
A dependency job for docker.service failed. See 'journalctl -xe' for details.


[root@test ~]# journalctl -xe
...
Feb 09 01:50:29 test.example.com yum[10391]: Installed: 2:docker-common-1.12.6-2.el7.x86_64
Feb 09 01:50:32 test.example.com yum[10391]: Installed: 2:docker-client-1.12.6-2.el7.x86_64
Feb 09 01:50:50 test.example.com dbus[603]: avc:  received policyload notice (seqno=2)
Feb 09 01:50:50 test.example.com dbus-daemon[603]: dbus[603]: avc:  received policyload notice (seqno=2)
Feb 09 01:50:50 test.example.com dbus[603]: [system] Reloaded configuration
Feb 09 01:50:50 test.example.com dbus-daemon[603]: dbus[603]: [system] Reloaded configuration
Feb 09 01:50:51 test.example.com setsebool[10417]: The virt_use_nfs policy boolean was changed to 1 by root
Feb 09 01:50:51 test.example.com setsebool[10417]: The virt_sandbox_use_all_caps policy boolean was changed to 1 by root
Feb 09 01:52:03 test.example.com kernel: SELinux: 2048 avtab hash slots, 103956 rules.
Feb 09 01:52:03 test.example.com kernel: SELinux: 2048 avtab hash slots, 103956 rules.
Feb 09 01:52:03 test.example.com kernel: SELinux:  8 users, 14 roles, 4956 types, 300 bools, 1 sens, 1024 cats
Feb 09 01:52:03 test.example.com kernel: SELinux:  91 classes, 103956 rules
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:unconfined_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:docker_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:spc_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:docker_auth_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:gear_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:docker_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:spc_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:docker_auth_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:unconfined_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:object_r:docker_config_t:s0 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:object_r:docker_config_t:s0 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:gear_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:object_r:docker_exec_t:s0 became invalid (unmapped).
Feb 09 01:52:04 test.example.com dbus[603]: avc:  received policyload notice (seqno=3)
Feb 09 01:52:05 test.example.com dbus-daemon[603]: dbus[603]: avc:  received policyload notice (seqno=3)
Feb 09 01:52:05 test.example.com dbus-daemon[603]: dbus[603]: [system] Reloaded configuration
Feb 09 01:52:05 test.example.com dbus[603]: [system] Reloaded configuration
Feb 09 01:52:06 test.example.com yum[10391]: Installed: 2:container-selinux-2.7-1.el7.noarch
Feb 09 01:52:10 test.example.com yum[10391]: Installed: libseccomp-2.3.1-2.el7.x86_64
Feb 09 01:52:15 test.example.com yum[10391]: Installed: yajl-2.0.4-4.el7.x86_64
Feb 09 01:52:17 test.example.com yum[10391]: Installed: 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64
Feb 09 01:52:18 test.example.com yum[10391]: Installed: 1:oci-register-machine-0-1.11.gitdd0daef.el7.x86_64
Feb 09 01:52:19 test.example.com yum[10391]: Installed: 2:docker-rhel-push-plugin-1.12.6-2.el7.x86_64
Feb 09 01:52:21 test.example.com yum[10391]: Installed: 1:skopeo-containers-0.1.18-1.el7.x86_64
Feb 09 01:52:21 test.example.com useradd[10442]: new group: name=dockerroot, GID=993
Feb 09 01:52:21 test.example.com useradd[10442]: new user: name=dockerroot, UID=996, GID=993, home=/var/lib/docker, shell=/sbin/nologin
Feb 09 01:52:30 test.example.com systemd[1]: Reloading.
Feb 09 01:52:30 test.example.com systemd[1]: [/usr/lib/systemd/system/microcode.service:10] Trailing garbage, ignoring.
Feb 09 01:52:30 test.example.com systemd[1]: microcode.service lacks both ExecStart= and ExecStop= setting. Refusing.
Feb 09 01:52:30 test.example.com yum[10391]: Installed: 2:docker-1.12.6-2.el7.x86_64
Feb 09 01:52:48 test.example.com polkitd[618]: Registered Authentication Agent for unix-process:10464:116328 (system bus name :1.29 [/usr/bin/pkttyagent --notify-
Feb 09 01:52:48 test.example.com systemd[1]: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
Feb 09 01:52:48 test.example.com systemd[1]: Starting Docker Storage Setup...
-- Subject: Unit docker-storage-setup.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker-storage-setup.service has begun starting up.
Feb 09 01:52:48 test.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_var_run_t:s0 for /run/docker: Invalid argument
Feb 09 01:52:48 test.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_plugin_var_run_t:s0 for /run/docker/plugins/rhel-push
Feb 09 01:52:48 test.example.com systemd[1]: rhel-push-plugin.socket failed to listen on sockets: Invalid argument
Feb 09 01:52:48 test.example.com systemd[1]: Failed to listen on Docker Block RHEL push plugin Socket for the API.
-- Subject: Unit rhel-push-plugin.socket has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit rhel-push-plugin.socket has failed.
-- 
-- The result is failed.
Feb 09 01:52:48 test.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has failed.
-- 
-- The result is dependency.
Feb 09 01:52:48 test.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.
...

Comment 6 Daniel Walsh 2017-02-09 17:12:16 UTC
container-selinux failed to install. Looks like it is trying to use a boolean that does not exist in RHEL7.

Could someone run this command on a RHEL7 box to see what the issue is?

# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit

Comment 7 Gan Huang 2017-02-10 01:56:41 UTC
# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit
virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup
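
Added example, not part of the original bug report or of the container-selinux package: POSIX shell helpers that pull the same evidence out of a journal as Comments 2 and 7 do by hand (unmapped contexts, labels systemd could not apply, booleans missing from the loaded policy). The function names and the sample journal are constructed for illustration; the sample lines are shortened copies of lines quoted in this bug.

```shell
#!/bin/sh
# Added example: triage helpers for a policy module that failed to load.
# Function names are hypothetical; getsebool is the only external
# SELinux tool used, and only by missing_booleans.

# Constructed sample, shortened from journal lines quoted in this bug.
SAMPLE_JOURNAL='Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:docker_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:docker_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:object_r:docker_exec_t:s0 became invalid (unmapped).
Feb 09 01:52:48 test.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_var_run_t:s0 for /run/docker: Invalid argument
Feb 09 01:52:48 test.example.com systemd[1]: rhel-push-plugin.socket failed to listen on sockets: Invalid argument'

# Read journal text on stdin and print each SELinux type (third field of
# the context) that the kernel reported as "became invalid (unmapped)"
# after a policy reload. Each type is printed once, sorted.
unmapped_types() {
    sed -n 's/.*SELinux: *Context \([^ ]*\) became invalid (unmapped).*/\1/p' |
        cut -d: -f3 | LC_ALL=C sort -u
}

# Read journal text on stdin and print "type path" for every label that
# systemd failed to apply with "Invalid argument", which is what it
# reports when the type is not defined in the loaded policy.
failed_labels() {
    sed -n 's/.*Failed to set SELinux security context \([^ ]*\) for \([^:]*\): Invalid argument.*/\1 \2/p' |
        awk '{ split($1, ctx, ":"); print ctx[3], $2 }'
}

# Print the booleans from "$@" that the loaded policy does not define.
# Each name is queried on its own: in Comment 7 a single getsebool call
# stopped at container_manage_cgroup and never reported the name after it.
# Caveat: with SELinux disabled every query fails, so every name is printed.
missing_booleans() {
    command -v getsebool >/dev/null 2>&1 || return 2
    for name in "$@"; do
        getsebool "$name" >/dev/null 2>&1 || printf '%s\n' "$name"
    done
}

# Stand-alone demonstration on the constructed sample.
echo "Types unmapped by the policy reload:"
printf '%s\n' "$SAMPLE_JOURNAL" | unmapped_types
echo "Labels systemd could not apply:"
printf '%s\n' "$SAMPLE_JOURNAL" | failed_labels
```

On a live host the parsers take `journalctl -b` on stdin, and `missing_booleans` takes the boolean names from Comment 6 as arguments.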

Comment 8 Alex Jia 2017-02-10 03:00:12 UTC
(In reply to Daniel Walsh from comment #6)
> container-selinux failed to install Looks like it is trying to use a boolean
> that does not exist in RHEL7.
> 
> Could someone run this command on a RHEL7 box to see what the issue is.
> 
> # getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod
> virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup
> virt_sandbox_use_audit

[root@localhost ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

[root@localhost ~]# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup 
virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup

Comment 9 Alex Jia 2017-02-10 03:07:23 UTC
(In reply to Alex Jia from comment #8)
> (In reply to Daniel Walsh from comment #6)
> > container-selinux failed to install Looks like it is trying to use a boolean
> > that does not exist in RHEL7.


type=AVC msg=audit(1486695967.153:2424): avc:  denied  { transition } for  pid=18829 comm="exe" path="/usr/bin/openshift" dev="dm-3" ino=16798113 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c316,c911 tclass=process

Comment 10 Daniel Walsh 2017-02-10 13:37:08 UTC
Lokesh, I removed the boolean and updated the RHEL-1.12 branch.  We need a new build of docker/container-selinux for rhel.

Comment 11 Micah Abbott 2017-02-10 21:40:30 UTC
We are also seeing this in the early compose of RHELAH 7.3.3


# atomic host status
State: idle
Deployments:
● custom:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.3 (2017-02-08 22:07:07)
        Commit: ae15dd3fc917e6147f72e0e209cc0864faaf3df1efe1b0ac9d55c8ee5c6fb8d4
        OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.2 (2017-01-13 22:00:41)
        Commit: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb
        OSName: rhel-atomic-host

# rpm -q docker container-selinux selinux-policy
docker-1.12.6-2.el7.x86_64
container-selinux-2.7-1.el7.noarch
selinux-policy-3.13.1-102.el7_3.13.noarch

# docker run --rm busybox echo 'hello'
panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
        panic: standard_init_linux.go:178: exec user process caused "permission denied"

goroutine 1 [running, locked to thread]:
panic(0x6f3000, 0xc42012f1f0)
        /usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/urfave/cli.HandleAction.func1(0xc42007f748)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x247
panic(0x6f3000, 0xc42012f1f0)
        /usr/lib/golang/src/runtime/panic.go:458 +0x243
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc42007f198, 0xc42001e090, 0xc42007f238)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x18f
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc42004e730, 0xaac9c0, 0xc42012f1f0)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x353
main.glob..func8(0xc420082780, 0x0, 0x0)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main_unix.go:26 +0x66
reflect.Value.call(0x6ddd80, 0x769ce8, 0x13, 0x73c1c9, 0x4, 0xc42007f708, 0x1, 0x1, 0x4d17a8, 0x732020, ...)
        /usr/lib/golang/src/reflect/value.go:434 +0x5c8
reflect.Value.Call(0x6ddd80, 0x769ce8, 0x13, 0xc42007f708, 0x1, 0x1, 0xac2700, 0xc42007f6e8, 0x4da786)
        /usr/lib/golang/src/reflect/value.go:302 +0xa4
github.com/urfave/cli.HandleAction(0x6ddd80, 0x769ce8, 0xc420082780, 0x0, 0x0)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x1e0
github.com/urfave/cli.Command.Run(0x73c395, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74d9d9, 0x51, 0x0, ...)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xc3b
github.com/urfave/cli.(*App).Run(0xc4200c6000, 0xc42000c120, 0x2, 0x2, 0x0, 0x0)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0x611
main.main()
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main.go:137 +0xbd6

# journalctl --since "1 minutes ago" | grep denied                  
Feb 10 21:38:48 rhel-atomic-7.2-test kernel: type=1400 audit(1486762728.849:6): avc:  denied  { transition } for  pid=12507 comm="exe" path="/bin/echo" dev="dm-4" ino=6292481 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c62,c980 tclass=process
Feb 10 21:38:48 rhel-atomic-7.2-test dockerd-current[3866]: panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
Feb 10 21:38:48 rhel-atomic-7.2-test dockerd-current[3866]:         panic: standard_init_linux.go:178: exec user process caused "permission denied"

# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit                              
virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup

Comment 13 Alex Jia 2017-02-14 02:40:39 UTC
After reinstalling container-selinux-2.9-2.el7 and docker-1.12.6-3.el7 with yum on RHEL7.3, I can still see the previous errors, and it also doesn't work after running restorecon -R /usr/bin/docker*.

Comment 14 Alex Jia 2017-02-14 03:06:10 UTC
(In reply to Alex Jia from comment #13)
> To reinstall container-selinux-2.9-2.el7 and docker-1.12.6-3.el7 by yum in
> RHEL7.3, I still can see previous errors and it also doesn't work after
> running restorecon -R /usr/bin/docker*.

also update selinux-policy to selinux-policy-3.13.1-119.el7.noarch

Comment 15 Alex Jia 2017-02-15 03:21:22 UTC
The same issue is in docker-1.12.6-4.el7.x86_64 w/ selinux-policy-3.13.1-119.el7.noarch and container-selinux-2.9-2.el7.noarch.

Comment 18 Alex Jia 2017-02-16 02:22:05 UTC
It also doesn't work in docker-1.12.6-5.el7.

Comment 19 Steve Kuznetsov 2017-02-16 16:30:31 UTC
*** Bug 1422637 has been marked as a duplicate of this bug. ***

Comment 20 Micah Abbott 2017-02-16 17:02:24 UTC
Lokesh found that he was able to work around this by using 'setenforce 0' to re-install selinux-policy:

# setenforce 0
# yum reinstall selinux-policy
# setenforce 1
# systemctl start docker

Comment 22 Alex Jia 2017-02-20 09:19:39 UTC
*** Bug 1423497 has been marked as a duplicate of this bug. ***

Comment 25 Alex Jia 2017-02-21 00:09:44 UTC
docker-1.12.6-8.el7 w/ container-selinux-2:2.9-3 works well for me. Wenkai, please help double-confirm this, thanks.

Comment 26 Wenkai Shi 2017-02-21 01:20:47 UTC
(In reply to Alex Jia from comment #25)
> The  docker-1.12.6-8.el7 w/ container-selinux-2:2.9-3 works well for me, 
> Wenkai, please help double confirm this, thanks.

Confirmed with version docker-1.12.6-8.el7.x86_64 and container-selinux-2.9-3.el7.noarch. It works.
:)

Comment 27 Luwen Su 2017-02-21 07:59:42 UTC
Per comments 25 and 26, moving to verified.

Comment 29 errata-xmlrpc 2017-03-02 19:11:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0416.html