Description of problem:

Basically trying to get a non-privileged system container in 27: https://developers.redhat.com/blog/2014/05/05/running-systemd-within-docker-container/

I boot a f27 cloud image (vagrant box here) and build a docker container from:

```
FROM registry.fedoraproject.org/fedora:26
ENV container docker
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
STOPSIGNAL SIGRTMIN+3
EXPOSE 80
CMD [ "/sbin/init" ]
```

and then try to run it just as in the article:

```
sudo docker run -p 80:80 httpd
```

I never get any output on the terminal and apache never gets started.

Version-Release number of selected component (if applicable):

docker-1.13.1-26.gitb5e3294.fc27.x86_64
oci-umount-2.0.0-2.gitf90b64c.fc27.x86_64
oci-register-machine-0-5.11.gitcd1e331.fc27.x86_64
oci-systemd-hook-0.1.13-1.gitafe4b4a.fc27.x86_64

the cloud image is: https://kojipkgs.fedoraproject.org/compose/27/Fedora-27-20171105.0/compose/CloudImages/x86_64/images/Fedora-Cloud-Base-Vagrant-27-1.6.x86_64.vagrant-libvirt.box

How reproducible: Always

Steps to Reproduce:
1. dnf install -y docker
2. systemctl start docker
3. docker build
4. docker run

Additional info:
I was able to reproduce this on F26 as well.

```
$ cat Dockerfile
FROM registry.fedoraproject.org/fedora:26
ENV container docker
RUN dnf -y install httpd && \
    dnf clean all && \
    systemctl enable httpd
STOPSIGNAL SIGRTMIN+3
EXPOSE 80
CMD [ "/sbin/init" ]

$ sudo docker build -t httpd-systemd .
$ sudo docker run -ti --tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro httpd-systemd
```

Saw some SELinux denials/errors in the journal:

-- Logs begin at Mon 2017-09-11 14:22:23 EDT, end at Mon 2017-11-06 14:55:05 EST. --
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com sudo[30418]: miabbott : TTY=pts/4 ; PWD=/sysroot/tmp/tmp.M2Q7OYEwZH ; USER=root ; COMMAND=/bin/docker run -ti --tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80 miabbott/httpd-systemd
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[30418]: USER_CMD pid=30418 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/sysroot/tmp/tmp.M2Q7OYEwZH" cmd=646F636B65722072756E202D7469202D2D746D706673202F72756E202D2D746D706673202F746D70202D76202F7379732F66732F6367726F75703A2F7379732F66732F6367726F75703A726F202D70203830206D696162626F74742F68747470642D73797374656D64 terminal=pts/4 res=success'
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[30418]: CRED_REFR pid=30418 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com sudo[30418]: pam_systemd(sudo:session): Cannot create session: Already occupied by a session
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[30418]: USER_START pid=30418 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=?
terminal=/dev/pts/4 res=success' Nov 06 14:43:45 dhcp-41-99.bos.redhat.com sudo[30418]: pam_unix(sudo:session): session opened for user root by (uid=0) Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.573472170-05:00" level=info msg="{Action=_ping, Username=miabbott, LoginUID=1000, PID=30419}" Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='hostname=? user=miabbott auid=1000 exe=? vm-pid=? reason=api op=_ping vm=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.574889128-05:00" level=info msg="{Action=create, Username=miabbott, LoginUID=1000, PID=30419}" Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=create exe=? reason=api vm=? vm-pid=? user=miabbott auid=1000 hostname=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.620209594-05:00" level=info msg="{Action=attach, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419}" Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api exe=/sbin/init op=attach vm=miabbott/httpd-systemd vm-pid=0 user=miabbott auid=1000 hostname=efd6765418a9 exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? 
res=success' Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.621492267-05:00" level=info msg="{Action=start, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419, Config={Hostname=efd6765418a9, AttachStdin=true, AttachStdout=true, AttachStderr=true, ExposedPorts=map[80/tcp:{}], Tty=true, OpenStdin=true, StdinOnce=true, Env=[DISTTAG=f26container FGC=f26 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=docker], Cmd=[/sbin/init], ArgsEscaped=true, Image=miabbott/httpd-systemd, NetworkDisabled=false, Labels=map[version:26 license:MIT name:fedora vendor:Fedora Project], StopSignal=SIGRTMIN+3}, HostConfig={Binds=[/sys/fs/cgroup:/sys/fs/cgroup:ro], LogConfig={Type:journald Config:map[]}, NetworkMode=default, PortBindings=map[80/tcp:[{HostIP: HostPort:}]], RestartPolicy={Name:no MaximumRetryCount:0}, AutoRemove=false, DNS=[], DNSOptions=[], DNSSearch=[], Privileged=false, PublishAllPorts=false, ReadonlyRootfs=false, Tmpfs=map[/run: /tmp:], ShmSize=67108864, Runtime=oci, Resources={CPUShares:0 Memory:0 NanoCPUs:0 CgroupParent: BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[] CPUPeriod:0 CPUQuota:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 CpusetCpus: CpusetMems: Devices:[] DiskQuota:0 KernelMemory:0 MemoryReservation:0 MemorySwap:0 MemorySwappiness:0xc420b4e368 OomKillDisable:0xc420b4e372 PidsLimit:0 Ulimits:[] CPUCount:0 CPUPercent:0 IOMaximumIOps:0 IOMaximumBandwidth:0}}}" Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api auid=1000 hostname=efd6765418a9 op=start vm=miabbott/httpd-systemd vm-pid=0 user=miabbott exe=/sbin/init exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? 
res=success' Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: docker0: port 3(vethc873255) entered blocking state Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: docker0: port 3(vethc873255) entered disabled state Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit: ANOM_PROMISCUOUS dev=vethc873255 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295 Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-udevd[30429]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: device vethc873255 entered promiscuous mode Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: IPv6: ADDRCONF(NETDEV_UP): vethc873255: link is not ready Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-udevd[30430]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-udevd[30429]: Could not generate persistent MAC address for vethd284ce9: No such file or directory Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-udevd[30430]: Could not generate persistent MAC address for vethc873255: No such file or directory Nov 06 14:43:45 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info> [1509997425.6279] manager: (vethd284ce9): new Veth device (/org/freedesktop/NetworkManager/Devices/32) Nov 06 14:43:45 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info> [1509997425.6294] manager: (vethc873255): new Veth device (/org/freedesktop/NetworkManager/Devices/33) Nov 06 14:43:45 dhcp-41-99.bos.redhat.com firewalld[1141]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 32769 -j DNAT --to-destination 172.17.0.4:80 ! -i docker0' failed: Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit: NETFILTER_CFG table=nat family=2 entries=70 Nov 06 14:43:45 dhcp-41-99.bos.redhat.com firewalld[1141]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! 
-i docker0 -o docker0 -p tcp -d 172.17.0.4 --dport 80 -j ACCEPT' failed: Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit: NETFILTER_CFG table=filter family=2 entries=116 Nov 06 14:43:45 dhcp-41-99.bos.redhat.com firewalld[1141]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.17.0.4 -d 172.17.0.4 --dport 80 -j MASQUERADE' failed: Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit: NETFILTER_CFG table=nat family=2 entries=71 Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd[1]: Started libcontainer container efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue) Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: eth0: renamed from vethd284ce9 Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: IPv6: ADDRCONF(NETDEV_CHANGE): vethc873255: link becomes ready Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: docker0: port 3(vethc873255) entered blocking state Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: docker0: port 3(vethc873255) entered forwarding state Nov 06 14:43:45 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info> [1509997425.7291] device (vethc873255): link connected Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-register-machine[30479]: 2017/11/06 14:43:45 Register machine: prestart efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867 30464 /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-machined[2107]: New machine efd6765418a94123e8cd32caa2763a2e. 
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: rootfs=/var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: gidMappings not found in config Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: GID: 0 Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: uidMappings not found in config Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: UID: 0 Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: /run already present as a mount point in container configuration, skipping Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 11:pids:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :pids:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 10:cpuset:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :cpuset:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 9:blkio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :blkio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 
8:devices:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :devices:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 7:perf_event:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :perf_event:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 6:cpu,cpuacct:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 5:memory:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :memory:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: Found cgroup Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: PATH: /system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/memory/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com 
oci-systemd-hook[30483]: systemdhook <debug>: memory path: /sys/fs/cgroup/memory/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/memory.limit_in_bytes Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: LIMIT: 9223372036854771712 Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: Limit in bytes: 9223372036854771712 Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: /tmp already present as a mount point in container configuration, skipping Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: /sys/fs/cgroup already present as a mount point in container configuration, skipping Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 11:pids:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :pids:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 10:cpuset:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :cpuset:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 9:blkio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :blkio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 
8:devices:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :devices:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 7:perf_event:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :perf_event:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 6:cpu,cpuacct:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 5:memory:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :memory:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 4:freezer:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :freezer:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 
3:hugetlb:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :hugetlb:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 2:net_cls,net_prio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :net_cls,net_prio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 1:name=systemd:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :name=systemd:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: Found cgroup Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: PATH: /system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/.: Operation not supported Nov 06 14:43:45 
dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/..: Read-only file system Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/cgroup.clone_children: Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/tasks: Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/notify_on_release: Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/cgroup.procs: 
Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/.: Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/..: Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/cgroup.clone_children: Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/tasks: Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/notify_on_release: Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/cgroup.procs: Operation not supported Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: prestart 
/var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/overlay]: No such file or directory. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/devicemapper]: No such file or directory. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay2]: No such file or directory. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay]: No such file or directory. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/devicemapper]: No such file or directory. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/containers/]: No such file or directory. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/lvm]: No such file or directory. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/devicemapper]: No such file or directory. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/overlay]: No such file or directory. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/run/containers/storage]: No such file or directory. Skipping. 
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/overlay2] from host to conatiner. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/containers] from host to conatiner. Skipping. Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.787776744-05:00" level=info msg="{Action=resize, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419}" Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm-pid=30464 user=miabbott op=resize vm=miabbott/httpd-systemd auid=1000 exe=/sbin/init hostname=efd6765418a9 reason=api exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 06 14:43:46 dhcp-41-99.bos.redhat.com gnome-shell[2661]: Source ID 124500 was not found when attempting to remove it Nov 06 14:43:47 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: Joining mDNS multicast group on interface vethc873255.IPv6 with address fe80::58eb:f8ff:fee7:1a28. Nov 06 14:43:47 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: New relevant interface vethc873255.IPv6 for mDNS. Nov 06 14:43:47 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: Registering new address record for fe80::58eb:f8ff:fee7:1a28 on vethc873255.*. 
Nov 06 14:43:47 dhcp-41-99.bos.redhat.com dockerd-current[1406]: [12.2K blob data] Nov 06 14:43:48 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:48.632415324-05:00" level=info msg="{Action=resize, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419}" Nov 06 14:43:48 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api op=resize vm-pid=30464 user=miabbott exe=/sbin/init hostname=efd6765418a9 vm=miabbott/httpd-systemd auid=1000 exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 06 14:43:48 dhcp-41-99.bos.redhat.com audit[30464]: AVC avc: denied { write } for pid=30464 comm="systemd" name="docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope" dev="cgroup2" ino=295 scontext=system_u:system_r:container_t:s0:c24,c647 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 Nov 06 14:43:50 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:50.833640238-05:00" level=info msg="{Action=resize, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419}" Nov 06 14:43:50 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='hostname=efd6765418a9 reason=api vm=miabbott/httpd-systemd auid=1000 exe=/sbin/init op=resize vm-pid=30464 user=miabbott exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 06 14:43:51 dhcp-41-99.bos.redhat.com dockerd-current[1406]: [12.4K blob data]
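Added example, not part of the original report: a small triage script for a journal excerpt like the one in the comment above. It decodes the hex-encoded `cmd=` field of `USER_CMD` audit records, extracts each AVC denial, and lists the `oci-systemd-hook` relabel failures that mention the denied directory name. The function names, the `CONTAINER_ID` placeholder and the abridged sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: records abridged from the journal excerpts in this thread.
# CONTAINER_ID stands in for the 64-character container ID and "host" for the
# hostname; the hex cmd= value is one that appears in the thread's logs.
SAMPLE_JOURNAL = [
    "Nov 06 15:02:00 host audit[3914]: USER_CMD pid=3914 uid=1000 auid=1000 ses=3 "
    "msg='cwd=\"/tmp\" cmd=646F636B65722072756E202D69742068747470642D73797374656D64 "
    "terminal=pts/3 res=success'",
    "Nov 06 14:43:45 host oci-systemd-hook[30483]: systemdhook <error>: Failed to set "
    "context system_u:object_r:container_file_t:s0:c24,c647 on "
    "/sys/fs/cgroup/systemd/system.slice/docker-CONTAINER_ID.scope/.: Operation not supported",
    "Nov 06 14:43:45 host oci-systemd-hook[30483]: systemdhook <error>: Failed to set "
    "context system_u:object_r:container_file_t:s0:c24,c647 on "
    "/sys/fs/cgroup/systemd/system.slice/docker-CONTAINER_ID.scope/..: Read-only file system",
    "Nov 06 14:43:48 host audit[30464]: AVC avc: denied { write } for pid=30464 "
    "comm=\"systemd\" name=\"docker-CONTAINER_ID.scope\" dev=\"cgroup2\" ino=295 "
    "scontext=system_u:system_r:container_t:s0:c24,c647 "
    "tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0",
]

USER_CMD_RE = re.compile(r"\bUSER_CMD\b.*?\bcmd=(\S+)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HOOK_RE = re.compile(r"systemdhook <error>: Failed to set context (\S+) on (.+): ([^:]+)$")


def decode_audit_value(value):
    """auditd quotes plain strings and hex-encodes ones containing spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not valid hex: keep the raw token


def selinux_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def triage(lines):
    """Pull the security-relevant records out of a noisy container-start journal."""
    commands, denials, relabel_failures = [], [], []
    for raw in lines:
        line = raw.strip()
        m = USER_CMD_RE.search(line)
        if m:
            commands.append(decode_audit_value(m.group(1)))
            continue
        m = AVC_RE.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
            denials.append({
                "perms": m.group(1).split(),
                "comm": fields.get("comm"),
                "name": fields.get("name"),
                "source_type": selinux_type(fields.get("scontext", "")),
                "target_type": selinux_type(fields.get("tcontext", "")),
                "tclass": fields.get("tclass"),
                "enforced": fields.get("permissive") == "0",
            })
            continue
        m = HOOK_RE.search(line)
        if m:
            relabel_failures.append({
                "wanted_type": selinux_type(m.group(1)),
                "path": m.group(2),
                "reason": m.group(3).strip(),
            })
    # Correlate by name only: a relabel failure is "related" when its path
    # mentions the directory name that the AVC record reports as denied.
    for d in denials:
        d["related_relabel_failures"] = dict(Counter(
            f["reason"] for f in relabel_failures
            if d["name"] and d["name"] in f["path"]
        ))
    return {"commands": commands, "denials": denials,
            "relabel_failures": relabel_failures}


if __name__ == "__main__":
    report = triage(SAMPLE_JOURNAL)
    for cmd in report["commands"]:
        print("sudo command:", cmd)
    for d in report["denials"]:
        print("denied %s: %s (%s) -> %s:%s name=%s enforced=%s" % (
            ",".join(d["perms"]), d["comm"], d["source_type"],
            d["target_type"], d["tclass"], d["name"], d["enforced"]))
        print("  relabel failures naming it:", d["related_relabel_failures"])
```

On a real host the input would be the saved output of `journalctl` for the time window of the `docker run`, one record per line.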
What do you see if you just run

docker run -ti httpd-systemd
(In reply to Daniel Walsh from comment #2)
> What do you see if you just run
>
> docker run -ti httpd-systemd

Looks like the same to me:

-- Logs begin at Mon 2017-09-11 14:22:23 EDT, end at Mon 2017-11-06 15:05:38 EST. --
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com sudo[3914]: miabbott : TTY=pts/3 ; PWD=/var/home/miabbott/workspaces/miabbott/files/dockerfiles ; USER=root ; COMMAND=/bin/docker run -it httpd-systemd
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[3914]: USER_CMD pid=3914 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/home/miabbott/workspaces/miabbott/files/dockerfiles" cmd=646F636B65722072756E202D69742068747470642D73797374656D64 terminal=pts/3 res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[3914]: CRED_REFR pid=3914 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com sudo[3914]: pam_systemd(sudo:session): Cannot create session: Already occupied by a session
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[3914]: USER_START pid=3914 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com sudo[3914]: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:00.935143213-05:00" level=info msg="{Action=_ping, Username=miabbott, LoginUID=1000, PID=3915}"
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='hostname=? reason=api op=_ping vm=?
vm-pid=? user=miabbott auid=1000 exe=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 06 15:02:00 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:00.936279574-05:00" level=info msg="{Action=create, Username=miabbott, LoginUID=1000, PID=3915}" Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=create exe=? hostname=? reason=api vm-pid=? user=miabbott auid=1000 vm=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 06 15:02:00 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:00.987340943-05:00" level=info msg="{Action=attach, ID=652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941, Username=miabbott, LoginUID=1000, PID=3915}" Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='auid=1000 hostname=652426008f97 vm-pid=0 user=miabbott vm=httpd-systemd exe=/sbin/init reason=api op=attach exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? 
res=success' Nov 06 15:02:00 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:00.988874867-05:00" level=info msg="{Action=start, ID=652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941, Username=miabbott, LoginUID=1000, PID=3915, Config={Hostname=652426008f97, AttachStdin=true, AttachStdout=true, AttachStderr=true, ExposedPorts=map[80/tcp:{}], Tty=true, OpenStdin=true, StdinOnce=true, Env=[DISTTAG=f26container FGC=f26 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=docker], Cmd=[/sbin/init], ArgsEscaped=true, Image=httpd-systemd, NetworkDisabled=false, Labels=map[version:26 license:MIT name:fedora vendor:Fedora Project], StopSignal=SIGRTMIN+3}, HostConfig={LogConfig={Type:journald Config:map[]}, NetworkMode=default, PortBindings=map[], RestartPolicy={Name:no MaximumRetryCount:0}, AutoRemove=false, DNS=[], DNSOptions=[], DNSSearch=[], Privileged=false, PublishAllPorts=false, ReadonlyRootfs=false, ShmSize=67108864, Runtime=oci, Resources={CPUShares:0 Memory:0 NanoCPUs:0 CgroupParent: BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[] CPUPeriod:0 CPUQuota:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 CpusetCpus: CpusetMems: Devices:[] DiskQuota:0 KernelMemory:0 MemoryReservation:0 MemorySwap:0 MemorySwappiness:0xc420f6a558 OomKillDisable:0xc420f6a572 PidsLimit:0 Ulimits:[] CPUCount:0 CPUPercent:0 IOMaximumIOps:0 IOMaximumBandwidth:0}}}" Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm-pid=0 user=miabbott auid=1000 op=start vm=httpd-systemd exe=/sbin/init hostname=652426008f97 reason=api exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 06 15:02:00 dhcp-41-99.bos.redhat.com systemd-udevd[3925]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. 
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com systemd-udevd[3924]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. Nov 06 15:02:00 dhcp-41-99.bos.redhat.com systemd-udevd[3925]: Could not generate persistent MAC address for veth4de4939: No such file or directory Nov 06 15:02:00 dhcp-41-99.bos.redhat.com systemd-udevd[3924]: Could not generate persistent MAC address for veth2c07857: No such file or directory Nov 06 15:02:00 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info> [1509998520.9974] manager: (veth2c07857): new Veth device (/org/freedesktop/NetworkManager/Devices/34) Nov 06 15:02:00 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info> [1509998520.9987] manager: (veth4de4939): new Veth device (/org/freedesktop/NetworkManager/Devices/35) Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: docker0: port 4(veth4de4939) entered blocking state Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: docker0: port 4(veth4de4939) entered disabled state Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: device veth4de4939 entered promiscuous mode Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit: ANOM_PROMISCUOUS dev=veth4de4939 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295 Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: IPv6: ADDRCONF(NETDEV_UP): veth4de4939: link is not ready Nov 06 15:02:01 dhcp-41-99.bos.redhat.com systemd[1]: Started libcontainer container 652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: SELinux: mount invalid. 
Same superblock, different security settings for (dev mqueue, type mqueue) Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: eth0: renamed from veth2c07857 Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth4de4939: link becomes ready Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: docker0: port 4(veth4de4939) entered blocking state Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: docker0: port 4(veth4de4939) entered forwarding state Nov 06 15:02:01 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info> [1509998521.0901] device (veth4de4939): link connected Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-register-machine[3983]: 2017/11/06 15:02:01 Register machine: prestart 652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941 3946 /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged Nov 06 15:02:01 dhcp-41-99.bos.redhat.com systemd-machined[2107]: New machine 652426008f97893eb849d6766d1b7c0f. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: rootfs=/var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: gidMappings not found in config Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: GID: 0 Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: uidMappings not found in config Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: UID: 0 Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 11:pids:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :pids:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 
15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 10:cpuset:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :cpuset:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 9:blkio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :blkio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 8:devices:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :devices:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 7:perf_event:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :perf_event:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 6:cpu,cpuacct:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 
5:memory:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :memory:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: Found cgroup Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: PATH: /system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/memory/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: memory path: /sys/fs/cgroup/memory/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/memory.limit_in_bytes Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: LIMIT: 9223372036854771712 Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: Limit in bytes: 9223372036854771712 Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: /sys/fs/cgroup already present as a mount point in container configuration, skipping Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 11:pids:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :pids:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 10:cpuset:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 
06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :cpuset:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 9:blkio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :blkio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 8:devices:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :devices:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 7:perf_event:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :perf_event:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 6:cpu,cpuacct:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 5:memory:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 
:memory:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 4:freezer:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :freezer:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 3:hugetlb:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :hugetlb:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 2:net_cls,net_prio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :net_cls,net_prio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 1:name=systemd:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :name=systemd:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: Found cgroup Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: PATH: /system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook 
<debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/.: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/..: Read-only file system Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/cgroup.clone_children: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/tasks: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on 
/var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/notify_on_release: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/cgroup.procs: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/.: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/..: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/cgroup.clone_children: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/tasks: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set 
context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/notify_on_release: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/cgroup.procs: Operation not supported Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: prestart /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/overlay]: No such file or directory. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/devicemapper]: No such file or directory. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay2]: No such file or directory. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay]: No such file or directory. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/devicemapper]: No such file or directory. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/containers/]: No such file or directory. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/lvm]: No such file or directory. Skipping. 
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/devicemapper]: No such file or directory. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/overlay]: No such file or directory. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/run/containers/storage]: No such file or directory. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/overlay2] from host to conatiner. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/containers] from host to conatiner. Skipping. Nov 06 15:02:01 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:01.156180986-05:00" level=info msg="{Action=resize, ID=652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941, Username=miabbott, LoginUID=1000, PID=3915}" Nov 06 15:02:01 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm=httpd-systemd exe=/sbin/init hostname=652426008f97 reason=api op=resize auid=1000 vm-pid=3946 user=miabbott exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 06 15:02:02 dhcp-41-99.bos.redhat.com gnome-shell[2661]: Source ID 134440 was not found when attempting to remove it Nov 06 15:02:02 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: Joining mDNS multicast group on interface veth4de4939.IPv6 with address fe80::ece1:10ff:fe13:c2f2. Nov 06 15:02:02 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: New relevant interface veth4de4939.IPv6 for mDNS. 
Nov 06 15:02:02 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: Registering new address record for fe80::ece1:10ff:fe13:c2f2 on veth4de4939.*. Nov 06 15:02:02 dhcp-41-99.bos.redhat.com dockerd-current[1406]: [12.4K blob data] Nov 06 15:02:03 dhcp-41-99.bos.redhat.com audit[3946]: AVC avc: denied { write } for pid=3946 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c703,c717 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0 Nov 06 15:02:03 dhcp-41-99.bos.redhat.com audit[3946]: AVC avc: denied { write } for pid=3946 comm="systemd" name="docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope" dev="cgroup" ino=1019 scontext=system_u:system_r:container_t:s0:c703,c717 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
Micah, does enabling the container_manage_cgroup boolean fix anything?

setsebool -P container_manage_cgroup 1
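Added example (not part of the thread, and not code from Fedora, Docker or container-selinux): a small Python triage of the journal excerpt above that decodes the hex-encoded `cmd=` field of the `USER_CMD` audit record and groups the `AVC ... denied` records by source type, target type, class and permission. The function names are hypothetical; the `container_t` to `cgroup_t` filter is an assumption taken from the container-selinux policy, where the `container_manage_cgroup` boolean covers that access, and is not stated in the thread.

```python
import re
from collections import Counter

# Journal lines copied unmodified from the excerpt in the reply above.
SAMPLE_JOURNAL = [
    # sudo audit record: cmd= is hex-encoded because the command has spaces
    ("Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[3914]: USER_CMD pid=3914 "
     "uid=1000 auid=1000 ses=3 "
     "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
     "msg='cwd=\"/var/home/miabbott/workspaces/miabbott/files/dockerfiles\" "
     "cmd=646F636B65722072756E202D69742068747470642D73797374656D64 "
     "terminal=pts/3 res=success'"),
    # unrelated kernel line, kept to show that non-AVC records are skipped
    ("Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: device veth4de4939 "
     "entered promiscuous mode"),
    ("Nov 06 15:02:03 dhcp-41-99.bos.redhat.com audit[3946]: AVC avc: denied "
     "{ write } for pid=3946 comm=\"systemd\" name=\"release_agent\" "
     "dev=\"cgroup\" ino=7 scontext=system_u:system_r:container_t:s0:c703,c717 "
     "tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0"),
    ("Nov 06 15:02:03 dhcp-41-99.bos.redhat.com audit[3946]: AVC avc: denied "
     "{ write } for pid=3946 comm=\"systemd\" "
     "name=\"docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope\" "
     "dev=\"cgroup\" ino=1019 scontext=system_u:system_r:container_t:s0:c703,c717 "
     "tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0"),
]

CMD_RE = re.compile(r'\bcmd=(?:"([^"]*)"|([0-9A-Fa-f]+))')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_audit_cmd(line):
    """Return the command from an audit record's cmd= field, or None."""
    m = CMD_RE.search(line)
    if m is None:
        return None
    if m.group(1) is not None:          # quoted form: already plain text
        return m.group(1)
    try:                                # bare form: hex-encoded bytes
        return bytes.fromhex(m.group(2)).decode("utf-8", errors="replace")
    except ValueError:                  # odd-length or otherwise not hex
        return m.group(2)


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields


def selinux_type(context):
    """Type is the third field of user:role:type:level[:categories]."""
    return context.split(":")[2]


def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        for perm in avc["perms"]:
            counts[(selinux_type(avc["scontext"]),
                    selinux_type(avc["tcontext"]),
                    avc["tclass"], perm)] += 1
    return counts


def container_cgroup_denials(lines):
    """Denials where a container_t process was refused access to cgroup_t.

    Assumption (from container-selinux policy, not from the thread): this is
    the access pattern the container_manage_cgroup boolean is meant to cover.
    """
    hits = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        if (selinux_type(avc["scontext"]) == "container_t"
                and selinux_type(avc["tcontext"]) == "cgroup_t"):
            hits.append((avc["name"], avc["tclass"], avc["perms"]))
    return hits


if __name__ == "__main__":
    print("command:", decode_audit_cmd(SAMPLE_JOURNAL[0]))
    for key, n in summarize(SAMPLE_JOURNAL).items():
        print(n, *key)
    for name, tclass, perms in container_cgroup_denials(SAMPLE_JOURNAL):
        print("cgroup denial:", tclass, name, perms)
```
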
(In reply to Daniel Walsh from comment #4)
> Micah does enabling container_manage_cgroup boolean fix anything?
>
> setsebool -P container_manage_cgroup 1

I tried this on F27 Cloud host using a F27 base image and the Dockerfile from before:

```
# cat Dockerfile
FROM registry.fedoraproject.org/fedora:27
ENV container docker
RUN dnf -y install httpd && \
    dnf clean all && \
    systemctl enable httpd
STOPSIGNAL SIGRTMIN+3
EXPOSE 80
CMD [ "/sbin/init" ]
```

The container can be run, but there is no output from systemd on the console showing the container coming up. However, in the journal you can see the various services starting. And eventually you can 'curl <container IP>:80' successfully.

-- Logs begin at Thu 2017-11-16 18:51:58 UTC, end at Thu 2017-11-16 19:23:53 UTC. -- Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.288755155Z" level=info msg="{Action=_ping, Username=cloud-user, LoginUID=1000, PID=4485}" Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='auid=1000 exe=? reason=api vm-pid=? user=cloud-user hostname=? op=_ping vm=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.290886636Z" level=info msg="{Action=create, Username=cloud-user, LoginUID=1000, PID=4485}" Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api vm=? op=create vm-pid=? user=cloud-user auid=1000 exe=? hostname=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? 
res=success' Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.309414458Z" level=info msg="{Action=attach, ID=b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f, Username=cloud-user, LoginUID=1000, PID=4485}" Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api vm=httpd-systemd vm-pid=0 user=cloud-user auid=1000 op=attach exe=/sbin/init hostname=b0c564e5c21c exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.311602861Z" level=info msg="{Action=start, ID=b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f, Username=cloud-user, LoginUID=1000, PID=4485, Config={Hostname=b0c564e5c21c, AttachStdin=true, AttachStdout=true, AttachStderr=true, ExposedPorts=map[80/tcp:{}], Tty=true, OpenStdin=true, StdinOnce=true, Env=[DISTTAG=f27container FGC=f27 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=docker], Cmd=[/sbin/init], ArgsEscaped=true, Image=httpd-systemd, NetworkDisabled=false, Labels=map[license:MIT name:fedora vendor:Fedora Project version:27], StopSignal=SIGRTMIN+3}, HostConfig={Binds=[/sys/fs/cgroup:/sys/fs/cgroup:ro], LogConfig={Type:journald Config:map[]}, NetworkMode=default, PortBindings=map[], RestartPolicy={Name:no MaximumRetryCount:0}, AutoRemove=false, DNS=[], DNSOptions=[], DNSSearch=[], Privileged=false, PublishAllPorts=false, ReadonlyRootfs=false, Tmpfs=map[/run: /tmp:], ShmSize=67108864, Runtime=oci, Resources={CPUShares:0 Memory:0 NanoCPUs:0 CgroupParent: BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[] CPUPeriod:0 CPUQuota:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 CpusetCpus: CpusetMems: Devices:[] DiskQuota:0 
KernelMemory:0 MemoryReservation:0 MemorySwap:0 MemorySwappiness:0xc420814040 OomKillDisable:0xc42081404a PidsLimit:0 Ulimits:[] CPUCount:0 CPUPercent:0 IOMaximumIOps:0 IOMaximumBandwidth:0}}}" Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=start vm-pid=0 exe=/sbin/init reason=api vm=httpd-systemd user=cloud-user auid=1000 hostname=b0c564e5c21c exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: docker0: port 1(vethdd3808f) entered blocking state Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: docker0: port 1(vethdd3808f) entered disabled state Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit: ANOM_PROMISCUOUS dev=vethdd3808f prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295 Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: device vethdd3808f entered promiscuous mode Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: IPv6: ADDRCONF(NETDEV_UP): vethdd3808f: link is not ready Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.338377237Z" level=warning msg="SUSE:secrets :: dangling symlink: /usr/share/rhel/secrets/etc-pki-entitlement" Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.338630425Z" level=warning msg="SUSE:secrets :: dangling symlink: /usr/share/rhel/secrets/rhel7.repo" Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[1]: AVC avc: denied { create } for pid=1 comm="systemd" name="docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0 Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to create compat systemd cgroup 
/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope: Permission denied Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to attach 4511 to compat systemd cgroup /system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope: No such file or directory Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Started libcontainer container b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[1]: AVC avc: denied { create } for pid=1 comm="systemd" name="var-lib-docker-containers-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f-shm.mount" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0 Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[1]: AVC avc: denied { create } for pid=1 comm="systemd" name="var-lib-docker-overlay2-36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48-merged.mount" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0 Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[1]: AVC avc: denied { create } for pid=1 comm="systemd" name="var-lib-docker-containers-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f-secrets.mount" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0 Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to create compat systemd cgroup /system.slice/var-lib-docker-containers-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f-shm.mount: Permission denied Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to create compat systemd cgroup /system.slice/var-lib-docker-overlay2-36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48-merged.mount: Permission denied Nov 
16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to create compat systemd cgroup /system.slice/var-lib-docker-containers-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f-secrets.mount: Permission denied Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue) Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: eth0: renamed from veth8078cbd Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: IPv6: ADDRCONF(NETDEV_CHANGE): vethdd3808f: link becomes ready Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: docker0: port 1(vethdd3808f) entered blocking state Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: docker0: port 1(vethdd3808f) entered forwarding state Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-register-machine[4520]: 2017/11/16 19:23:06 Register machine: prestart b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f 4511 /var/lib/docker/overlay2/36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48/merged Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd-machined[2933]: New machine b0c564e5c21ca9638b0231d47729165d. 
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: rootfs=/var/lib/docker/overlay2/36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48/merged Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: gidMappings not found in config Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: GID: 0 Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: uidMappings not found in config Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: UID: 0 Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: /run already present as a mount point in container configuration, skipping Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 11:net_cls,net_prio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :net_cls,net_prio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 10:perf_event:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :perf_event:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 9:hugetlb:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 
:hugetlb:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 8:cpuset:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :cpuset:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 7:pids:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :pids:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 6:memory:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :memory:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: Found cgroup Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: PATH: /system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/memory/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: memory path: 
/sys/fs/cgroup/memory/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope/memory.limit_in_bytes Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: LIMIT: 9223372036854771712 Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: Limit in bytes: 9223372036854771712 Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: /tmp already present as a mount point in container configuration, skipping Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: /sys/fs/cgroup already present as a mount point in container configuration, skipping Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 11:net_cls,net_prio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :net_cls,net_prio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 10:perf_event:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :perf_event:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 9:hugetlb:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :hugetlb:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 
micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 8:cpuset:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :cpuset:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 7:pids:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :pids:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 6:memory:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :memory:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 5:freezer:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :freezer:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 4:blkio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :blkio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain 
oci-systemd-hook[4523]: systemdhook <debug>: 3:devices:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :devices:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 2:cpu,cpuacct:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 1:name=systemd:/system.slice/docker-containerd.service Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :name=systemd:/system.slice/docker-containerd.service Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: Found cgroup Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: PATH: /system.slice/docker-containerd.service Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-containerd.service Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c713,c983 on /var/lib/docker/overlay2/36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48/merged//sys/fs/cgroup/systemd/system.slice/docker-containerd.service/..: Read-only file system Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: prestart 
/var/lib/docker/overlay2/36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48/merged Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/overlay]: No such file or directory. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/devicemapper]: No such file or directory. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay2]: No such file or directory. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay]: No such file or directory. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/devicemapper]: No such file or directory. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/containers/]: No such file or directory. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/lvm]: No such file or directory. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/devicemapper]: No such file or directory. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/overlay]: No such file or directory. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/run/containers/storage]: No such file or directory. Skipping. 
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/overlay2] from host to conatiner. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/containers] from host to conatiner. Skipping. Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm=httpd-systemd user=cloud-user exe=/sbin/init hostname=b0c564e5c21c reason=api op=resize vm-pid=4511 auid=1000 exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success' Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.454861576Z" level=info msg="{Action=resize, ID=b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f, Username=cloud-user, LoginUID=1000, PID=4485}" Nov 16 19:23:27 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:28 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-sysusers comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:29 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=ldconfig comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? 
res=success' Nov 16 19:23:30 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-journal-catalog-update comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:33 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-update-done comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:34 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-journal-flush comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:36 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-tmpfiles-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:36 micah-f27cloud-vm1116a.localdomain audit[4546]: SYSTEM_BOOT pid=4546 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success' Nov 16 19:23:38 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-update-utmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? 
res=success' Nov 16 19:23:48 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=dbus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:49 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:50 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-user-sessions comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:52 micah-f27cloud-vm1116a.localdomain audit[4767]: SYSTEM_RUNLEVEL pid=4767 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='old-level=N new-level=3 comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success' Nov 16 19:23:53 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Nov 16 19:23:53 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_STOP pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Could you update your version of docker? docker-1.13.1-41.git0861eff.fc27
docker-1.13.1-42.git4402c09.fc27 skopeo-0.1.25-2.git7fd6f66.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3da8ad596a
I updated to docker-1.13.1-42.git4402c09.fc27.x86_64 and tried running the httpd systemd container again, but hit the same AVC denials from comment #1: Nov 20 15:39:14 micah-f27cloud-vm1120a.localdomain audit[2392]: AVC avc: denied { write } for pid=2392 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c15,c48 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0 Nov 20 15:39:14 micah-f27cloud-vm1120a.localdomain audit[2392]: AVC avc: denied { write } for pid=2392 comm="systemd" name="cgroup.procs" dev="cgroup" ino=377 scontext=system_u:system_r:container_t:s0:c15,c48 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0 If I enable the 'container_manage_cgroup' SEboolean, the container starts successfully. The following SELinux packages were installed: container-selinux-2.29-1.fc27.noarch selinux-policy-3.13.1-283.16.fc27.noarch
We need an update of SELinux policy, I believe, to get this to work without turning on the boolean.
docker-1.13.1-42.git4402c09.fc27, skopeo-0.1.25-2.git7fd6f66.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Fedora Update System from comment #10)
> docker-1.13.1-42.git4402c09.fc27, skopeo-0.1.25-2.git7fd6f66.fc27 has been
> pushed to the Fedora 27 stable repository. If problems still persist, please
> make note of it in this bug report.

I was adding a comment regarding testing I was undertaking on a vm running on VirtualBox with F26 when the quoted update was sent.

On F26 I had updated to docker-1.13.1-44.git584d391.fc26.x86_64.rpm. I was still required to execute:

$ sudo setsebool container_manage_cgroup 1

in order to successfully start the container. However, once I set the bool the container appeared to start successfully. I identified this by monitoring the journal live because there was still no tty/console output. I expected output of the init process. I confirmed that the container was running apache by opening Firefox and accessing the test web page successfully.

Since the issue still existed with docker-1.13.1-44.git584d391.fc26.x86_64.rpm on F26, and I was not testing the update that I've quoted here (ie. "docker-1.13.1-42.git4402c09.fc27, skopeo-0.1.25-2.git7fd6f66.fc27") I decided I would download F27 and test the update specifically identified.

After freshly installing F27 in a virtualbox vm and updating the system I encountered the following problems/issues:

1. When running

$ sudo dnf install docker-1.13.1-42.git4402c09.fc27

I received an error regarding a dependency problem.

"Result: Error: Problem: conflicting requests -nothing provides atomic-registries >= 1.19.1-6 needed by docker-2:1.13.1-42.git4402c09.fc27.x86_64"

In order to continue with testing I downloaded and installed the following:
- atomic-1.20.1-3.fc27.x86_64.rpm
- atomic-registries-1.20.1-3.fc27.x86_64.rpm
from Koji: https://koji.fedoraproject.org/koji/buildinfo?buildID=1003143

by doing:

$ koji download-build --arch=x86_64 --arch=noarch 1003143
$ sudo dnf -y install atomic-1.20.1-3.fc27.x86_64.rpm
$ sudo dnf -y install atomic-registries-1.20.1-3.fc27.x86_64.rpm

Once I did this I could install docker-1.13.1-42.git4402c09.fc27.

2. I built an image using the following in a Dockerfile:

FROM fedora:26
ENV container docker
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
STOPSIGNAL SIGRTMIN+3
EXPOSE 80
CMD [ "/sbin/init" ]

After I ran the resulting image I still couldn't successfully start the container without running
$ setsebool -P container_manage_cgroup 1.

Is this to be expected?

What are the ramifications of setting this bool? My apologies I'm relatively new to Linux/Unix, and the Fedora distribution.

Note that I still had no tty/console output using fedora:26 as the base image. I managed to identify that the container appeared to start successfully by monitoring the journal live in another terminal window (ie $ journalctl -f).

Also note that if you change out the base image to fedora:24 (ie. changing FROM fedora:26 to fedora:24 in the Dockerfile) then there is tty/console output and after running $ setsebool -P container_manage_cgroup 1, everything appears to work just fine. Does this suggest that the issue regarding no tty/console output lies in the underlying base image?

I have logs from both before I ran $ setsebool -P container_manage_cgroup 1 and after in case they are helpful. I have included them because I hit the 65536 character limit if I do.
(In reply to Darren Gansberg from comment #11)
> After I ran the resulting image I still couldn't successfully start the
> container without running
> $ setsebool -P container_manage_cgroup 1.
>
> Is this to be expected?
>
> What are the ramifications of setting this bool? My apologies I'm relatively
> new to Linux/Unix, and the Fedora distribution.

Based on comment #9 from Dan, to get this working as expected, we need a separate fix to selinux-policy. I've filed the following BZ for that change:

https://bugzilla.redhat.com/show_bug.cgi?id=1517831
*** Bug 1517831 has been marked as a duplicate of this bug. ***
I'm closing the other BZ I opened (1517831) as a duplicate and re-categorizing this as a 'selinux-policy' issue based on comment #9.
lvrabec, what version is this fixed in?
I'll create a build with this fix today.
selinux-policy-3.13.1-283.18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
I'm still unable to run the systemd container with the build of 'selinux-policy' in comment #17. I still have to use 'setsebool -P container_manage_cgroup 1' in order to make the container successfully start/run. Without that boolean enabled, I observe the following AVC denials: # journalctl -b | grep 'avc: denied' Dec 13 16:33:34 micah-f27cloud-vm1213a.localdomain audit[1165]: AVC avc: denied { write } for pid=1165 comm="systemd" name="docker-4d7db7aeebe02c2e307c6fd117c0716a4ba815bc5cfbd443e2e152c63a111454.scope" dev="cgroup2" ino=1149 scontext=system_u:system_r:container_t:s0:c176,c382 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 Dec 13 16:39:33 micah-f27cloud-vm1213a.localdomain audit[1322]: AVC avc: denied { write } for pid=1322 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c315,c979 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0 Dec 13 16:39:33 micah-f27cloud-vm1213a.localdomain audit[1322]: AVC avc: denied { write } for pid=1322 comm="systemd" name="cgroup.procs" dev="cgroup" ino=629 scontext=system_u:system_r:container_t:s0:c315,c979 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0 The testing of the build was done on Fedora 27 Cloud, updated to latest in 'updates-testing' # rpm -q docker selinux-policy docker-1.13.1-44.git584d391.fc27.x86_64 selinux-policy-3.13.1-283.18.fc27.noarch
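The denials quoted in this comment share one signature: `container_t` denied `write` on `cgroup_t` objects with `permissive=0`. As an added example (not part of the thread or of any Fedora tool), the Python code below parses such journal lines and groups them by source type, target type, class and permission; the function names are illustrative, the three AVC records are copied from the comment above, and the fourth sample line is constructed.

```python
import re
from collections import defaultdict

# The three AVC records are copied from the denials quoted in this thread;
# the last line is a constructed non-AVC audit record that must be ignored.
SAMPLE_JOURNAL = """\
Dec 13 16:33:34 micah-f27cloud-vm1213a.localdomain audit[1165]: AVC avc: denied { write } for pid=1165 comm="systemd" name="docker-4d7db7aeebe02c2e307c6fd117c0716a4ba815bc5cfbd443e2e152c63a111454.scope" dev="cgroup2" ino=1149 scontext=system_u:system_r:container_t:s0:c176,c382 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
Dec 13 16:39:33 micah-f27cloud-vm1213a.localdomain audit[1322]: AVC avc: denied { write } for pid=1322 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c315,c979 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Dec 13 16:39:33 micah-f27cloud-vm1213a.localdomain audit[1322]: AVC avc: denied { write } for pid=1322 comm="systemd" name="cgroup.procs" dev="cgroup" ino=629 scontext=system_u:system_r:container_t:s0:c315,c979 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Dec 13 16:39:40 host.example audit[1322]: SERVICE_START pid=1322 uid=0 msg='unit=httpd comm="systemd" res=success'
"""

# "avc: denied { perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    result, perms, rest = match.groups()
    record = {key: value.strip('"') for key, value in FIELD_RE.findall(rest)}
    record["result"] = result
    record["perms"] = perms.split()
    return record


def context_type(context):
    """Type field of an SELinux context written as user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(journal_text):
    """Map (source type, target type, class, permission) to the object names denied."""
    summary = defaultdict(set)
    for line in journal_text.splitlines():
        record = parse_avc(line)
        if record is None or record["result"] != "denied":
            continue
        for perm in record["perms"]:
            key = (
                context_type(record.get("scontext", "")),
                context_type(record.get("tcontext", "")),
                record.get("tclass", "?"),
                perm,
            )
            summary[key].add(record.get("name", "?"))
    return dict(summary)


def container_cgroup_denials(journal_text):
    """Enforced write denials from container_t on cgroup_t objects, the
    signature reported in this bug, as sorted (name, class, device) tuples."""
    hits = set()
    for line in journal_text.splitlines():
        record = parse_avc(line)
        if record is None or record["result"] != "denied":
            continue
        if (
            context_type(record.get("scontext", "")) == "container_t"
            and context_type(record.get("tcontext", "")) == "cgroup_t"
            and "write" in record["perms"]
            and record.get("permissive") == "0"
        ):
            hits.add((record.get("name", "?"), record.get("tclass", "?"), record.get("dev", "?")))
    return sorted(hits)


if __name__ == "__main__":
    for key, names in sorted(summarize_denials(SAMPLE_JOURNAL).items()):
        print(key, sorted(names))
    for hit in container_cgroup_denials(SAMPLE_JOURNAL):
        print("container_t write denied on cgroup object:", hit)
```

Feeding it `journalctl -b` output before and after a policy or hook update shows at a glance whether the same cgroup objects are still being denied.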
rpm -q oci-systemd-hook
Any message in dmesg about no support for labeling?
(In reply to Daniel Walsh from comment #19) > rpm -q oci-systemd-hook > Any message in dmesg about no support for labeling? Doesn't look like it. # rpm -q oci-systemd-hook oci-systemd-hook-0.1.13-1.gitafe4b4a.fc27.x86_64 # dmesg | grep label [ 0.125741] NetLabel: unlabeled traffic allowed by default [ 1.568726] SELinux: policy capability cgroup_seclabel=1 [ 1.605100] systemd[1]: Relabelled /dev and /run in 17.999ms. [ 911.098205] SELinux: policy capability cgroup_seclabel=1 [ 940.347369] SELinux: policy capability cgroup_seclabel=1 [ 1012.432674] SELinux: policy capability cgroup_seclabel=1 # journalctl -b | grep label Dec 13 16:23:49 localhost kernel: NetLabel: unlabeled traffic allowed by default Dec 13 16:23:50 micah-f27cloud-vm1213a.localdomain kernel: SELinux: policy capability cgroup_seclabel=1 Dec 13 16:23:50 micah-f27cloud-vm1213a.localdomain systemd[1]: Relabelled /dev and /run in 17.999ms. Dec 13 16:23:54 micah-f27cloud-vm1213a.localdomain dbus-daemon[428]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.8' (uid=0 pid=617 comm="hostnamectl --transient " label="system_u:system_r:dhcpc_t:s0") Dec 13 16:31:07 micah-f27cloud-vm1213a.localdomain dbus-daemon[428]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service' requested by ':1.21' (uid=0 pid=1048 comm="/usr/libexec/oci/hooks.d/oci-register-machine pres" label="system_u:system_r:container_runtime_t:s0") Dec 13 16:38:59 micah-f27cloud-vm1213a.localdomain kernel: SELinux: policy capability cgroup_seclabel=1 Dec 13 16:39:29 micah-f27cloud-vm1213a.localdomain kernel: SELinux: policy capability cgroup_seclabel=1 Dec 13 16:40:41 micah-f27cloud-vm1213a.localdomain kernel: SELinux: policy capability cgroup_seclabel=1 [root@micah-f27cloud-vm1213a ~]#
selinux-policy-3.13.1-283.18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
selinux-policy-3.13.1-283.19.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
The Fixed In Version docker-1.13.1-42.git4402c09.fc27 seems wrong for component selinux-policy.
selinux-policy-3.13.1-283.19.fc27.noarch does not fix this issue either.
Which commit in which repo is supposed to carry the fix?
(In reply to Jan Pazdziora from comment #23)
> The Fixed In Version docker-1.13.1-42.git4402c09.fc27 seems wrong for
> component selinux-policy.

Did that version of docker deliver a new container-selinux package with the fix in it?
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
The issue is still present with docker-1.13.1-44.git584d391.fc27.x86_64 selinux-policy-3.13.1-283.19.fc27.noarch oci-systemd-hook-0.1.15-1.git2d0b8a3.fc27.x86_64 The exact reproducer for bug 1520033 with container_manage_cgroup not set still fails.
Can you please clear the Fixed In Version field?
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Not fixed, reopening.
Lukas, What's the current status of this issue?
(In reply to Steve Milner from comment #33)
> Lukas,
>
> What's the current status of this issue?

Not fixed / unresolved.
I've just tried reproducing this on Fedora 27 that was installed today and updated. I did: #dnf install docker # rpm -qa | grep selinux selinux-policy-3.13.1-283.24.fc27.noarch # rpm -qa | grep docker docker-1.13.1-44.git584d391.fc27.x86_64 # rpm -qa | grep hook oci-systemd-hook-0.1.15-1.git2d0b8a3.fc27.x86_64 # cat Dockerfile FROM registry.fedoraproject.org/fedora:26 ENV container docker RUN dnf -y install httpd; dnf clean all; systemctl enable httpd STOPSIGNAL SIGRTMIN+3 EXPOSE 80 CMD [ "/sbin/init" ] # systemctl start docker # docker build . Sending build context to Docker daemon 10.24 kB Step 1/6 : FROM registry.fedoraproject.org/fedora:26 Trying to pull repository registry.fedoraproject.org/fedora ... sha256:f5da7776116ff89d4563cd668b5c87d84f5023300c1a235c537e2bd11d37bd39: Pulling from registry.fedoraproject.org/fedora f731d4d7fe41: Pull complete Digest: sha256:f5da7776116ff89d4563cd668b5c87d84f5023300c1a235c537e2bd11d37bd39 {Removed a lot of package install verbiage} Step 6/6 : CMD /sbin/init ---> Running in aed4e094ac22 ---> c64e10594dbc Removing intermediate container aed4e094ac22 Successfully built c64e10594dbc # docker run -p 80:80 httpd Unable to find image 'httpd:latest' locally Trying to pull repository docker.io/library/httpd ... sha256:643ca2ed9f6caf1f392184aee05a8f2cd478bdacbd350ea6b4dbc8f5b8e400a8: Pulling from docker.io/library/httpd f49cf87b52c1: Pull complete 02ca099fb6cd: Pull complete de7acb18da57: Pull complete 770c8edb393d: Pull complete 0e252730aeae: Pull complete 6288e83d58fa: Pull complete a91ad03b2178: Pull complete Digest: sha256:643ca2ed9f6caf1f392184aee05a8f2cd478bdacbd350ea6b4dbc8f5b8e400a8 Status: Downloaded newer image for docker.io/httpd:latest AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. 
Set the 'ServerName' directive globally to suppress this message [Wed Feb 14 19:39:46.454372 2018] [mpm_event:notice] [pid 1:tid 139902487709568] AH00489: Apache/2.4.29 (Unix) configured -- resuming normal operations [Wed Feb 14 19:39:46.455233 2018] [core:notice] [pid 1:tid 139902487709568] AH00094: Command line: 'httpd -D FOREGROUND' Which seems to be OK. On a second terminal, I did: # curl http://192.168.122.128:80 <html><body><h1>It works!</h1></body></html> And as that was invoked, this line was printed out on the first terminal: 192.168.122.128 - - [14/Feb/2018:19:45:33 +0000] "GET / HTTP/1.1" 200 45 Checking journalctl, I'm seeing no hits: # journalctl -b | grep 'avc: denied' # What you see above is all I did on the freshly installed machine. If I missed a step in configuration or installation, please let me know and I'll retry. Otherwise it seems to be working for me.
(In reply to Tom Sweeney from comment #35)
> # cat Dockerfile
> FROM registry.fedoraproject.org/fedora:26
> ENV container docker
> RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
> STOPSIGNAL SIGRTMIN+3
> EXPOSE 80
> CMD [ "/sbin/init" ]
>
> # systemctl start docker
> # docker build .
> Sending build context to Docker daemon 10.24 kB
> Step 1/6 : FROM registry.fedoraproject.org/fedora:26
> Trying to pull repository registry.fedoraproject.org/fedora ...
> sha256:f5da7776116ff89d4563cd668b5c87d84f5023300c1a235c537e2bd11d37bd39:
> Pulling from registry.fedoraproject.org/fedora
> f731d4d7fe41: Pull complete
> Digest:
> sha256:f5da7776116ff89d4563cd668b5c87d84f5023300c1a235c537e2bd11d37bd39
> {Removed a lot of package install verbiage}
> Step 6/6 : CMD /sbin/init
> ---> Running in aed4e094ac22
> ---> c64e10594dbc
> Removing intermediate container aed4e094ac22
> Successfully built c64e10594dbc

So you build a container with no tag? And then right below here you try to run 'httpd' which pulls from docker hub and runs (I'm pretty sure no systemd in that container). Is this really testing systemd in a container?

>
> # docker run -p 80:80 httpd
> Unable to find image 'httpd:latest' locally
> Trying to pull repository docker.io/library/httpd ...
> sha256:643ca2ed9f6caf1f392184aee05a8f2cd478bdacbd350ea6b4dbc8f5b8e400a8:
> Pulling from docker.io/library/httpd
> f49cf87b52c1: Pull complete
> 02ca099fb6cd: Pull complete
> de7acb18da57: Pull complete
> 770c8edb393d: Pull complete
> 0e252730aeae: Pull complete
> 6288e83d58fa: Pull complete
> a91ad03b2178: Pull complete
Dusty/Micah,

Thanks for the off-line info via IRC this morning. I've retested using

docker build -t syscontain .
docker run syscontain

I'm now seeing a hang. Without the 'setsebool -P container_manage_cgroup 1' in play, I'm seeing AVCs:

Feb 15 14:29:16 localhost.localdomain oci-systemd-hook[5928]: systemdhook <debug>: 2c5847668005: Found cgroup
Feb 15 14:29:16 localhost.localdomain oci-systemd-hook[5928]: systemdhook <debug>: 2c5847668005: PATH: /system.slice/docker-2c5847668005af5165ab2dd0e0654c340e8c972f018c175a5b362112bea1af6e.scope
Feb 15 14:29:16 localhost.localdomain oci-systemd-hook[5928]: systemdhook <debug>: 2c5847668005: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-2c5847668005af5165ab2dd0e0654c340e8c972f018c175a5b362112bea1af6e.scope
Feb 15 14:29:16 localhost.localdomain oci-systemd-hook[5928]: systemdhook <error>: 2c5847668005: Failed to set context system_u:object_r:container_file_t:s0:c587,c933 on /var/lib/docker/overlay2/58b0e47747376616120785928a54612bcbc44797f8212e5e5d56fd32ae9cd6c5/merged//sys/fs/cgroup/systemd/system.slice/docker-2c5847668005af5165ab2dd0e0654c340e8c972f018c175a5b362112bea1af6e.scope/..: Read-only file system
Feb 15 14:29:16 localhost.localdomain oci-umount[5929]: umounthook <debug>: prestart container_id:2c5847668005 rootfs:/var/lib/docker/overlay2/58b0e47747376616120785928a54612bcbc44797f8212e5e5d56fd32ae9cd6c5/merged qa:q
Feb 15 14:29:16 localhost.localdomain audit[5915]: AVC avc: denied { write } for pid=5915 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c587,c933 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Feb 15 14:29:16 localhost.localdomain audit[5915]: AVC avc: denied { write } for pid=5915 comm="systemd" name="cgroup.procs" dev="cgroup" ino=1989 scontext=system_u:system_r:container_t:s0:c587,c933 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0

With the 'setsebool -P container_manage_cgroup 1' I'm only seeing some progress in the httpd server starting and it never appears to be responsive. This is slightly different than Micah I think. I did note a similar error in systemdhook for both.

Feb 15 14:33:32 localhost.localdomain oci-systemd-hook[6025]: systemdhook <debug>: 64917b89c788: Found cgroup
Feb 15 14:33:32 localhost.localdomain oci-systemd-hook[6025]: systemdhook <debug>: 64917b89c788: PATH: /system.slice/docker-64917b89c7883646fbfc06a3202f8e2d33422bf810c34a44c1fdd2d9c7bb3133.scope
Feb 15 14:33:32 localhost.localdomain oci-systemd-hook[6025]: systemdhook <debug>: 64917b89c788: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-64917b89c7883646fbfc06a3202f8e2d33422bf810c34a44c1fdd2d9c7bb3133.scope
Feb 15 14:33:32 localhost.localdomain oci-systemd-hook[6025]: systemdhook <error>: 64917b89c788: Failed to set context system_u:object_r:container_file_t:s0:c125,c750 on /var/lib/docker/overlay2/bb1f6866c4199203a79252042a06224e6e15f3c5f07390a099b5231d6b2f11e0/merged//sys/fs/cgroup/systemd/system.slice/docker-64917b89c7883646fbfc06a3202f8e2d33422bf810c34a44c1fdd2d9c7bb3133.scope/..: Read-only file system
Feb 15 14:33:32 localhost.localdomain oci-umount[6026]: umounthook <debug>: prestart container_id:64917b89c788 rootfs:/var/lib/docker/overlay2/bb1f6866c4199203a79252042a06224e6e15f3c5f07390a099b5231d6b2f11e0/merged

More digging, thanks again for the earlier info
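An added triage example, not part of the original comment: it parses the two AVC records quoted above and groups them by source type, target type, class and permission, which shows at a glance that `container_t` was denied `write` on `cgroup_t` files. The function names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the comment above, one record per line.
LOG = """\
Feb 15 14:29:16 localhost.localdomain audit[5915]: AVC avc: denied { write } for pid=5915 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c587,c933 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Feb 15 14:29:16 localhost.localdomain audit[5915]: AVC avc: denied { write } for pid=5915 comm="systemd" name="cgroup.procs" dev="cgroup" ino=1989 scontext=system_u:system_r:container_t:s0:c587,c933 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def summarize(log):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # An SELinux context is user:role:type:level; the type is field 3.
        src = rec["scontext"].split(":")[2]
        tgt = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            groups[(src, tgt, rec["tclass"], perm)].add(rec.get("name", "?"))
    return {key: sorted(names) for key, names in groups.items()}


if __name__ == "__main__":
    for key, names in summarize(LOG).items():
        print(key, names)
```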
(In reply to Tom Sweeney from comment #37)
>
> More digging, thanks again for the earlier info

no problem.. did you make any progress today?
Nope, unfortunately no smoking gun yet.
Moving to oci-systemd-hook. After discussion with Dan Walsh, oci-systemd-hook should set the correct label on cgroups.
Just a quick note, Dan spotted that it looks like oci-systemd-hook was setting the labels correctly on one directory tree, but not a few others that were needed. I'm working up a fix now, hope to have it out tomorrow.
Correct. Running a test with podman we see all of the scopes that systemd might want to write to. We were only labeling the systemd one, all of these directories need to be labeled correctly.

cat /proc/self/cgroup
11:hugetlb:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
10:freezer:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
9:blkio:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
8:cpu,cpuacct:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
7:net_cls,net_prio:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
6:pids:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
5:cpuset:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
4:memory:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
3:devices:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
2:perf_event:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
1:name=systemd:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
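An added audit example, not part of the thread and not oci-systemd-hook's own code: it turns `/proc/self/cgroup` output like the listing above into one directory per hierarchy and reports which of them lack the `container_file_t` type that the hook's error message shows it trying to set. The function names, the `/sys/fs/cgroup/<controller>` mount layout and the sample container ID are assumptions.

```python
import os

# Constructed sample in /proc/self/cgroup format (cgroup v1); "c0ffee" is a
# placeholder container ID, not a value from the bug report.
SAMPLE = """\
4:memory:/libpod_parent/libpod-conmon-c0ffee/c0ffee
3:cpu,cpuacct:/libpod_parent/libpod-conmon-c0ffee/c0ffee
2:net_cls,net_prio:/libpod_parent/libpod-conmon-c0ffee/c0ffee
1:name=systemd:/libpod_parent/libpod-conmon-c0ffee/c0ffee
"""


def cgroup_dirs(text, root="/sys/fs/cgroup"):
    """Map each hierarchy to its directory, assuming systemd's usual v1 mounts."""
    dirs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Format is ID:controllers:path; split at most twice to keep the path whole.
        _id, controllers, path = line.split(":", 2)
        if controllers.startswith("name="):
            mount = controllers[len("name="):]  # name=systemd -> systemd
        else:
            mount = controllers  # empty on cgroup v2 (unified hierarchy)
        full = os.path.join(root, mount, path.lstrip("/"))
        dirs[controllers or "unified"] = os.path.normpath(full)
    return dirs


def selinux_type(path):
    """Return the SELinux type of path, e.g. 'cgroup_t' (Linux only)."""
    raw = os.getxattr(path, "security.selinux")
    return raw.rstrip(b"\0").decode().split(":")[2]


def mislabeled(dirs, expected="container_file_t", get_type=selinux_type):
    """Return {hierarchy: actual type} for directories without the expected type."""
    bad = {}
    for controller, path in dirs.items():
        try:
            actual = get_type(path)
        except OSError as exc:
            actual = "unreadable: " + (exc.strerror or "error")
        if actual != expected:
            bad[controller] = actual
    return bad


if __name__ == "__main__":
    with open("/proc/self/cgroup") as fh:
        for name, actual in mislabeled(cgroup_dirs(fh.read())).items():
            print(f"{name}: {actual}")
```

Run inside the container it audits that container's own cgroup directories; `get_type` is injectable so the check can be exercised without SELinux.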
any updates?
Unfortunately still digging. We've made progress, the logs were showing a number of AVCs and a read-only error. Dan spotted a probable cause and I put a patch together to address it. It took care of the read-only error and the AVCs, but now we've run into other AVCs that we're trying to figure out. The httpd server is responsive now, but no output is being put out on the terminal where the container is running.
Thanks Tom.. Anything new since then?
Besides headbanging on the keyboard, not much more to report. I spent the past couple of days toggling a number of files via oci-systemd-mount to try and kill the AVCs that are going on. At the moment the httpd server is up and responsive, but no output is being shown on the terminal that it's being run from. I've got four or five AVCs that I keep chasing, but it's a bit like the kid at the dike in Amsterdam. I seem to cure one and another one or two pops. I talked with Dan briefly this morning; he thinks the latest container-selinux kit might fix the issues I'm trying to run down. I just finished installing that on my test VM and I've run into yet another issue and can't right that at the moment. Going to try on a fresh VM with the latest container-selinux kit and see if that gives us different results.
Quick update. Dan and I found that there's a kernel issue. The patch that we've put together for oci-systemd-hook sets the directories permissions appropriately, but the kernel is not letting the perms propagate down the tree as they should. Dan's putting together a separate BZ and we'll link it here once it's put together.
(In reply to Tom Sweeney from comment #47)
> Quick update. Dan and I found that there's a kernel issue. The patch that
> we've put together for oci-systemd-hook sets the directories permissions
> appropriately, but the kernel is not letting the perms propagate down the
> tree as they should.
> Dan's putting together a separate BZ and we'll link it here once it's put
> together.

Was the separate BZ ever opened?
https://bugzilla.redhat.com/show_bug.cgi?id=1553803
oci-systemd-hook-0.1.16-1.git05bd9a0.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-70716263e7
oci-systemd-hook-0.1.16-1.git05bd9a0.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f239057b7b
oci-systemd-hook-0.1.16-1.git05bd9a0.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f239057b7b
oci-systemd-hook-0.1.16-1.git05bd9a0.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-70716263e7
oci-systemd-hook-0.1.16-1.git05bd9a0.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
oci-systemd-hook-0.1.16-1.git05bd9a0.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.