On Sep 12, 2016 2:45 PM, "Daniel J Walsh" <dwa...@redhat.com> wrote:
>
>
> On 09/11/2016 12:35 AM, Dusty Mabe wrote:
> > In Fedora 25 I grabbed the new kernel with overlayfs support [1] and I
> > configured docker to run with overlayfs by using
> > DOCKER_STORAGE_OPTIONS="--storage-driver=overlay2"
> > in /etc/sysconfig/docker-storage.
> >
> > [1] https://kojipkgs.fedoraproject.org//packages/kernel/4.8.0/0.rc5.git4.1.fc25/x86_64/kernel-core-4.8.0-0.rc5.git4.1.fc25.x86_64.rpm
> >
> >
> > Trying to start up some containers now and getting some errors:
> >
> > ```
> > [root@cloudhost ~]# docker run -it --rm centos:7
> > standard_init_linux.go:175: exec user process caused "permission denied"
> > ```
> >
> > The journal output shows me:
> >
> > ```
> > Sep 11 03:28:53 cloudhost.localdomain systemd[1]: Started docker container 384a8d8b06c8895583b477a15bcfbe5864cdfa96c2c0f75efb752bb1022b562b.
> > Sep 11 03:28:53 cloudhost.localdomain kernel: SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue)
> > Sep 11 03:28:53 cloudhost.localdomain kernel: eth0: renamed from veth42eaf25
> > Sep 11 03:28:53 cloudhost.localdomain kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth67c0994: link becomes ready
> > Sep 11 03:28:53 cloudhost.localdomain kernel: docker0: port 1(veth67c0994) entered blocking state
> > Sep 11 03:28:53 cloudhost.localdomain kernel: docker0: port 1(veth67c0994) entered forwarding state
> > Sep 11 03:28:53 cloudhost.localdomain oci-register-machine[1353]: 2016/09/11 03:28:53 Register machine: prestart 384a8d8b06c8895583b477a15bcfbe5864cdfa96c2c0f75efb752bb1022b562b 1336 /var/lib/docker/overlay2/e282c2e4f395fc9146152525394f428a0e05d7bd23022411b9dec5372624ce8c/merged
> > Sep 11 03:28:53 cloudhost.localdomain systemd-machined[1102]: New machine 384a8d8b06c8895583b477a15bcfbe58.
> > Sep 11 03:28:53 cloudhost.localdomain oci-systemd-hook[1357]: systemdhook <debug>: Skipping as container command is /bin/bash, not init or systemd
> > Sep 11 03:28:53 cloudhost.localdomain systemd[1]: libcontainer-1360-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
> > Sep 11 03:28:53 cloudhost.localdomain systemd[1]: libcontainer-1360-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
> > Sep 11 03:28:53 cloudhost.localdomain audit[1336]: AVC avc: denied { entrypoint } for pid=1336 comm="exe" path="/usr/bin/bash" dev="overlay" ino=19026 scontext=system_u:system_r:svirt_lxc_net_t:s0:c130,c692 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0
> > Sep 11 03:28:53 cloudhost.localdomain dockerd[875]: [73B blob data]
> > Sep 11 03:28:53 cloudhost.localdomain systemd-machined[1102]: Machine 384a8d8b06c8895583b477a15bcfbe58 terminated.
> > ```
> >
> > Some more information:
> >
> > ```
> > [root@cloudhost ~]# rpm -q kernel-core docker selinux-policy
> > kernel-core-4.8.0-0.rc5.git4.1.fc25.x86_64
> > docker-1.12.1-10.git9a3752d.fc25.x86_64
> > selinux-policy-3.13.1-211.fc25.noarch
> > [root@cloudhost ~]# docker info
> > Containers: 0
> >  Running: 0
> >  Paused: 0
> >  Stopped: 0
> > Images: 2
> > Server Version: 1.12.1
> > Storage Driver: overlay2
> >  Backing Filesystem: extfs
> > Logging Driver: journald
> > Cgroup Driver: systemd
> > Plugins:
> >  Volume: local
> >  Network: null host bridge overlay
> > Swarm: inactive
> > Runtimes: oci runc
> > Default Runtime: oci
> > Security Options: seccomp selinux
> > Kernel Version: 4.8.0-0.rc5.git1.1.fc25.x86_64
> > Operating System: Fedora 25 (Cloud Edition)
> > OSType: linux
> > Architecture: x86_64
> > Number of Docker Hooks: 2
> > CPUs: 2
> > Total Memory: 3.859 GiB
> > Name: cloudhost.localdomain
> > ID: 4D6B:PZJU:4DF4:BUAW:3H3X:ILC3:MQ4V:2WWU:PWDQ:DMOA:TADT:EOKK
> > Docker Root Dir: /var/lib/docker
> > Debug Mode (client): false
> > Debug Mode (server): false
> > Registry: https://index.docker.io/v1/
> > Insecure Registries:
> >  127.0.0.0/8
> > Registries: docker.io (secure)
> > ```
> >
> >
> > If I setenforce 0, it works.
> >
> > Can someone else confirm the behavior? Should I open a bug?
> >
> > Dusty
>
> You need an updated docker-selinux package. In Rawhide we are running with
> docker-1.12.1-20.git2649fe1.fc26.x86_64
>
> We need this update for F25.
>
> If you use
>
> grep entrypoint /var/log/audit/audit.log | audit2allow -M myoverlay
> semodule -i myoverlay.pp
>
> it should fix the problem for you.
>
> Lokesh and/or Antonio, can you get an updated version of docker built in F25 to match the one in Rawhide?
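The `grep entrypoint ... | audit2allow -M myoverlay` workaround above takes the AVC denial from the journal and turns it into a local policy module that allows exactly the denied access. The following is an added example, not code from the thread, from Fedora or from docker-selinux: it parses AVC records in `/var/log/audit/audit.log` format, recognizes the specific denial Dusty hit (container domain `svirt_lxc_net_t` denied `entrypoint` on a `docker_var_lib_t` file, here `/usr/bin/bash` on the overlay mount), and writes out the type-enforcement source in the shape `audit2allow -M` produces. The AVC fields are copied from the journal line in the message; the `audit(...)` timestamp, the accompanying SYSCALL record and the module name `myoverlay` are constructed for the sample.

```python
"""Parse SELinux AVC denials and derive the allow rule audit2allow would write.

Added example for the thread above, not part of docker-selinux or audit2allow.
"""
import re

# Constructed sample in /var/log/audit/audit.log format.  The AVC fields are
# taken from the journal output in the thread; the timestamp and the SYSCALL
# record are made up so the filter has a non-AVC record to skip.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1473564533.512:201): arch=c000003e syscall=59 success=no exit=-13 comm="exe"
type=AVC msg=audit(1473564533.512:201): avc:  denied  { entrypoint } for  pid=1336 comm="exe" path="/usr/bin/bash" dev="overlay" ino=19026 scontext=system_u:system_r:svirt_lxc_net_t:s0:c130,c692 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict describing an AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "path": fields.get("path"),
        # permissive=0 means the access was actually blocked, which matches
        # the "permission denied" the container saw and setenforce 0 fixing it.
        "enforced": fields.get("permissive") == "0",
    }


def parse_audit_log(text):
    return [d for d in map(parse_avc, text.splitlines()) if d is not None]


def is_overlay_entrypoint_denial(d):
    """Signature of the failure in the thread: the container domain is refused
    a file labeled docker_var_lib_t (the overlay2 'merged' tree) as its entrypoint."""
    return (d["tclass"] == "file" and "entrypoint" in d["perms"]
            and d["source_type"] == "svirt_lxc_net_t"
            and d["target_type"] == "docker_var_lib_t")


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def audit2allow_te(denials, module="myoverlay"):
    """Build .te source in the shape `audit2allow -M <module>` emits: one allow
    rule per (source type, target type, class) with the union of denied perms."""
    rules = {}
    for d in denials:
        key = (d["source_type"], d["target_type"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = {}
    for (_, _, c), perms in rules.items():
        classes.setdefault(c, set()).update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items(), key=lambda kv: kv[0]):
        out.append(f"allow {s} {t}:{c} {_fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for d in found:
        tag = "overlay entrypoint bug" if is_overlay_entrypoint_denial(d) else "other"
        print(f"{tag}: {d['source_type']} -> {d['target_type']}:{d['tclass']} {d['perms']}")
    print(audit2allow_te(found))
```

The generated rule is exactly as broad as the denial: it lets every `svirt_lxc_net_t` container execute any `docker_var_lib_t` file as its entrypoint, which is why Dan presents it as a stopgap until the updated docker-selinux package lands in F25. When triaging, check `enforced` as well as the types: a denial logged with `permissive=1` was not actually blocked and would not explain a container failing to start.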
I submitted an update for F25 two days ago which contains the fix needed: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d372e43d2a