Bug 1509880 - oci runtime error: permission denied while enabling docker system container
Summary: oci runtime error: permission denied while enabling docker system container
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.7.z
Assignee: Giuseppe Scrivano
QA Contact: Gan Huang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-06 09:22 UTC by Gan Huang
Modified: 2017-11-28 22:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: wrong SELinux label on /var/lib/containers.
Consequence: the Docker system container was prevented from running with the correct SELinux label.
Fix: ensure /var/lib/containers is correctly labelled.
Clone Of:
Environment:
Last Closed: 2017-11-28 22:21:49 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHSA-2017:3188 (priority normal, status SHIPPED_LIVE): Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update (last updated 2017-11-29 02:34:54 UTC)

Description Gan Huang 2017-11-06 09:22:14 UTC
Description of problem:

Task failed while enabling docker system container:

RUNNING HANDLER [openshift_master : restart master api] ************************
Monday 06 November 2017  08:38:32 +0000 (0:00:00.015)       0:11:12.414 ******* 

fatal: [host-8-247-60.host.centralci.eng.rdu2.redhat.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to restart service atomic-openshift-master-api: Job for atomic-openshift-master-api.service failed because the control process exited with error code. See \"systemctl status atomic-openshift-master-api.service\" and \"journalctl -xe\" for details.\n"}              : ok=12   changed=0    unreachable=0    failed=0   


Version-Release number of the following components:
openshift-ansible-3.7.0-0.191.0.git.0.bc2ff60.el7.noarch.rpm

container-engine:v3.7.0-0.195.0.0

How reproducible:

Steps to Reproduce:
1. Trigger installation on RHEL with docker system container enabled
# cat inventory_host

openshift_docker_use_system_container=true
openshift_docker_systemcontainer_image_override=http:brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/container-engine:v3.7.0


Actual results:
# journalctl -u atomic-openshift-master-api --no-pager | less
Nov 06 03:36:14 host-172-16-120-59 atomic-openshift-master-api[4924]: /usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: permission denied\n".

Expected results:

Additional info:

type=AVC msg=audit(1509957728.327:19370): avc:  denied  { setattr } for  pid=15997 comm="docker-runc-cur" name="" dev="pipefs" ino=221505 scontext=system_u:system_r:spc_t:s0

# ls -lZ /var/lib/containers/atomic/container-engine.0
-rw-r--r--. root root unconfined_u:object_r:var_lib_t:s0 config.json
-rw-r--r--. root root unconfined_u:object_r:var_lib_t:s0 container-engine.service
-rw-r--r--. root root unconfined_u:object_r:var_lib_t:s0 info
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 rootfs
-rw-r--r--. root root unconfined_u:object_r:var_lib_t:s0 tmpfiles-container-engine.conf
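
As an added example (not part of the bug report or of the openshift-ansible fix), the POSIX shell script below shows how a node check could spot the mislabelling reported above from `ls -lZ` output and audit AVC lines. It assumes that container-selinux expects container_var_lib_t on /var/lib/containers and that `restorecon` is the remediation; neither is stated in the report.

```shell
#!/bin/sh
# Added example: detect the /var/lib/containers mislabelling from this report
# in `ls -lZ` output and audit AVC lines. Assumption: container-selinux labels
# /var/lib/containers as container_var_lib_t, so var_lib_t entries are wrong.
EXPECTED_TYPE="container_var_lib_t"

# Constructed sample: two entries from the report's `ls -lZ` output.
LSZ_SAMPLE='-rw-r--r--. root root unconfined_u:object_r:var_lib_t:s0 config.json
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 rootfs'

# Constructed sample: the AVC denial quoted in the report.
AVC_SAMPLE='type=AVC msg=audit(1509957728.327:19370): avc:  denied  { setattr } for  pid=15997 comm="docker-runc-cur" name="" dev="pipefs" ino=221505 scontext=system_u:system_r:spc_t:s0'

# selinux_type CONTEXT: print the type field of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabelled_entries LSZ_OUTPUT: print "TYPE NAME" for every entry whose
# SELinux type differs from EXPECTED_TYPE (no output means all labels match).
mislabelled_entries() {
    printf '%s\n' "$1" | while read -r _perms _user _group ctx name; do
        [ -n "$ctx" ] || continue
        t=$(selinux_type "$ctx")
        [ "$t" = "$EXPECTED_TYPE" ] || printf '%s %s\n' "$t" "$name"
    done
}

# avc_denied_perm AVC_LINE: the permission SELinux denied (e.g. setattr).
avc_denied_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p'
}

# avc_source_type AVC_LINE: the source domain type (e.g. spc_t).
avc_source_type() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# Remediation (assumed, not from the report): relabel from the file contexts
# that container-selinux installs instead of chcon'ing files by hand.
remediation_command() {
    printf 'restorecon -Rv /var/lib/containers\n'
}

# Report on the samples when the script is run directly.
mislabelled_entries "$LSZ_SAMPLE"
printf 'AVC: %s denied for domain %s\n' \
    "$(avc_denied_perm "$AVC_SAMPLE")" "$(avc_source_type "$AVC_SAMPLE")"
[ -z "$(mislabelled_entries "$LSZ_SAMPLE")" ] || remediation_command
```

On a real node, feed `ls -lZ /var/lib/containers/atomic/container-engine.0` and `ausearch -m avc` output into the same functions instead of the constructed samples.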

Comment 2 Scott Dodson 2017-11-06 17:44:51 UTC
Can you confirm which version of atomic host and/or atomic, docker, container-selinux packages was used when the problem was encountered? If all of those are updated to the latest does the problem go away?

Setting this to 3.7.z.

Comment 3 Giuseppe Scrivano 2017-11-06 19:11:41 UTC
PR here:

https://github.com/openshift/openshift-ansible/pull/6030

Comment 4 Gan Huang 2017-11-07 04:09:30 UTC
@Steve, it was a containerized installation on RHEL-7.4.

Issue still persists while re-testing with latest RHEL7.4 and packages:

# rpm -qa |grep atomic
atomic-openshift-excluder-3.7.0-0.191.0.git.0.2533484.el7.noarch
atomic-openshift-docker-excluder-3.7.0-0.191.0.git.0.2533484.el7.noarch
atomic-registries-1.19.1-5.git48c224b.el7.x86_64
atomic-1.19.1-5.git48c224b.el7.x86_64

# rpm -qa |grep container
container-storage-setup-0.8.0-3.git1d27ecf.el7.noarch
skopeo-containers-0.1.24-1.dev.git28d4e08.el7.x86_64
container-selinux-2.28-1.git85ce147.el7.noarch
subscription-manager-plugin-container-1.19.23-1.el7_4.x86_64

# uname -r
3.10.0-693.5.2.el7.x86_64

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)

The installation is able to proceed while using the patch above.

Comment 6 Gan Huang 2017-11-09 08:52:41 UTC
Verified in openshift-ansible-3.7.4-1.git.0.254e849.el7.noarch.rpm

Comment 9 errata-xmlrpc 2017-11-28 22:21:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

