Bug 1461024 - Docker: SELinux relabeling issue for a local nfs volume
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.3
Hardware: x86_64 Linux
Priority: medium Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Antonio Murdaca
atomic-bugs@redhat.com
: Extras
Depends On:
Blocks:
Reported: 2017-06-13 07:50 EDT by Suhaas Bhat
Modified: 2017-10-26 09:48 EDT (History)

See Also:
Fixed In Version: docker-2:1.12.6-50.git0fdc778
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-05 06:35:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers:
Red Hat Knowledge Base (Solution) 3080171 (priority, status and summary not set), last updated 2017-09-01 02:02 EDT
Description Suhaas Bhat 2017-06-13 07:50:50 EDT
Description of problem:

With the latest update of docker (rhel7 extra repo), we encounter a bug with nfs volumes (local driver).


Version-Release number of selected component (if applicable):
docker-1.12.6-28.git1398f24.el7.x86_64

How reproducible:
Fully reproducible

Steps to Reproduce:

1. docker volume create -d local --name xxx --opt type=nfs --opt o=addr=xxxx,rw,actimeo=0,sync --opt device=</path/to/dir> 

2. docker run --rm -ti -v xxx:xxx --name <container name> <image name> /bin/bash 


Actual results:

/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/xxxx/_data is not allowed: "operation not supported".


Expected results:

Container should have been created with successful nfs mount.

Additional info:

There is a similar upstream issue which contains the workaround for the issue.
https://github.com/moby/moby/issues/31255

Workaround:

Run the 2nd command as:
docker run --rm -ti -v xxx:xxx:nocopy --name <container name> <image name> /bin/bash
Comment 2 Daniel Walsh 2017-06-13 17:54:12 EDT
Looks like we need 
https://github.com/opencontainers/selinux/pull/4

Back ported.
Comment 3 Daniel Walsh 2017-06-30 10:55:05 EDT
Antonio can we get this into RHEL7 Version?
Comment 6 Daniel Walsh 2017-07-13 08:39:05 EDT
Antonio any movement on getting this back ported?
Comment 9 Ryan Howe 2017-07-13 19:05:52 EDT
Thank you, this makes sense. The following fails:
~~~
[root@ah-node ~]# mount.nfs 192.168.0.3:/share/docker /var/lib/docker/volumes  -o context="system_u:object_r:docker_var_lib_t:s0" 
[root@ah-node ~]# docker run -it --rm --name test  -v /mnt rhel7 
/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/1fbd1daf0e7dc772d45e6a68acd57161cd4232889a690025f7a93b2f213a0a37/_data is not allowed: "operation not supported".
See '/usr/bin/docker-current run --help'

OR

[root@ah-node ~]# umount /var/lib/docker/volumes
[root@ah-node ~]# mount.nfs 192.168.0.3:/share/docker /var/lib/docker/volumes  -onosharecache,context="system_u:object_r:svirt_sandbox_file_t:s0" 
[root@ah-node ~]# docker run -it --rm --name test  -v /mnt rhel7 
/usr/bin/docker-current: Error response from daemon: SELinux relabeling of /var/lib/docker/volumes/b55bf8169de8bb08d87a9d857f238c51bd46af45ed7c6932f20d46f8bbf53a60/_data is not allowed: "operation not supported".
See '/usr/bin/docker-current run --help'.
~~~


To work around the issue a user should just avoid mounting an nfs share at /var/lib/docker/volumes, and use a mount invocation that sets the context when mounting the nfs volume to be used.


docker-1.12.6-32.git88a4867.el7.x86_64

~~~
[root@ah-node ~]# mkdir /var/lib/docker/nfsvolumes
[root@ah-node ~]# mount.nfs 192.168.0.3:/share/docker /var/lib/docker/nfsvolumes  -ocontext="system_u:object_r:svirt_sandbox_file_t:s0"
[root@ah-node ~]# mkdir /var/lib/docker/nfsvolumes/v1
[root@ah-node ~]# docker run -it --rm --name test -v /var/lib/docker/nfsvolumes/v1:/mnt:Z rhel7 touch /mnt/test 
~~~


I think you can also use `docker volume create` and pass the context option. I did not test this, though.
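A mount-table audit for the two setups comment 9 shows failing (an NFS share mounted at /var/lib/docker/volumes itself, and an NFS share mounted without a context= option), as an added example that is not part of this bug report or of the docker package. The sample mount lines are constructed to mirror comment 9, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a mount table for the two
# NFS setups that comment 9 shows failing with "SELinux relabeling ... is
# not allowed": an NFS share mounted at /var/lib/docker/volumes itself, and
# an NFS share mounted without a context= option. SAMPLE_MOUNTS is a
# constructed /proc/mounts excerpt; on a real host pass "$(cat /proc/mounts)".
SAMPLE_MOUNTS='192.168.0.3:/share/docker /var/lib/docker/volumes nfs4 rw,relatime,context=system_u:object_r:docker_var_lib_t:s0,addr=192.168.0.3 0 0
192.168.0.3:/share/docker /var/lib/docker/nfsvolumes nfs4 rw,relatime,context=system_u:object_r:svirt_sandbox_file_t:s0,addr=192.168.0.3 0 0
192.168.0.3:/share/other /srv/nfs nfs4 rw,relatime,addr=192.168.0.3 0 0
/dev/sda1 / xfs rw,relatime,seclabel 0 0'

# Classify one mount-table line; prints exactly one verdict:
#   not-nfs        not an NFS mount
#   under-volumes  NFS at/below /var/lib/docker/volumes (fails as in comment 9)
#   no-context     NFS without context=, so docker cannot relabel it for :Z
#   ok             NFS elsewhere, mounted with an explicit context=
classify_nfs_mount() {
  set -- $1                     # fields: device mountpoint fstype options ...
  mp=$2 fstype=$3 opts=$4
  case "$fstype" in
    nfs|nfs4) ;;
    *) echo not-nfs; return 0 ;;
  esac
  case "$mp" in
    /var/lib/docker/volumes|/var/lib/docker/volumes/*) echo under-volumes; return 0 ;;
  esac
  case ",$opts," in
    *,context=*) echo ok ;;
    *) echo no-context ;;
  esac
}

# Print "<mountpoint> <verdict>" for every NFS mount in the table and return
# 1 if any of them is misconfigured.
audit_mounts() {
  table=$1 rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    verdict=$(classify_nfs_mount "$line")
    [ "$verdict" = not-nfs ] && continue
    set -- $line
    printf '%s %s\n' "$2" "$verdict"
    [ "$verdict" = ok ] || rc=1
  done <<EOF
$table
EOF
  return $rc
}

audit_mounts "$SAMPLE_MOUNTS" || echo "misconfigured NFS mount(s) found; see comment 9 for the remount"
```

The remount for a no-context verdict is the one from comment 9: mount the share outside /var/lib/docker/volumes with -o context="system_u:object_r:svirt_sandbox_file_t:s0".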
Comment 10 Antonio Murdaca 2017-07-24 09:05:27 EDT
(In reply to Daniel Walsh from comment #2)
> Looks like we need 
> https://github.com/opencontainers/selinux/pull/4
> 
> Back ported.

Back ported.
Comment 13 Luwen Su 2017-08-25 03:35:36 EDT
In docker-1.12.6-55.gitc4618fb.el7.x86_64, move to verified.

/dev/sdb is a virtual device.

# docker volume create -d local --name test --opt type=nfs --opt o=addr=xxxx,rw,actimeo=0,sync --opt device=/dev/sdb
test

# docker run --rm -ti -v /var/lib/docker/volumes/test:/root --name test rhel7 /bin/bash
bash-4.2# ls
bin   dev  home  lib64	     media  opt   root	sbin  sys  usr
boot  etc  lib	 lost+found  mnt    proc  run	srv   tmp  var
bash-4.2# cd root
bash-4.2# ls
_data  opts.json
bash-4.2# exit
exit

# getenforce 
Enforcing
Comment 15 errata-xmlrpc 2017-09-05 06:35:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2599
