https://bugzilla.redhat.com/show_bug.cgi?id=1230192
Bug ID: 1230192
Summary: Docker fails mounting a volume as readonly on files located under /usr
Product: Layered Product Common for RHEL 7
Version: RHEL 7.1
Component: distribution
Assignee: [email protected]
Reporter: [email protected]
Depends On: 1216151
Blocks: 1221688
Group: redhat
+++ This bug was initially created as a clone of Bug #1216151 +++
Description of problem:
Docker fails to run a container with a volume on files located under /usr (or
on symbolic links to files located under /usr) if the ":ro" specification is
used to mount it as readonly.
Version-Release number of selected component (if applicable):
docker-io-1.6.0-2.git3eac457.fc21.x86_64
How reproducible: 100%
Steps to Reproduce:
1. install docker package docker-io-1.6.0-2.git3eac457.fc21.x86_64
2. restart the docker service
3. run the following command
docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
Actual results:
get exit code 1
and message FATA[0000] Error response from daemon: Cannot start container
4bb87515e4eb828b295eb4718a7159c958a1154ed839b29fd213a597b91a200e: [8] System
error: Relabeling content in /usr is not allowed.
Expected results:
get exit code 0
and message "hello"
Additional info:
Please refer to the initial bug report in the docker repository on GitHub:
https://github.com/docker/docker/issues/12811
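Added example (not part of the bug report and not Docker's code): a pre-flight check for the condition described above, a ":ro" bind mount whose source resolves, after following symlinks, to a path under /usr. The function name volume_hits_usr and its optional prefix argument are hypothetical; it assumes the src:dst[:opts] form of -v shown in the report and a readlink that supports -f.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Docker.
# volume_hits_usr SPEC [PREFIX]   (hypothetical helper)
#   SPEC   a docker -v argument in the form src:dst[:opts]
#   PREFIX tree to test against; defaults to /usr as in the report
# Returns 0 and prints the resolved source when the mount is read-only
# and the source, after following symlinks, lies under PREFIX.
volume_hits_usr() {
    spec=$1
    prefix=$(readlink -f -- "${2:-/usr}") || return 2

    src=${spec%%:*}
    rest=${spec#*:}
    [ "$rest" != "$spec" ] || return 1        # no ':' at all, not src:dst
    case $src in /*) ;; *) return 1 ;; esac   # not an absolute host path

    case $rest in
        *:*) opts=${rest#*:} ;;               # text after dst
        *)   opts= ;;                         # plain src:dst
    esac
    case ",$opts," in
        *,ro,*) ;;                            # the case the report covers
        *) return 1 ;;
    esac

    # /etc/localtime is typically a symlink into /usr/share/zoneinfo,
    # so the check has to run on the resolved path, not the one typed.
    real=$(readlink -f -- "$src") || return 1
    case $real in
        "$prefix"|"$prefix"/*) printf '%s\n' "$real"; return 0 ;;
    esac
    return 1
}

# Stand-alone use: pass one or more -v specs as arguments.
for spec_arg in "$@"; do
    if hit=$(volume_hits_usr "$spec_arg"); then
        echo "affected: $spec_arg (resolves to $hit)"
    else
        echo "ok:       $spec_arg"
    fi
done
```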
--- Additional comment from colin on 2015-05-12 17:48:40 EDT ---
I see this also on F22
[root@kvm124 ~]# rpm -q docker
docker-1.6.0-3.git9d26a07.fc22.x86_64
This no longer works
docker run -d --sig-proxy --name $CT_name --net=none \
-v /etc/localtime:/etc/localtime:ro \
Editing out the :ro stops the failure
docker run -d --sig-proxy --name $CT_name --net=none \
-v /etc/localtime:/etc/localtime \
FATA[0000] Error response from daemon: Cannot start container
925387bd2b2988b1a10ff87e68e188f3a579e68d3d5fc1f31d40a648cd9cb6d2: [8] System
error: Relabeling content in /usr is not allowed.
--- Additional comment from Yann Robert on 2015-05-20 05:09:21 EDT ---
Hi, is there any news on this?
docker 1.6.0 on CentOS is working fine with:
# rpm -q docker
docker-1.6.0-11.0.1.el7.centos.x86_64
It still does not work on Fedora with:
$ rpm -q docker-io
docker-io-1.6.0-4.git350a636.fc21.x86_64
--- Additional comment from Derek Carr on 2015-05-26 20:47:55 EDT ---
I am working on moving the Vagrant environment for Kubernetes to Fedora 21.
Kubernetes runs the master services in pods that mount in /usr.
To get around this problem, I have to disable SELinux on the master server, but
would like to avoid having to do that if possible.
--- Additional comment from Patryk Kubiak on 2015-06-03 06:25:02 EDT ---
It does not work on CentOS 7 either, with docker 1.6.0 from the EPEL repo:
$ rpm -qi docker
Name : docker
Version : 1.6.0
Release : 11.0.1.el7.centos
Architecture: x86_64
Install Date: Wed 03 Jun 2015 11:15:06 AM CEST
Group : Unspecified
Size : 33835427
License : ASL 2.0
Signature : RSA/SHA256, Thu 14 May 2015 01:50:02 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM : docker-1.6.0-11.0.1.el7.centos.src.rpm
Build Date : Thu 14 May 2015 01:47:06 AM CEST
Build Host : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://www.docker.com
Summary : Automates deployment of containerized applications
$ docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
Unable to find image 'busybox:latest' locally
latest: Pulling from docker.io/busybox
cf2616975b4a: Pull complete
6ce2e90b0bc7: Pull complete
8c2e06607696: Already exists
docker.io/busybox:latest: The image you are pulling has been verified.
Important: image verification is a tech preview feature and should not be
relied on to provide security.
Digest: sha256:38a203e1986cf79639cfb9b2e1d6e773de84002feea2d4eb006b52004ee8502d
Status: Downloaded newer image for docker.io/busybox:latest
Timestamp: 2015-06-03 12:16:19.569470822 +0200 CEST
Code: System error
Message: Relabeling content in /usr is not allowed.
Frames:
---
0: setupRootfs
Package: github.com/docker/libcontainer
File: rootfs_linux.go@34
---
1: Init
Package: github.com/docker/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@52
---
2: StartInitialization
Package: github.com/docker/libcontainer.(*LinuxFactory)
File: factory_linux.go@223
---
3: initializer
Package: github.com/docker/docker/daemon/execdriver/native
File: init.go@35
---
4: FATA[0004] Error response from daemon: Cannot start container
a9e9dcf572b52fc40a8f6a802fe45e5e461e92a3d9c537cb8c5859e3bff9cc31: [8] System
error: Relabeling content in /usr is not allowed.
It requires removing the ":ro" flag in order to work properly.
--- Additional comment from Daniel Walsh on 2015-06-03 08:14:11 EDT ---
Should be fixed in docker-1.6.2
--- Additional comment from Patryk Kubiak on 2015-06-09 18:02:22 EDT ---
After upgrading to 1.6.2 from the virt7-testing repo
(http://wiki.centos.org/Cloud/Docker), the problem still seems to exist.
Trying to mount the following volume is still not possible:
-v /etc/localtime:/etc/localtime:ro
docker version:
Client version: 1.6.2.el7
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): c3ca5bb/1.6.2
OS/Arch (client): linux/amd64
Server version: 1.6.2.el7
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): c3ca5bb/1.6.2
OS/Arch (server): linux/amd64
The running test container was stopped & removed.
Then the docker service was restarted via systemctl.
A new container was started to verify the problem.
The problem still exists with version 1.6.2.
--- Additional comment from Daniel Walsh on 2015-06-10 08:20:19 EDT ---
Lokesh, I just fixed this issue in the docker-1.6.2 repo. Please rebuild for RHEL7,
Fedora 21, 22.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1216151
[Bug 1216151] Docker fails mounting a volume as readonly on files located under /usr
https://bugzilla.redhat.com/show_bug.cgi?id=1221688
[Bug 1221688] Docker fails mounting a volume as readonly on files located under /usr