Bug 1461574 - docker run --read-only : fails when user namespaces enabled
Summary: docker run --read-only : fails when user namespaces enabled
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tom Sweeney
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-14 20:06 UTC by Ed Santiago
Modified: 2021-01-15 07:38 UTC (History)
CC: 4 users

Fixed In Version: docker-latest-1.13.1-36.git9a813fa.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-15 07:38:09 UTC
Target Upstream Version:
Embargoed:



Description Ed Santiago 2017-06-14 20:06:16 UTC
Setup: RHEL 7.4, docker daemon running with --userns-remap=default:

    # docker run --read-only centos date
    /usr/bin/docker-current: Error response from daemon: Cannot use the --read-only option when user namespaces are enabled.
    See '/usr/bin/docker-current run --help'.

It succeeds if you add --userns=host to docker run, but it's not clear why this is required.

Full setup details:

    # echo 100 >/proc/sys/user/max_user_namespaces
    # for i in uid gid; do echo "dockremap:100000:65536" > /etc/sub$i;done
    # vi /etc/sysconfig/docker
    [ add --userns-remap=default to OPTIONS ]
    # systemctl stop docker
    # rm -rf /var/lib/docker
    # docker-storage-setup --reset
    # docker-storage-setup
    # systemctl start docker

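An added example (my own script, not from the bug report or the docker project): a preflight that checks the userns-remap configuration from the setup above against constructed copies of the files, plus a version test for whether the daemon is new enough that --read-only is expected to work under user namespaces (the daemon check was dropped in v1.13.0-rc1, as Comment 4 notes). Function names and the demo files are assumptions.

```shell
# Added example, not from the bug report. Paths are parameters so the checks run
# against constructed files; the real RHEL 7 locations are /etc/subuid,
# /etc/subgid, /proc/sys/user/max_user_namespaces and /etc/sysconfig/docker.

# check_subid FILE USER: succeed if FILE has USER:START:COUNT with COUNT >= 65536
check_subid() {
    [ -r "$1" ] || return 1
    awk -F: -v u="$2" '$1 == u && $3 ~ /^[0-9]+$/ && $3 + 0 >= 65536 { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# check_max_userns FILE: succeed if the sysctl value allows user namespaces (> 0)
check_max_userns() {
    [ -r "$1" ] || return 1
    n=$(tr -d '[:space:]' < "$1")
    case "$n" in '' | *[!0-9]*) return 1 ;; esac
    [ "$n" -gt 0 ]
}

# check_remap_option FILE: succeed if the OPTIONS= line enables --userns-remap
check_remap_option() {
    [ -r "$1" ] || return 1
    grep -E '^OPTIONS=.*--userns-remap=' "$1" > /dev/null
}

# supports_readonly_with_userns VERSION: succeed for docker >= 1.13, the release
# (v1.13.0-rc1, moby commit 6062ae5 per the thread) that dropped the daemon check
# rejecting --read-only under user namespaces. Package suffixes (-NN.gitXXX.el7) are ignored.
supports_readonly_with_userns() {
    v=${1%%-*}
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    case "$major$minor" in '' | *[!0-9]*) return 1 ;; esac
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 13 ]; }
}

# userns_preflight SUBUID SUBGID MAXNS SYSCONFIG: run every check, report failures
userns_preflight() {
    rc=0
    check_subid "$1" dockremap || { echo "$1: no dockremap range of >= 65536 ids"; rc=1; }
    check_subid "$2" dockremap || { echo "$2: no dockremap range of >= 65536 ids"; rc=1; }
    check_max_userns "$3"      || { echo "$3: user namespaces disabled (0)"; rc=1; }
    check_remap_option "$4"    || { echo "$4: OPTIONS lacks --userns-remap="; rc=1; }
    return $rc
}
# demo: constructed copies of the files from the description, run through the checks
demo() {
    d=$(mktemp -d) || return 1
    echo "dockremap:100000:65536" > "$d/subuid"
    cp "$d/subuid" "$d/subgid"
    echo 100 > "$d/max_user_namespaces"
    echo 'OPTIONS="--selinux-enabled --userns-remap=default"' > "$d/docker"
    userns_preflight "$d/subuid" "$d/subgid" "$d/max_user_namespaces" "$d/docker"
    rc=$?; rm -rf "$d"; return $rc
}
```

Run `demo` to exercise the checks, or call `userns_preflight` with the real paths on a host before restarting the daemon.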
Comment 2 Daniel Walsh 2017-06-15 11:39:29 UTC
Tom could you figure out what is going on here?

Comment 3 Tom Sweeney 2017-06-21 19:15:15 UTC
The docker daemon code was returning this error whenever the --read-only switch was used and user namespaces were enabled, unless, as Ed noted, the '--userns=host' parameter was included.  I found this in git commit 301bfbdd21c7795c41611bf8a8c31a0136b91bde and earlier.  The most recent docker daemon code no longer includes that if statement.

This can be seen:  http://pastebin.test.redhat.com/496452

I'm trying to figure out the easiest way to get the latest docker/moby installed on a 7.4 test system as it's not yet in the repos apparently.

Comment 4 Ed Santiago 2017-06-21 21:38:45 UTC
This is the commit that removed it: 

  https://github.com/moby/moby/commit/6062ae5742e49ec1a79073c327f3d1343c218a12

It's from August 2016, tagged in v1.13.0-rc1, so the obvious test is to try the reproducer on docker-latest. Unfortunately I can't seem to get userns to work at all on docker-latest-1.13.1-19.1.git19ea2d3.el7. I will need to pursue this tomorrow.

Comment 5 Tom Sweeney 2017-06-22 12:34:45 UTC
I installed docker-latest-1.13.1-19.1.git19ea2d3.el7 on my test machine and it's no longer failing with the --read-only error.  I did run into an error that I think is unrelated.  I had trouble pulling centos, but if I changed to rhel, it worked.

Also before installing the docker, I first did:

    yum remove docker*
    yum remove oci-*

Then I installed docker-latest.  I've found things go a little south if you don't first remove the images.

    [root@rhelbz ~]# docker run --read-only centos date
    Unable to find image 'centos:latest' locally
    Trying to pull repository registry.access.redhat.com/centos ... 
    Trying to pull repository docker.io/library/centos ... 
    latest: Pulling from docker.io/library/centos
    d5e46245fe40: Pulling fs layer 
    /usr/bin/docker-latest: error pulling image configuration: Get https://dseasb33srnrn.cloudfront.net/registry-v2/docker/registry/v2/blobs/sha256/3b/3bee3060bfc81c061ce7069df35ce090593bda584d4ef464bc0f38086c11371d/data?Expires=1498135692&Signature=Htg2XOo1U3IkVPOgRRVDfDO9xR1lO5l5lD-nqjd0KqW5u3HWJNLzMWwJ9q4ZSSjJqo1PYK3OwrOjccVApHQQHlvoXsi7P7LGwTmXmffLWHqGsHP1bITXJIJ6oUMoQLriNTEwJra4zRZbkhhQHv9Ie4NtGqHHbHdaK5n-fdQFcco_&Key-Pair-Id=APKAJECH5M7VWIS5YZ6Q: dial tcp: lookup dseasb33srnrn.cloudfront.net on 192.168.122.1:53: read udp 192.168.122.108:40182->192.168.122.1:53: i/o timeout.
    See '/usr/bin/docker-latest run --help'.
    [root@rhelbz ~]# docker run --read-only rhel7 date
    Thu Jun 22 12:30:38 UTC 2017

Comment 6 Tom Sweeney 2017-06-22 13:39:34 UTC
And fwiw, I just tried the centos variant and it now works:

    [root@rhelbz ~]# docker run --read-only centos date
    Unable to find image 'centos:latest' locally
    Trying to pull repository registry.access.redhat.com/centos ... 
    Trying to pull repository docker.io/library/centos ... 
    latest: Pulling from docker.io/library/centos
    d5e46245fe40: Pull complete 
    Digest: sha256:aebf12af704307dfa0079b3babdca8d7e8ff6564696882bcb5d11f1d461f9ee9
    Status: Downloaded newer image for docker.io/centos:latest
    Thu Jun 22 13:38:37 UTC 2017

Looks like a network/registry issue earlier.

Comment 7 Ed Santiago 2017-06-22 15:13:18 UTC
Kernel regression in 3.10.0-681 breaks userns. Bug 1463072, bug 1462124.

Comment 8 Tom Sweeney 2017-06-22 20:28:29 UTC
Ed, based on what we've found/seen, ok to close out this Bugzilla?  I think it's covered in one or both of the Bugzillas that you found.

Comment 9 Ed Santiago 2017-06-22 20:46:59 UTC
Tough call. I don't think I can decide this.

My hope yesterday was to confirm that docker-1.13 fixes this, and then ask the team if we can live with the limitation in 1.12. The kernel bug throws a monkey wrench because right now no testing is possible.

I would like to leave this open until such time as the kernel bug is fixed. At that time, I would like to double-confirm that docker-latest, run with user namespaces enabled on a RHEL 7.4 system, running a container with --read-only works as expected. I can't in good conscience close this when it's not working.

Comment 10 Tom Sweeney 2017-06-22 21:01:32 UTC
Valid points, let's keep it open then.

Comment 14 RHEL Program Management 2021-01-15 07:38:09 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

