
[19.03 backport] docker-ce.spec: bump container-selinux req #340

Closed
kolyshkin wants to merge 1 commit into docker:19.03 from kolyshkin:19.03-bump-container-selinux

Conversation

@kolyshkin (Contributor)

Recent runc now requires container-selinux >= 2.95 for write access
to /proc/self/attr/keycreate. In case of older version, the error is:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"write /proc/self/attr/keycreate: permission denied\"": unknown.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 9606895c37f68b06fc88a44801f5e7f49f927857)

@kolyshkin (Contributor, Author)

PR to master is #339
More details at moby/moby#39109

kolyshkin changed the title from "[19.03 backport] docker-ce.spec: up req for container-selinux" to "[19.03 backport] docker-ce.spec: bump container-selinux req" on Jun 9, 2019
@kolyshkin (Contributor, Author)

@thaJeztah @seemethere PTAL

@thaJeztah (Member)

@clemenko could you double-check? I think there was a separate regression in that package (exposed ports being blocked) that required downgrading (or do versions > 2.95 work as well?)

@clemenko

This also applies to the 19.03.0-rc2.

[root@beta-a105 ~]# docker -v
Docker version 19.03.0-rc2, build 674d742
[root@beta-a105 ~]# getenforce 
Enforcing
[root@beta-a105 ~]# ucp_ver=docker/ucp:3.2.0-beta4
[root@beta-a105 ~]# yum list|grep container-selinux
container-selinux.noarch                    2:2.95-2.el7_6             @extras  
[root@beta-a105 ~]# docker run --rm -i --name ucp  -v /var/run/docker.sock:/var/run/docker.sock $ucp_ver install --host-address $controller1 --admin-password $password --san ucp.dockr.life --force-minimums 
standard_init_linux.go:211: exec user process caused "permission denied"
[root@beta-a105 ~]# cat /etc/docker/daemon.json |grep selinux
 "selinux-enabled": true, 

and downgrading works.

[root@beta-a105 ~]# yum list|grep container-selinux
container-selinux.noarch                    2:2.74-1.el7               @extras  
container-selinux.noarch                    2:2.95-2.el7_6             extras   
[root@beta-a105 ~]# docker run --rm -i --name ucp  -v /var/run/docker.sock:/var/run/docker.sock $ucp_ver install --host-address $controller1 --admin-password $password --san ucp.dockr.life --force-minimums 
time="2019-06-10T13:12:02Z" level=info msg="Your Docker daemon version 19.03.0-rc2, build 674d742 (3.10.0-957.12.2.el7.x86_64) is compatible with UCP 3.2.0-beta4 (93be304)"
time="2019-06-10T13:12:02Z" level=info msg="Initializing New Docker Swarm"

@clemenko

Actually downgrading does not work.

[root@beta-a105 ~]# docker -v
Docker version 19.03.0-rc2, build 674d742
[root@beta-a105 ~]# cat /etc/docker/daemon.json |grep selinux
 "selinux-enabled": true, 
[root@beta-a105 ~]# getenforce 
Enforcing
[root@beta-a105 ~]# docker run --rm -i --name ucp  -v /var/run/docker.sock:/var/run/docker.sock $ucp_ver install --host-address $controller1 --admin-password $password --san ucp.dockr.life --force-minimums 
time="2019-06-10T13:20:26Z" level=info msg="Your Docker daemon version 19.03.0-rc2, build 674d742 (3.10.0-957.12.2.el7.x86_64) is compatible with UCP 3.2.0-beta4 (93be304)"
time="2019-06-10T13:20:26Z" level=warning msg="Your system does not have enough memory. UCP suggests a minimum of 4.00 GB, but you only have 3.88 GB. You may have unexpected errors."
time="2019-06-10T13:20:28Z" level=info msg="Checking required ports for connectivity"
time="2019-06-10T13:20:42Z" level=info msg="Checking required container images"
time="2019-06-10T13:20:42Z" level=info msg="Running install agent container ..."
time="2019-06-10T13:20:42Z" level=fatal msg="unable to start container ucp-installer: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused \"process_linux.go:430: container init caused \\\"write /proc/self/attr/keycreate: permission denied\\\"\": unknown"
[root@beta-a105 ~]# yum list|grep container-selinux
container-selinux.noarch                    2:2.74-1.el7               @extras  
container-selinux.noarch                    2:2.95-2.el7_6             extras  

even with the --security-opt label=disable.

[root@beta-a105 ~]# docker run --rm -i --name ucp  -v /var/run/docker.sock:/var/run/docker.sock --security-opt label=disable $ucp_ver install --host-address $controller1 --admin-password $password --san ucp.dockr.life --force-minimums 
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"write /proc/self/attr/keycreate: permission denied\"": unknown.

@seemethere (Contributor) left a comment

LGTM but do note that container-selinux >= 2.95 is not yet released for fedora 28:

❯ docker run --rm -it fedora:28 sh -c 'dnf list --showduplicates container-selinux | tail -1'
container-selinux.noarch            2:2.85-1.git92af7fd.fc28             updates

@kolyshkin (Contributor, Author)

OK this does not seem to be the fix. To my best understanding, the fix belongs to the kernel (see https://bugzilla.redhat.com/show_bug.cgi?id=1719067), and the workaround belongs to runc (see opencontainers/runc#2070)

kolyshkin closed this on Jun 11, 2019
@tao12345666333 (Contributor)

> do note that container-selinux >= 2.95 is not yet released for fedora 28:

@seemethere fedora 28 is EOL. https://fedoramagazine.org/fedora-28-end-of-life/ I also recently upgraded the system from fedora 28 to 29. ref: moby/moby#39109 (comment)
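The spec change under discussion expresses a package constraint, `container-selinux >= 2.95`, and the thread shows what that constraint is compared against: `yum list` output with an RPM epoch and release attached ("2:2.95-2.el7_6", "2:2.85-1.git92af7fd.fc28"). The script below is an added example, not code from this PR or from docker-ce; it reduces such strings to the bare version and applies the same `>=` gate, so an operator can run it as a pre-upgrade check or as a first triage step when the keycreate "permission denied" error shows up. The sample lines are constructed from the formats seen above, the `--live` mode assumes an RPM-based host with `rpm` and `awk` available, and the script name and function names are mine. Note the thread's own conclusion: the version bump turned out not to be the fix (the bug was in the kernel, with a workaround in runc), so a passing check rules out one cause but does not prove the keycreate write will succeed.

```shell
#!/bin/sh
# Added example (not part of the PR): apply the `container-selinux >= 2.95`
# requirement to package data in the format `yum list` / `rpm -q` print.
# Sample lines below are constructed; names are this example's own.

REQUIRED_CONTAINER_SELINUX="2.95"

# Reduce an RPM version string such as "2:2.95-2.el7_6" (yum list) or
# "(none):2.95-2.el7_6" (rpm --qf with no epoch) to the bare upstream version,
# since `Requires: container-selinux >= 2.95` is compared on that part.
pkg_version() {
    v="${1#*:}"                # drop the epoch prefix
    printf '%s\n' "${v%%-*}"   # drop the release suffix
}

# Return 0 when $1 >= $2, comparing dot-separated components numerically
# (so 2.107 ranks above 2.95, which a plain string compare would get wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Take one `yum list`-style line for container-selinux and decide whether
# that installed or candidate build satisfies the requirement.
container_selinux_ok() {
    ver=$(pkg_version "$(printf '%s\n' "$1" | awk '{ print $2 }')")
    version_ge "$ver" "$REQUIRED_CONTAINER_SELINUX"
}

# Constructed sample lines in the format quoted in the thread.
SAMPLE_EL7='container-selinux.noarch   2:2.95-2.el7_6   @extras'
SAMPLE_FC28='container-selinux.noarch   2:2.85-1.git92af7fd.fc28   updates'

# Live mode: `sh check-container-selinux.sh --live` on an RPM-based host.
if [ "${1:-}" = "--live" ]; then
    installed=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' container-selinux 2>/dev/null) || {
        echo "container-selinux is not installed"; exit 2; }
    if version_ge "$(pkg_version "$installed")" "$REQUIRED_CONTAINER_SELINUX"; then
        echo "container-selinux $installed satisfies >= $REQUIRED_CONTAINER_SELINUX"
    else
        echo "container-selinux $installed is older than $REQUIRED_CONTAINER_SELINUX"; exit 1
    fi
fi
```

The comparison deliberately ignores epoch and release: the spec requirement names only the upstream version, and the failing Fedora 28 case in seemethere's comment (2.85) is decided by the version component alone. On a host where the check passes but containers still fail with the keycreate error, the thread points at the kernel bug and the runc workaround rather than at the package.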
