https://bugzilla.redhat.com/show_bug.cgi?id=1216151
Bug ID: 1216151
Summary: Docker fails mounting a volume as readonly on files located under /usr
Product: Fedora
Version: 21
Component: docker-io
Assignee: ichavero@redhat.com
Reporter: yann.robert@anantaplex.fr
QA Contact: extras-qa@fedoraproject.org
CC: adimania@gmail.com, admiller@redhat.com, golang@lists.fedoraproject.org, hushan.jia@gmail.com, ichavero@redhat.com, jchaloup@redhat.com, jperrin@centos.org, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, miminar@redhat.com, s@shk.io, thrcka@redhat.com, vbatts@redhat.com
Description of problem:
Docker fails to run a container with a volume on files located under /usr (or on symbolic link to files located under /usr) if the ":ro" specification is used to mount it as readonly
Version-Release number of selected component (if applicable): docker-io-1.6.0-2.git3eac457.fc21.x86_64
How reproducible: 100%
Steps to Reproduce:
1. install docker package docker-io-1.6.0-2.git3eac457.fc21.x86_64
2. restart the docker service
3. run the following command
docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello

Actual results: get exit code 1 and the message
FATA[0000] Error response from daemon: Cannot start container 4bb87515e4eb828b295eb4718a7159c958a1154ed839b29fd213a597b91a200e: [8] System error: Relabeling content in /usr is not allowed.
Expected results: get exit code 0 and message "hello"
Additional info:
please refer to initial bug report on docker repository at github https://github.com/docker/docker/issues/12811
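The failure above is triggered by a bind-mount source that only reaches /usr through a symlink: the spec names /etc/localtime, but the daemon resolves it and then refuses to relabel anything under /usr. The following preflight check is an added example, not code from the bug report or from Docker: it resolves each host source of a -v spec through symlinks and reports the ones that land under /usr, separating specs that merely mount such a source from specs that additionally ask for relabeling (z/Z). It assumes, as is the case on Fedora, that /etc/localtime is a symlink into /usr/share/zoneinfo; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Docker itself.
# Preflight check for "docker run -v" volume specs: resolves each host
# source through symlinks (assumption: on Fedora /etc/localtime is a
# symlink into /usr/share/zoneinfo) and reports sources that end up
# under /usr, where the daemon refuses to relabel content.
# Function names are hypothetical. Usage: sh check_volumes.sh SPEC...

# Host path: first colon-separated field of "host:container[:opts]".
volume_host_path() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Mount options: third field, or empty when the spec has none.
volume_opts() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the options contain an explicit relabel request (z or Z).
opts_request_relabel() {
    case ",$1," in
        *,z,*|*,Z,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when the resolved path is /usr or lies beneath it.
path_under_usr() {
    case "$1" in
        /usr|/usr/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a spec given its already-resolved host path. Prints one of:
#   ok                  source outside /usr
#   usr-source          source under /usr, no relabel requested (the
#                       case this bug hit once ":ro" was added)
#   usr-source-relabel  source under /usr with z/Z; the daemon refuses this
classify_volume() {
    if path_under_usr "$2"; then
        if opts_request_relabel "$(volume_opts "$1")"; then
            echo usr-source-relabel
        else
            echo usr-source
        fi
    else
        echo ok
    fi
}

# Live check on this host: follow symlinks with readlink -f, then classify.
check_volume() {
    host=$(volume_host_path "$1")
    resolved=$(readlink -f -- "$host" 2>/dev/null) || resolved=$host
    printf '%s -> %s: %s\n' "$1" "$resolved" "$(classify_volume "$1" "$resolved")"
}

for spec in "$@"; do
    check_volume "$spec"
done
```

Run it with the same specs you pass to docker run, e.g. `sh check_volumes.sh /etc/localtime:/etc/localtime:ro`; a `usr-source` result on an affected daemon build is exactly the configuration this report describes, while `usr-source-relabel` will be refused by every build, so the source should be copied out of /usr rather than relabeled in place.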
colin bugzilla.redhat.com@trancecode.co.uk changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bugzilla.redhat.com@trancecode.co.uk

--- Comment #1 from colin bugzilla.redhat.com@trancecode.co.uk ---
I see this also on F22

[root@kvm124 ~]# rpm -q docker
docker-1.6.0-3.git9d26a07.fc22.x86_64

This no longer works:

docker run -d --sig-proxy --name $CT_name --net=none \
    -v /etc/localtime:/etc/localtime:ro \

Editing out the :ro stops the failure:

docker run -d --sig-proxy --name $CT_name --net=none \
    -v /etc/localtime:/etc/localtime \

FATA[0000] Error response from daemon: Cannot start container 925387bd2b2988b1a10ff87e68e188f3a579e68d3d5fc1f31d40a648cd9cb6d2: [8] System error: Relabeling content in /usr is not allowed.
Jake Hunsaker jhunsaker@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1221688
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1221688 [Bug 1221688] Docker fails mounting a volume as readonly on files located under /usr
--- Comment #2 from Yann Robert yann.robert@anantaplex.fr ---
Hi, is there any news on this?

docker 1.6.0 on CentOS is working fine with:
# rpm -q docker
docker-1.6.0-11.0.1.el7.centos.x86_64

it still does not work on Fedora with:
$ rpm -q docker-io
docker-io-1.6.0-4.git350a636.fc21.x86_64
Derek Carr decarr@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |decarr@redhat.com

--- Comment #3 from Derek Carr decarr@redhat.com ---
I am working on moving the Vagrant environment for Kubernetes to Fedora 21.
Kubernetes runs the master services in pods that mount in /usr
To get around this problem, I have to disable selinux on the master server, but would like to avoid having to do that if possible.
Patryk Kubiak patryk.kubiak@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |patryk.kubiak@gmail.com

--- Comment #4 from Patryk Kubiak patryk.kubiak@gmail.com ---
It does not work on CentOS 7 as well, with docker 1.6.0 from the EPEL repo:

$ rpm -qi docker
Name        : docker
Version     : 1.6.0
Release     : 11.0.1.el7.centos
Architecture: x86_64
Install Date: Wed 03 Jun 2015 11:15:06 AM CEST
Group       : Unspecified
Size        : 33835427
License     : ASL 2.0
Signature   : RSA/SHA256, Thu 14 May 2015 01:50:02 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : docker-1.6.0-11.0.1.el7.centos.src.rpm
Build Date  : Thu 14 May 2015 01:47:06 AM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem http://bugs.centos.org
Vendor      : CentOS
URL         : http://www.docker.com
Summary     : Automates deployment of containerized applications

$ docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
Unable to find image 'busybox:latest' locally
latest: Pulling from docker.io/busybox
cf2616975b4a: Pull complete
6ce2e90b0bc7: Pull complete
8c2e06607696: Already exists
docker.io/busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:38a203e1986cf79639cfb9b2e1d6e773de84002feea2d4eb006b52004ee8502d
Status: Downloaded newer image for docker.io/busybox:latest
Timestamp: 2015-06-03 12:16:19.569470822 +0200 CEST
Code: System error
Message: Relabeling content in /usr is not allowed.
Frames:
---
0: setupRootfs
Package: github.com/docker/libcontainer
File: rootfs_linux.go@34
---
1: Init
Package: github.com/docker/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@52
---
2: StartInitialization
Package: github.com/docker/libcontainer.(*LinuxFactory)
File: factory_linux.go@223
---
3: initializer
Package: github.com/docker/docker/daemon/execdriver/native
File: init.go@35
---
4: FATA[0004] Error response from daemon: Cannot start container a9e9dcf572b52fc40a8f6a802fe45e5e461e92a3d9c537cb8c5859e3bff9cc31: [8] System error: Relabeling content in /usr is not allowed.

The ":ro" flag has to be removed for it to work properly.
Daniel Walsh dwalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |dwalsh@redhat.com
Assignee|ichavero@redhat.com |lsm5@redhat.com

--- Comment #5 from Daniel Walsh dwalsh@redhat.com ---
Should be fixed in docker-1.6.2
--- Comment #6 from Patryk Kubiak patryk.kubiak@gmail.com ---
After upgrading to 1.6.2 from the virt7-testing repo (http://wiki.centos.org/Cloud/Docker) the problem still seems to exist:

Trying to mount the following volume is still not possible:
-v /etc/localtime:/etc/localtime:ro

docker version:
Client version: 1.6.2.el7
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): c3ca5bb/1.6.2
OS/Arch (client): linux/amd64
Server version: 1.6.2.el7
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): c3ca5bb/1.6.2
OS/Arch (server): linux/amd64

The running test container was stopped and removed. Then the docker service was restarted via systemctl. A new container was started to verify the problem. The problem still exists with version 1.6.2.
--- Comment #7 from Daniel Walsh dwalsh@redhat.com ---
Lokesh, I just fixed this issue in the docker-1.6.2 repo. Please rebuild for RHEL7, Fedora 21, 22.
Daniel Walsh dwalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1230192
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1230192 [Bug 1230192] Docker fails mounting a volume as readonly on files located under /usr
Lokesh Mandvekar lsm5@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1230192 |
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1230192 [Bug 1230192] Docker fails mounting a volume as readonly on files located under /usr
Lokesh Mandvekar lsm5@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1221688 |
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1221688 [Bug 1221688] Docker fails mounting a volume as readonly on files located under /usr
Daniel Walsh dwalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |CLOSED
Resolution|--- |CURRENTRELEASE
Last Closed| |2015-07-15 17:21:05
Yann Robert yann.robert@anantaplex.fr changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags| |needinfo?

--- Comment #8 from Yann Robert yann.robert@anantaplex.fr ---
The "Fedora 22 updates for x86_64" repository does not contain any 1.6.2 build.

# sudo dnf list docker --disableexcludes all
Last metadata expiration check performed 0:00:40 ago on Tue Jul 21 12:53:29 2015.
Installed Packages
docker.x86_64    1.6.0-3.git9d26a07.fc22    @System
Available Packages
docker.x86_64    1.7.0-6.git74e7a7a.fc22    updates
Daniel Walsh dwalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|needinfo? |

--- Comment #9 from Daniel Walsh dwalsh@redhat.com ---
It would also be fixed in docker-1.7
--- Comment #10 from Yann Robert yann.robert@anantaplex.fr ---
Unfortunately, docker-1.7 comes with its own batch of bugs. Would it be possible to publish docker-1.6.2 for Fedora 22 updates?
--- Comment #11 from Daniel Walsh dwalsh@redhat.com ---
Which bugs are you talking about with docker-1.7?
--- Comment #12 from Yann Robert yann.robert@anantaplex.fr ---
I just cannot use docker-1.7 because of
https://bugzilla.redhat.com/show_bug.cgi?id=1244124
https://github.com/docker/docker/issues/14396
--- Comment #13 from Daniel Walsh dwalsh@redhat.com ---
Ok, I have asked the firewalld team to look into this and see if they can fix it quickly. As soon as they have a fix, I will get it shipped into Fedora.
--- Comment #14 from Yann Robert yann.robert@anantaplex.fr ---
Thank you Daniel. However, I fear we are in a tunnel now. While we are waiting for a fix, a new major version will be released. When the fix is found, it will not be released because we should upgrade to the latest major version. So there will be no working docker-1.6.x binaries for Fedora 22?