Bug 1420591 - ocp installation failed when using docker 1.12.6-2
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Lokesh Mandvekar
QA Contact: Martin Jenner
Whiteboard: aos-scalability-35
Duplicates: 1422637 1423497
Reported: 2017-02-09 02:56 UTC by Wenkai Shi
Modified: 2017-03-02 19:11 UTC (History)

Fixed In Version: container-selinux-2:2.9-3
Last Closed: 2017-03-02 19:11:09 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:0416 0 normal SHIPPED_LIVE new package: container-selinux 2017-03-03 00:07:50 UTC

Description Wenkai Shi 2017-02-09 02:56:24 UTC
Description of problem:
OCP installation failed when using docker 1.12.6-2. After the installation failed, I ran the "setenforce 0" command and the docker restart succeeded; then I ran "setenforce 1" and restarted docker, and it still succeeded.

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.5.5-1.git.0.3ae2138.el7
docker-client-1.12.6-2.el7.x86_64
docker-rhel-push-plugin-1.12.6-2.el7.x86_64
docker-1.12.6-2.el7.x86_64
docker-common-1.12.6-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install OCP 3.5 with Docker 1.12.6-2
2.
3.

Actual results:
[root@ansible ~]# ansible-playbook -i hosts -v /usr/share/ansible/openshift-ansible/playbooks/byo/config
...
TASK [Enable and start the docker service] *************************************
Thursday 09 February 2017  01:19:51 +0000 (0:00:00.209)       0:02:16.098 ***** 
fatal: [master.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service docker: A dependency job for docker.service failed. See 'journalctl -xe' for details.\n"}
fatal: [node.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service docker: A dependency job for docker.service failed. See 'journalctl -xe' for details.\n"}
...

Expected results:
Install succeeds

Additional info:
[root@master ~]# systemctl status docker 
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: http://docs.docker.com

Feb 08 20:54:42 master.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
Feb 08 20:54:42 master.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.

[root@master ~]# journalctl -xe -u docker
-- Logs begin at Wed 2017-02-08 20:51:18 EST, end at Wed 2017-02-08 21:24:42 EST. --
Feb 08 20:54:42 master.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has failed.
-- 
-- The result is dependency.
Feb 08 20:54:42 master.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.
[root@master ~]# systemctl restart docker
[root@master ~]# journalctl -xe -u docker
Feb 08 21:34:20 master.example.com polkitd[580]: Registered Authentication Agent for unix-process:11031:258227 (system bus name :1.29 [/usr/bin/pkttyagent --not
Feb 08 21:34:20 master.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_var_run_t:s0 for /run/docker: Invalid argument
Feb 08 21:34:20 master.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_plugin_var_run_t:s0 for /run/docker/plugins/rhel-
Feb 08 21:34:20 master.example.com systemd[1]: rhel-push-plugin.socket failed to listen on sockets: Invalid argument
Feb 08 21:34:20 master.example.com systemd[1]: Failed to listen on Docker Block RHEL push plugin Socket for the API.
-- Subject: Unit rhel-push-plugin.socket has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit rhel-push-plugin.socket has failed.
-- 
-- The result is failed.
Feb 08 21:34:20 master.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has failed.
-- 
-- The result is dependency.
Feb 08 21:34:20 master.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.

Comment 2 Wenkai Shi 2017-02-09 07:10:26 UTC
I think the root cause may relate to container-selinux-2.7-1.el7.noarch; check the console output listed below:

[root@test ~]# yum install docker -y 
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel73                                                                                                                                                                 | 4.1 kB  00:00:00     
rhel73-extra                                                                                                                                                           | 3.0 kB  00:00:00     
(1/3): rhel73-extra/primary_db                                                                                                                                         |  39 kB  00:00:01     
(2/3): rhel73/group_gz                                                                                                                                                 | 136 kB  00:00:02     
(3/3): rhel73/primary_db                                                                                                                                               | 3.9 MB  00:00:10     
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.12.6-2.el7 will be installed
--> Processing Dependency: docker-client = 2:1.12.6-2.el7 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: docker-common = 2:1.12.6-2.el7 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: docker-rhel-push-plugin = 2:1.12.6-2.el7 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: container-selinux >= 2:2.7-1 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: oci-register-machine >= 1:0-1.11 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: oci-systemd-hook >= 1:0.1.4-9 for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: skopeo-containers for package: 2:docker-1.12.6-2.el7.x86_64
--> Processing Dependency: libseccomp.so.2()(64bit) for package: 2:docker-1.12.6-2.el7.x86_64
--> Running transaction check
---> Package container-selinux.noarch 2:2.7-1.el7 will be installed
---> Package docker-client.x86_64 2:1.12.6-2.el7 will be installed
---> Package docker-common.x86_64 2:1.12.6-2.el7 will be installed
---> Package docker-rhel-push-plugin.x86_64 2:1.12.6-2.el7 will be installed
---> Package libseccomp.x86_64 0:2.3.1-2.el7 will be installed
---> Package oci-register-machine.x86_64 1:0-1.11.gitdd0daef.el7 will be installed
---> Package oci-systemd-hook.x86_64 1:0.1.4-10.git0c91618.el7 will be installed
--> Processing Dependency: libyajl.so.2()(64bit) for package: 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64
---> Package skopeo-containers.x86_64 1:0.1.18-1.el7 will be installed
--> Running transaction check
---> Package yajl.x86_64 0:2.0.4-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================================
 Package                                             Arch                               Version                                                Repository                                Size
==============================================================================================================================================================================================
Installing:
 docker                                              x86_64                             2:1.12.6-2.el7                                         rhel73-extra                              20 M
Installing for dependencies:
 container-selinux                                   noarch                             2:2.7-1.el7                                            rhel73-extra                              26 k
 docker-client                                       x86_64                             2:1.12.6-2.el7                                         rhel73-extra                             4.4 M
 docker-common                                       x86_64                             2:1.12.6-2.el7                                         rhel73-extra                              70 k
 docker-rhel-push-plugin                             x86_64                             2:1.12.6-2.el7                                         rhel73-extra                             2.0 M
 libseccomp                                          x86_64                             2.3.1-2.el7                                            rhel73                                    56 k
 oci-register-machine                                x86_64                             1:0-1.11.gitdd0daef.el7                                rhel73-extra                             1.0 M
 oci-systemd-hook                                    x86_64                             1:0.1.4-10.git0c91618.el7                              rhel73-extra                              29 k
 skopeo-containers                                   x86_64                             1:0.1.18-1.el7                                         rhel73-extra                             7.6 k
 yajl                                                x86_64                             2.0.4-4.el7                                            rhel73                                    39 k

Transaction Summary
==============================================================================================================================================================================================
Install  1 Package (+9 Dependent packages)

Total download size: 28 M
Installed size: 110 M
Downloading packages:
(1/10): container-selinux-2.7-1.el7.noarch.rpm                                                                                                                         |  26 kB  00:00:01     
(2/10): docker-client-1.12.6-2.el7.x86_64.rpm                                                                                                                          | 4.4 MB  00:00:20     
(3/10): docker-common-1.12.6-2.el7.x86_64.rpm                                                                                                                          |  70 kB  00:00:01     
(4/10): libseccomp-2.3.1-2.el7.x86_64.rpm                                                                                                                              |  56 kB  00:00:01     
(5/10): docker-rhel-push-plugin-1.12.6-2.el7.x86_64.rpm                                                                                                                | 2.0 MB  00:00:08     
(6/10): oci-register-machine-0-1.11.gitdd0daef.el7.x86_64.rpm                                                                                                          | 1.0 MB  00:00:05     
(7/10): oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64.rpm                                                                                                            |  29 kB  00:00:01     
(8/10): skopeo-containers-0.1.18-1.el7.x86_64.rpm                                                                                                                      | 7.6 kB  00:00:01     
(9/10): yajl-2.0.4-4.el7.x86_64.rpm                                                                                                                                    |  39 kB  00:00:01     
(10/10): docker-1.12.6-2.el7.x86_64.rpm                                                                                                                                |  20 MB  00:00:58     
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                         486 kB/s |  28 MB  00:00:58     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:docker-common-1.12.6-2.el7.x86_64                                                                                                                                       1/10 
  Installing : 2:docker-client-1.12.6-2.el7.x86_64                                                                                                                                       2/10 
  Installing : 2:container-selinux-2.7-1.el7.noarch                                                                                                                                      3/10 
Failed to resolve booleanif statement at /etc/selinux/targeted/tmp/modules/200/container/cil:1027
/usr/sbin/semodule:  Failed!
  Installing : libseccomp-2.3.1-2.el7.x86_64                                                                                                                                             4/10 
  Installing : yajl-2.0.4-4.el7.x86_64                                                                                                                                                   5/10 
  Installing : 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64                                                                                                                         6/10 
  Installing : 1:oci-register-machine-0-1.11.gitdd0daef.el7.x86_64                                                                                                                       7/10 
  Installing : 2:docker-rhel-push-plugin-1.12.6-2.el7.x86_64                                                                                                                             8/10 
  Installing : 1:skopeo-containers-0.1.18-1.el7.x86_64                                                                                                                                   9/10 
  Installing : 2:docker-1.12.6-2.el7.x86_64                                                                                                                                             10/10 
rhel73/productid                                                                                                                                                       | 1.6 kB  00:00:00     
  Verifying  : 1:skopeo-containers-0.1.18-1.el7.x86_64                                                                                                                                   1/10 
  Verifying  : 2:docker-1.12.6-2.el7.x86_64                                                                                                                                              2/10 
  Verifying  : 2:docker-rhel-push-plugin-1.12.6-2.el7.x86_64                                                                                                                             3/10 
  Verifying  : 2:docker-common-1.12.6-2.el7.x86_64                                                                                                                                       4/10 
  Verifying  : 1:oci-register-machine-0-1.11.gitdd0daef.el7.x86_64                                                                                                                       5/10 
  Verifying  : yajl-2.0.4-4.el7.x86_64                                                                                                                                                   6/10 
  Verifying  : libseccomp-2.3.1-2.el7.x86_64                                                                                                                                             7/10 
  Verifying  : 2:docker-client-1.12.6-2.el7.x86_64                                                                                                                                       8/10 
  Verifying  : 2:container-selinux-2.7-1.el7.noarch                                                                                                                                      9/10 
  Verifying  : 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64                                                                                                                        10/10 

Installed:
  docker.x86_64 2:1.12.6-2.el7                                                                                                                                                                

Dependency Installed:
  container-selinux.noarch 2:2.7-1.el7  docker-client.x86_64 2:1.12.6-2.el7                  docker-common.x86_64 2:1.12.6-2.el7                docker-rhel-push-plugin.x86_64 2:1.12.6-2.el7 
  libseccomp.x86_64 0:2.3.1-2.el7       oci-register-machine.x86_64 1:0-1.11.gitdd0daef.el7  oci-systemd-hook.x86_64 1:0.1.4-10.git0c91618.el7  skopeo-containers.x86_64 1:0.1.18-1.el7       
  yajl.x86_64 0:2.0.4-4.el7            

Complete!
[root@test ~]# systemctl start docker 
A dependency job for docker.service failed. See 'journalctl -xe' for details.


[root@test ~]# journalctl -xe
...
Feb 09 01:50:29 test.example.com yum[10391]: Installed: 2:docker-common-1.12.6-2.el7.x86_64
Feb 09 01:50:32 test.example.com yum[10391]: Installed: 2:docker-client-1.12.6-2.el7.x86_64
Feb 09 01:50:50 test.example.com dbus[603]: avc:  received policyload notice (seqno=2)
Feb 09 01:50:50 test.example.com dbus-daemon[603]: dbus[603]: avc:  received policyload notice (seqno=2)
Feb 09 01:50:50 test.example.com dbus[603]: [system] Reloaded configuration
Feb 09 01:50:50 test.example.com dbus-daemon[603]: dbus[603]: [system] Reloaded configuration
Feb 09 01:50:51 test.example.com setsebool[10417]: The virt_use_nfs policy boolean was changed to 1 by root
Feb 09 01:50:51 test.example.com setsebool[10417]: The virt_sandbox_use_all_caps policy boolean was changed to 1 by root
Feb 09 01:52:03 test.example.com kernel: SELinux: 2048 avtab hash slots, 103956 rules.
Feb 09 01:52:03 test.example.com kernel: SELinux: 2048 avtab hash slots, 103956 rules.
Feb 09 01:52:03 test.example.com kernel: SELinux:  8 users, 14 roles, 4956 types, 300 bools, 1 sens, 1024 cats
Feb 09 01:52:03 test.example.com kernel: SELinux:  91 classes, 103956 rules
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:unconfined_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:docker_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:spc_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:docker_auth_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:system_r:gear_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:docker_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:spc_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:docker_auth_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:unconfined_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:docker_home_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:object_r:docker_config_t:s0 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:object_r:docker_config_t:s0 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context unconfined_u:system_r:gear_t:s0-s0:c0.c1023 became invalid (unmapped).
Feb 09 01:52:04 test.example.com kernel: SELinux:  Context system_u:object_r:docker_exec_t:s0 became invalid (unmapped).
Feb 09 01:52:04 test.example.com dbus[603]: avc:  received policyload notice (seqno=3)
Feb 09 01:52:05 test.example.com dbus-daemon[603]: dbus[603]: avc:  received policyload notice (seqno=3)
Feb 09 01:52:05 test.example.com dbus-daemon[603]: dbus[603]: [system] Reloaded configuration
Feb 09 01:52:05 test.example.com dbus[603]: [system] Reloaded configuration
Feb 09 01:52:06 test.example.com yum[10391]: Installed: 2:container-selinux-2.7-1.el7.noarch
Feb 09 01:52:10 test.example.com yum[10391]: Installed: libseccomp-2.3.1-2.el7.x86_64
Feb 09 01:52:15 test.example.com yum[10391]: Installed: yajl-2.0.4-4.el7.x86_64
Feb 09 01:52:17 test.example.com yum[10391]: Installed: 1:oci-systemd-hook-0.1.4-10.git0c91618.el7.x86_64
Feb 09 01:52:18 test.example.com yum[10391]: Installed: 1:oci-register-machine-0-1.11.gitdd0daef.el7.x86_64
Feb 09 01:52:19 test.example.com yum[10391]: Installed: 2:docker-rhel-push-plugin-1.12.6-2.el7.x86_64
Feb 09 01:52:21 test.example.com yum[10391]: Installed: 1:skopeo-containers-0.1.18-1.el7.x86_64
Feb 09 01:52:21 test.example.com useradd[10442]: new group: name=dockerroot, GID=993
Feb 09 01:52:21 test.example.com useradd[10442]: new user: name=dockerroot, UID=996, GID=993, home=/var/lib/docker, shell=/sbin/nologin
Feb 09 01:52:30 test.example.com systemd[1]: Reloading.
Feb 09 01:52:30 test.example.com systemd[1]: [/usr/lib/systemd/system/microcode.service:10] Trailing garbage, ignoring.
Feb 09 01:52:30 test.example.com systemd[1]: microcode.service lacks both ExecStart= and ExecStop= setting. Refusing.
Feb 09 01:52:30 test.example.com yum[10391]: Installed: 2:docker-1.12.6-2.el7.x86_64
Feb 09 01:52:48 test.example.com polkitd[618]: Registered Authentication Agent for unix-process:10464:116328 (system bus name :1.29 [/usr/bin/pkttyagent --notify-
Feb 09 01:52:48 test.example.com systemd[1]: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
Feb 09 01:52:48 test.example.com systemd[1]: Starting Docker Storage Setup...
-- Subject: Unit docker-storage-setup.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker-storage-setup.service has begun starting up.
Feb 09 01:52:48 test.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_var_run_t:s0 for /run/docker: Invalid argument
Feb 09 01:52:48 test.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_plugin_var_run_t:s0 for /run/docker/plugins/rhel-push
Feb 09 01:52:48 test.example.com systemd[1]: rhel-push-plugin.socket failed to listen on sockets: Invalid argument
Feb 09 01:52:48 test.example.com systemd[1]: Failed to listen on Docker Block RHEL push plugin Socket for the API.
-- Subject: Unit rhel-push-plugin.socket has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit rhel-push-plugin.socket has failed.
-- 
-- The result is failed.
Feb 09 01:52:48 test.example.com systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has failed.
-- 
-- The result is dependency.
Feb 09 01:52:48 test.example.com systemd[1]: Job docker.service/start failed with result 'dependency'.
...

Comment 6 Daniel Walsh 2017-02-09 17:12:16 UTC
container-selinux failed to install. Looks like it is trying to use a boolean that does not exist in RHEL7.

Could someone run this command on a RHEL7 box to see what the issue is?

# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit

Comment 7 Gan Huang 2017-02-10 01:56:41 UTC
# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit
virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup
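
The failure chain visible in the outputs above (policy module load fails, the types it would define are unknown, the socket unit and then docker.service fail) can be checked mechanically. The following is an added example, not part of the original bug report or of any Red Hat tooling; the function names are hypothetical and the sample text is copied or abridged from output quoted in this report.

```sh
#!/bin/sh
# Added example: offline triage of the symptoms quoted in this bug report.
# All function names are hypothetical. Sample text is abridged from the report.

SAMPLE_LOG='  Installing : 2:container-selinux-2.7-1.el7.noarch   3/10
Failed to resolve booleanif statement at /etc/selinux/targeted/tmp/modules/200/container/cil:1027
/usr/sbin/semodule:  Failed!
Feb 09 01:52:48 test.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_var_run_t:s0 for /run/docker: Invalid argument
Feb 09 01:52:48 test.example.com systemd[1]: Failed to set SELinux security context system_u:object_r:docker_plugin_var_run_t:s0 for /run/docker/plugins/rhel-push
Feb 09 01:52:48 test.example.com systemd[1]: rhel-push-plugin.socket failed to listen on sockets: Invalid argument
-- Unit rhel-push-plugin.socket has failed.
-- Unit docker.service has failed.'

SAMPLE_GETSEBOOL='virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup'

# stdin: getsebool output. Prints booleans the loaded policy does not define.
missing_booleans() {
    sed -n 's/^Error getting active value for \([A-Za-z0-9_]*\).*$/\1/p'
}

# stdin: yum/semodule output. Prints the policy module whose CIL failed to resolve.
failed_module() {
    sed -n 's#.*Failed to resolve .* at .*/modules/[0-9]*/\([^/]*\)/cil:[0-9]*.*#\1#p'
}

# stdin: journal text. Prints the SELinux types systemd could not apply.
# The pattern does not require the trailing ": Invalid argument" because
# journalctl truncates long lines, as in the second sample line.
unknown_types() {
    sed -n 's/.*Failed to set SELinux security context \([^ ]*\) for .*/\1/p' |
        cut -d: -f3 | sort -u
}

# stdin: journal text. Prints systemd units reported as failed.
failed_units() {
    sed -n 's/^-- Unit \(.*\) has failed\.$/\1/p' | sort -u
}

# $1 = install/journal text, $2 = getsebool output.
# Prints a one-line summary; returns 0 only when no symptom is found.
diagnose() {
    d_module=$(printf '%s\n' "$1" | failed_module | paste -sd, -)
    d_types=$(printf '%s\n' "$1" | unknown_types | paste -sd, -)
    d_units=$(printf '%s\n' "$1" | failed_units | paste -sd, -)
    d_missing=$(printf '%s\n' "$2" | missing_booleans | paste -sd, -)

    if printf '%s\n' "$1" | grep -q 'semodule: *Failed!'; then
        # The policy module never loaded, so its types and booleans are absent.
        d_cause=policy_module_not_loaded
    elif [ -n "$d_types" ]; then
        d_cause=unknown_types_in_loaded_policy
    elif [ -n "$d_missing" ]; then
        d_cause=missing_booleans_only
    else
        d_cause=none
    fi

    printf 'cause=%s module=%s missing_booleans=%s unknown_types=%s failed_units=%s\n' \
        "$d_cause" "$d_module" "$d_missing" "$d_types" "$d_units"
    [ "$d_cause" = none ]
}

# Run against the embedded sample; a non-zero status is expected here.
diagnose "$SAMPLE_LOG" "$SAMPLE_GETSEBOOL" || true
```

On a live host the same functions can be fed the `journalctl -xe` text and the output of the `getsebool` command from comment 6 (with stderr redirected into stdout).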

Comment 8 Alex Jia 2017-02-10 03:00:12 UTC
(In reply to Daniel Walsh from comment #6)
> container-selinux failed to install Looks like it is trying to use a boolean
> that does not exist in RHEL7.
> 
> Could someone run this command on a RHEL7 box to see what the issue is.
> 
> # getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod
> virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup
> virt_sandbox_use_audit

[root@localhost ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

[root@localhost ~]# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup 
virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup

Comment 9 Alex Jia 2017-02-10 03:07:23 UTC
(In reply to Alex Jia from comment #8)
> (In reply to Daniel Walsh from comment #6)
> > container-selinux failed to install Looks like it is trying to use a boolean
> > that does not exist in RHEL7.


type=AVC msg=audit(1486695967.153:2424): avc:  denied  { transition } for  pid=18829 comm="exe" path="/usr/bin/openshift" dev="dm-3" ino=16798113 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c316,c911 tclass=process

Comment 10 Daniel Walsh 2017-02-10 13:37:08 UTC
Lokesh, I removed the boolean and updated the RHEL-1.12 branch.  We need a new build of docker/container-selinux for rhel.

Comment 11 Micah Abbott 2017-02-10 21:40:30 UTC
We are also seeing this in the early compose of RHELAH 7.3.3


# atomic host status
State: idle
Deployments:
● custom:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.3 (2017-02-08 22:07:07)
        Commit: ae15dd3fc917e6147f72e0e209cc0864faaf3df1efe1b0ac9d55c8ee5c6fb8d4
        OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.2 (2017-01-13 22:00:41)
        Commit: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb
        OSName: rhel-atomic-host

# rpm -q docker container-selinux selinux-policy
docker-1.12.6-2.el7.x86_64
container-selinux-2.7-1.el7.noarch
selinux-policy-3.13.1-102.el7_3.13.noarch

# docker run --rm busybox echo 'hello'
panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
        panic: standard_init_linux.go:178: exec user process caused "permission denied"

goroutine 1 [running, locked to thread]:
panic(0x6f3000, 0xc42012f1f0)
        /usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/urfave/cli.HandleAction.func1(0xc42007f748)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x247
panic(0x6f3000, 0xc42012f1f0)
        /usr/lib/golang/src/runtime/panic.go:458 +0x243
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc42007f198, 0xc42001e090, 0xc42007f238)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x18f
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc42004e730, 0xaac9c0, 0xc42012f1f0)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x353
main.glob..func8(0xc420082780, 0x0, 0x0)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main_unix.go:26 +0x66
reflect.Value.call(0x6ddd80, 0x769ce8, 0x13, 0x73c1c9, 0x4, 0xc42007f708, 0x1, 0x1, 0x4d17a8, 0x732020, ...)
        /usr/lib/golang/src/reflect/value.go:434 +0x5c8
reflect.Value.Call(0x6ddd80, 0x769ce8, 0x13, 0xc42007f708, 0x1, 0x1, 0xac2700, 0xc42007f6e8, 0x4da786)
        /usr/lib/golang/src/reflect/value.go:302 +0xa4
github.com/urfave/cli.HandleAction(0x6ddd80, 0x769ce8, 0xc420082780, 0x0, 0x0)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x1e0
github.com/urfave/cli.Command.Run(0x73c395, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74d9d9, 0x51, 0x0, ...)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xc3b
github.com/urfave/cli.(*App).Run(0xc4200c6000, 0xc42000c120, 0x2, 0x2, 0x0, 0x0)
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0x611
main.main()
        /builddir/build/BUILD/docker-dfc4aea4ba81ecbe1ff8d58f4c4b6d192f82091b/runc-81b254244390bc636b20c87c34a3d9e1a8645069/main.go:137 +0xbd6

# journalctl --since "1 minutes ago" | grep denied                  
Feb 10 21:38:48 rhel-atomic-7.2-test kernel: type=1400 audit(1486762728.849:6): avc:  denied  { transition } for  pid=12507 comm="exe" path="/bin/echo" dev="dm-4" ino=6292481 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c62,c980 tclass=process
Feb 10 21:38:48 rhel-atomic-7.2-test dockerd-current[3866]: panic: standard_init_linux.go:178: exec user process caused "permission denied" [recovered]
Feb 10 21:38:48 rhel-atomic-7.2-test dockerd-current[3866]:         panic: standard_init_linux.go:178: exec user process caused "permission denied"

# getsebool virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps virt_sandbox_use_netlink container_manage_cgroup virt_sandbox_use_audit                              
virt_sandbox_use_sys_admin --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_netlink --> off
Error getting active value for container_manage_cgroup

Comment 13 Alex Jia 2017-02-14 02:40:39 UTC
After reinstalling container-selinux-2.9-2.el7 and docker-1.12.6-3.el7 with yum on RHEL7.3, I can still see the previous errors, and it also doesn't work after running restorecon -R /usr/bin/docker*.

Comment 14 Alex Jia 2017-02-14 03:06:10 UTC
(In reply to Alex Jia from comment #13)
> To reinstall container-selinux-2.9-2.el7 and docker-1.12.6-3.el7 by yum in
> RHEL7.3, I still can see previous errors and it also doesn't work after
> running restorecon -R /usr/bin/docker*.

I also updated selinux-policy to selinux-policy-3.13.1-119.el7.noarch.

Comment 15 Alex Jia 2017-02-15 03:21:22 UTC
The same issue is in docker-1.12.6-4.el7.x86_64 w/ selinux-policy-3.13.1-119.el7.noarch and container-selinux-2.9-2.el7.noarch.

Comment 18 Alex Jia 2017-02-16 02:22:05 UTC
It also doesn't work in docker-1.12.6-5.el7.

Comment 19 Steve Kuznetsov 2017-02-16 16:30:31 UTC
*** Bug 1422637 has been marked as a duplicate of this bug. ***

Comment 20 Micah Abbott 2017-02-16 17:02:24 UTC
Lokesh found that he was able to work around this by using 'setenforce 0' to re-install selinux-policy:

# setenforce 0
# yum reinstall selinux-policy
# setenforce 1
# systemctl start docker

Comment 22 Alex Jia 2017-02-20 09:19:39 UTC
*** Bug 1423497 has been marked as a duplicate of this bug. ***

Comment 25 Alex Jia 2017-02-21 00:09:44 UTC
docker-1.12.6-8.el7 w/ container-selinux-2:2.9-3 works well for me. Wenkai, please help double confirm this, thanks.

Comment 26 Wenkai Shi 2017-02-21 01:20:47 UTC
(In reply to Alex Jia from comment #25)
> The  docker-1.12.6-8.el7 w/ container-selinux-2:2.9-3 works well for me, 
> Wenkai, please help double confirm this, thanks.

Confirmed with version docker-1.12.6-8.el7.x86_64 and container-selinux-2.9-3.el7.noarch. It works.
:)

Comment 27 Luwen Su 2017-02-21 07:59:42 UTC
Per comments 25 and 26, moving to verified.

Comment 29 errata-xmlrpc 2017-03-02 19:11:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0416.html

