https://bugzilla.redhat.com/show_bug.cgi?id=1230192
Bug ID: 1230192
Summary: Docker fails mounting a volume as readonly on files located under /usr
Product: Layered Product Common for RHEL 7
Version: RHEL 7.1
Component: distribution
Assignee: drieden@redhat.com
Reporter: dwalsh@redhat.com
CC: adimania@gmail.com, admiller@redhat.com, bugzilla.redhat.com@trancecode.co.uk, decarr@redhat.com, dustymabe@redhat.com, dwalsh@redhat.com, extras-qa@fedoraproject.org, golang@lists.fedoraproject.org, hushan.jia@gmail.com, ichavero@redhat.com, jchaloup@redhat.com, jperrin@centos.org, lhh@redhat.com, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, miminar@redhat.com, patryk.kubiak@gmail.com, s@shk.io, snagar@redhat.com, thrcka@redhat.com, vbatts@redhat.com, yann.robert@anantaplex.fr
Depends On: 1216151
Blocks: 1221688
Group: redhat
+++ This bug was initially created as a clone of Bug #1216151 +++
Description of problem:
Docker fails to run a container with a volume on files located under /usr (or on symbolic link to files located under /usr) if the ":ro" specification is used to mount it as readonly
Version-Release number of selected component (if applicable): docker-io-1.6.0-2.git3eac457.fc21.x86_64
How reproducible: 100%
Steps to Reproduce:
1. install docker package docker-io-1.6.0-2.git3eac457.fc21.x86_64
2. restart the docker service
3. run the following command:
   docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
Actual results:
exit code 1 and the message:
FATA[0000] Error response from daemon: Cannot start container 4bb87515e4eb828b295eb4718a7159c958a1154ed839b29fd213a597b91a200e: [8] System error: Relabeling content in /usr is not allowed.
Expected results:
exit code 0 and the message "hello"
Additional info:
please refer to initial bug report on docker repository at github https://github.com/docker/docker/issues/12811
--- Additional comment from colin on 2015-05-12 17:48:40 EDT ---
I see this also on F22
[root@kvm124 ~]# rpm -q docker
docker-1.6.0-3.git9d26a07.fc22.x86_64
This no longer works:
docker run -d --sig-proxy --name $CT_name --net=none \
  -v /etc/localtime:/etc/localtime:ro \
Editing out the :ro stops the failure:
docker run -d --sig-proxy --name $CT_name --net=none \
  -v /etc/localtime:/etc/localtime \
FATA[0000] Error response from daemon: Cannot start container 925387bd2b2988b1a10ff87e68e188f3a579e68d3d5fc1f31d40a648cd9cb6d2: [8] System error: Relabeling content in /usr is not allowed.
--- Additional comment from Yann Robert on 2015-05-20 05:09:21 EDT ---
Hi, is there any news on this?
docker 1.6.0 on CentOS is working fine with:
# rpm -q docker
docker-1.6.0-11.0.1.el7.centos.x86_64
it still does not work on Fedora with:
$ rpm -q docker-io
docker-io-1.6.0-4.git350a636.fc21.x86_64
--- Additional comment from Derek Carr on 2015-05-26 20:47:55 EDT ---
I am working on moving the Vagrant environment for Kubernetes to Fedora 21.
Kubernetes runs the master services in pods that mount in /usr
To get around this problem, I have to disable selinux on the master server, but would like to avoid having to do that if possible.
--- Additional comment from Patryk Kubiak on 2015-06-03 06:25:02 EDT ---
It does not work on CentOS 7 either, with docker 1.6.0 from the EPEL repo:
$ rpm -qi docker
Name        : docker
Version     : 1.6.0
Release     : 11.0.1.el7.centos
Architecture: x86_64
Install Date: Wed 03 Jun 2015 11:15:06 AM CEST
Group       : Unspecified
Size        : 33835427
License     : ASL 2.0
Signature   : RSA/SHA256, Thu 14 May 2015 01:50:02 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : docker-1.6.0-11.0.1.el7.centos.src.rpm
Build Date  : Thu 14 May 2015 01:47:06 AM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.docker.com
Summary     : Automates deployment of containerized applications
$ docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
Unable to find image 'busybox:latest' locally
latest: Pulling from docker.io/busybox
cf2616975b4a: Pull complete
6ce2e90b0bc7: Pull complete
8c2e06607696: Already exists
docker.io/busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:38a203e1986cf79639cfb9b2e1d6e773de84002feea2d4eb006b52004ee8502d
Status: Downloaded newer image for docker.io/busybox:latest
Timestamp: 2015-06-03 12:16:19.569470822 +0200 CEST
Code: System error
Message: Relabeling content in /usr is not allowed.
Frames:
---
0: setupRootfs
Package: github.com/docker/libcontainer
File: rootfs_linux.go@34
---
1: Init
Package: github.com/docker/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@52
---
2: StartInitialization
Package: github.com/docker/libcontainer.(*LinuxFactory)
File: factory_linux.go@223
---
3: initializer
Package: github.com/docker/docker/daemon/execdriver/native
File: init.go@35
---
4: FATA[0004] Error response from daemon: Cannot start container a9e9dcf572b52fc40a8f6a802fe45e5e461e92a3d9c537cb8c5859e3bff9cc31: [8] System error: Relabeling content in /usr is not allowed.
It requires removing the ":ro" flag in order to work properly.
--- Additional comment from Daniel Walsh on 2015-06-03 08:14:11 EDT ---
Should be fixed in docker-1.6.2
--- Additional comment from Patryk Kubiak on 2015-06-09 18:02:22 EDT ---
After upgrading to 1.6.2 from the virt7-testing repo (http://wiki.centos.org/Cloud/Docker), the problem still seems to exist:
Trying to mount the following volume is still not possible: -v /etc/localtime:/etc/localtime:ro
docker version:
Client version: 1.6.2.el7
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): c3ca5bb/1.6.2
OS/Arch (client): linux/amd64
Server version: 1.6.2.el7
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): c3ca5bb/1.6.2
OS/Arch (server): linux/amd64
The running test container was stopped and removed. Then the docker service was restarted via systemctl. A new container was started to verify the problem. The problem still exists with version 1.6.2.
--- Additional comment from Daniel Walsh on 2015-06-10 08:20:19 EDT ---
Lokesh, I just fixed this issue in the docker-1.6.2 repo. Please rebuild for RHEL 7, Fedora 21 and 22.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1216151 [Bug 1216151] Docker fails mounting a volume as readonly on files located under /usr
https://bugzilla.redhat.com/show_bug.cgi?id=1221688 [Bug 1221688] Docker fails mounting a volume as readonly on files located under /usr
Daniel Walsh dwalsh@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
Status           |NEW                         |ASSIGNED
Target Release   |---                         |7.2
Component        |distribution                |docker
Version          |RHEL 7.1                    |7.1
Assignee         |drieden@redhat.com          |dwalsh@redhat.com
Product          |Layered Product Common for  |Red Hat Enterprise Linux 7
                 |RHEL 7                      |
Target Milestone |---                         |rc
QA Contact       |                            |lsu@redhat.com
Red Hat Bugzilla Rules Engine rule-engine@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
Keywords         |                            |Extras
Lokesh Mandvekar lsm5@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
Depends On       |1216151                     |
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1216151 [Bug 1216151] Docker fails mounting a volume as readonly on files located under /usr
Lokesh Mandvekar lsm5@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
Status           |ASSIGNED                    |MODIFIED
Fixed In Version |                            |docker-1.6.2-9.el7
Lokesh Mandvekar lsm5@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
CC               |                            |jhunsaker@redhat.com
--- Comment #1 from Lokesh Mandvekar lsm5@redhat.com --- *** Bug 1221688 has been marked as a duplicate of this bug. ***
Martin Jenner mjenner@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
CC               |                            |mjenner@redhat.com
Subhendu Ghosh sghosh@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
CC               |                            |sghosh@redhat.com
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
Status           |MODIFIED                    |ON_QA
Luwen Su lsu@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
Status           |ON_QA                       |VERIFIED
--- Comment #3 from Luwen Su lsu@redhat.com ---
In docker-1.6.2-10.el7.x86_64,
# docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
hello
Move to verified
--- Doc Text *updated* by Daniel Walsh dwalsh@redhat.com ---
Cause:
Docker/SELinux code is blocking relabels of /usr, even if the user did not request a relabel.
Consequence:
Certain volume mounts of content under /usr are blocked and the container cannot run.
Fix:
Fix the check on relabeling.
Result:
Volumes under /usr can be mounted into the container.
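The decision the Doc Text describes, as an added example in Go that is not docker's code and is not part of this bug report: the protected-tree check belongs behind the "was a relabel actually requested" test, so that ":ro" on its own (the reproducer above, where /etc/localtime is a symlink into /usr/share/zoneinfo) is allowed through untouched, while an explicit z/Z relabel of /usr content is still refused. The mount-spec grammar, the list of protected trees, the prefix rule and the symlink resolver are assumptions chosen for illustration, not docker's actual implementation.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// BindMount is the parsed form of a "-v src:dst[:opts]" bind-mount spec.
type BindMount struct {
	Source      string
	Destination string
	ReadOnly    bool
	Relabel     string // "" (none), "z" (shared label) or "Z" (private label)
}

// ErrRelabelForbidden is returned when a relabel was requested on a host tree
// that must keep its own SELinux contexts.
var ErrRelabelForbidden = errors.New("relabeling content under a protected host tree is not allowed")

// protectedTrees is an assumed policy modelled on the error message in this
// bug, not docker's real exclusion list. "/" is matched exactly in
// underProtectedTree; these are matched as prefixes.
var protectedTrees = []string{"/usr", "/etc"}

// ParseBindSpec parses "src:dst[:opt[,opt...]]" where opt is ro, rw, z or Z
// (grammar assumed for this example). A single-element spec is an anonymous
// volume, not a bind mount, and is rejected.
func ParseBindSpec(spec string) (BindMount, error) {
	parts := strings.Split(spec, ":")
	if len(parts) < 2 || len(parts) > 3 {
		return BindMount{}, fmt.Errorf("not a bind-mount spec: %q", spec)
	}
	m := BindMount{Source: parts[0], Destination: parts[1]}
	if !filepath.IsAbs(m.Source) || !filepath.IsAbs(m.Destination) {
		return BindMount{}, fmt.Errorf("bind-mount paths must be absolute: %q", spec)
	}
	if len(parts) == 3 {
		for _, opt := range strings.Split(parts[2], ",") {
			switch opt {
			case "ro":
				m.ReadOnly = true
			case "rw":
				m.ReadOnly = false
			case "z", "Z":
				m.Relabel = opt
			default:
				return BindMount{}, fmt.Errorf("unknown mount option %q in %q", opt, spec)
			}
		}
	}
	return m, nil
}

// underProtectedTree reports whether a canonical host path is "/" itself or
// lies inside one of protectedTrees.
func underProtectedTree(canonical string) bool {
	canonical = filepath.Clean(canonical)
	if canonical == "/" {
		return true
	}
	for _, tree := range protectedTrees {
		if canonical == tree || strings.HasPrefix(canonical, tree+"/") {
			return true
		}
	}
	return false
}

// CheckRelabel decides whether the mount may proceed and whether the daemon
// should relabel the source. resolve canonicalises the host path
// (filepath.EvalSymlinks in real use; injected so the policy is testable
// without touching the filesystem). The ordering is the point of the fix:
// with no z/Z option nothing will be relabeled, so the protected-tree check
// must not run at all, and ":ro" alone can never trip it.
func CheckRelabel(m BindMount, resolve func(string) (string, error)) (bool, error) {
	if m.Relabel == "" {
		return false, nil
	}
	canonical, err := resolve(m.Source)
	if err != nil {
		return false, fmt.Errorf("resolving %q: %w", m.Source, err)
	}
	if underProtectedTree(canonical) {
		return false, fmt.Errorf("%w: %s resolves to %s", ErrRelabelForbidden, m.Source, canonical)
	}
	return true, nil
}

// constructedResolver stands in for the filesystem (constructed for this
// example): /etc/localtime is the zoneinfo symlink the reproducer trips over.
func constructedResolver(path string) (string, error) {
	links := map[string]string{"/etc/localtime": "/usr/share/zoneinfo/UTC"}
	if target, ok := links[path]; ok {
		return target, nil
	}
	return filepath.Clean(path), nil
}

func main() {
	for _, spec := range []string{
		"/etc/localtime:/etc/localtime:ro",   // the bug's reproducer: allowed, no relabel
		"/etc/localtime:/etc/localtime:ro,Z", // explicit relabel of /usr content: refused
		"/srv/data:/data:Z",                  // ordinary volume: relabeled
	} {
		m, err := ParseBindSpec(spec)
		if err != nil {
			fmt.Println(spec, "->", err)
			continue
		}
		relabel, err := CheckRelabel(m, constructedResolver)
		fmt.Printf("%-36s relabel=%-5v err=%v\n", spec, relabel, err)
	}
}
```

Swapping the two checks in CheckRelabel (testing the protected tree before testing whether a relabel was asked for) reproduces the failure mode reported here: every ":ro" mount whose source resolves under /usr would be refused even though no label would ever be changed.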
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
Status           |VERIFIED                    |RELEASE_PENDING
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             |Removed                     |Added
----------------------------------------------------------------------------
Status           |RELEASE_PENDING             |CLOSED
Resolution       |---                         |ERRATA
Last Closed      |                            |2015-06-23 05:30:23
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com --- Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-1167.html