https://bugzilla.redhat.com/show_bug.cgi?id=1094664
Bug ID: 1094664
Summary: docker-io-0.10.0-2 disables access to /dev/shm
Product: Fedora
Version: 20
Component: docker-io
Assignee: lsm5@redhat.com
Reporter: jpazdziora@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: admiller@redhat.com, golang@lists.fedoraproject.org, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, s@shk.io, vbatts@redhat.com
Description of problem:
While testing FreeIPA server and the 389 server in a Docker container, I started to see errors like "Failed to create semaphore for stats file/Permission denied" with docker-io from updates-testing. Upon closer look, /dev/shm seems to be mounted with mode 1755, which is different from what docker-io 0.9.1 does and what you get on bare metal.
Version-Release number of selected component (if applicable):
docker-io-0.10.0-2.fc20.x86_64
How reproducible:
Deterministic.
Steps to Reproduce:
1. docker run -ti fedora:20 /bin/bash
2. In the container shell, run
   mount | grep /dev/shm
   ls -la /dev/shm
   exit
3. Downgrade to docker-io-0.9.1 and repeat.
Actual results:
# docker run -ti fedora:20 /bin/bash
bash-4.2# mount | grep /dev/shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k,mode=1755)
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  6 08:06 .
drwxr-xr-x. 4 root root 4096 May  6 08:06 ..
bash-4.2# exit
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64

# yum downgrade docker-io -y
[...]

# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# docker run -ti fedora:20 /bin/bash
bash-4.2# mount | grep /dev/shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k)
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  6 09:16 .
drwxr-xr-x. 4 root root 4096 May  6 09:16 ..
bash-4.2# exit
exit
#
Expected results:
Permissions on /dev/shm the same as on docker-io-0.9.1.
Additional info:
Daniel Walsh dwalsh@redhat.com changed:
What | Removed | Added
-----|---------|------------------
CC   |         | dwalsh@redhat.com
--- Comment #1 from Daniel Walsh dwalsh@redhat.com ---
Is this an SELinux issue?
Could you attach the avc messages.
ausearch -m avc -ts recent -i
Jan Pazdziora jpazdziora@redhat.com changed:
What | Removed | Added
-----|---------|-----------------------
CC   |         | jpazdziora@redhat.com
--- Comment #2 from Jan Pazdziora jpazdziora@redhat.com ---
SELinux is disabled in the container (as reported by getenforce).
Command
ausearch -m avc -ts recent -i
when run on the host says
<no matches>
--- Comment #3 from Daniel Walsh dwalsh@redhat.com ---
SELinux is lying inside of the container.
Put the machine into permissive mode and see if you can write to /dev/shm.
ls -lZ /dev/shm from inside of the container.
--- Comment #4 from Jan Pazdziora jpazdziora@redhat.com ---
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# getenforce
Permissive
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxrwxrwt. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0 ..
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May  7 07:06 .
drwxr-xr-x. 4 root root 4096 May  7 07:06 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@c05cc1c52ec1 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@c05cc1c52ec1 ~]$ touch /dev/shm/b
[test@c05cc1c52ec1 ~]$ ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   80 May  7 07:06 .
drwxr-xr-x. 4 root root 4096 May  7 07:06 ..
-rw-r--r--. 1 root root    0 May  7 07:06 a
-rw-rw-r--. 1 test test    0 May  7 07:06 b
[test@c05cc1c52ec1 ~]$ logout
bash-4.2# exit
#
Back on the host:
# ausearch -m avc -ts recent -i
<no matches>
Now upgraded to:
# rpm -q docker-io
docker-io-0.10.0-2.fc20.x86_64
Restarted docker service and did:
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxr-xr-t. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0 ..
bash-4.2# ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   40 May  7 07:10 .
drwxr-xr-x. 4 root root 4096 May  7 07:10 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@e13c9240f149 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@e13c9240f149 ~]$ touch /dev/shm/b
touch: cannot touch '/dev/shm/b': Permission denied
[test@e13c9240f149 ~]$ ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   60 May  7 07:10 .
drwxr-xr-x. 4 root root 4096 May  7 07:10 ..
-rw-r--r--. 1 root root    0 May  7 07:10 a
[test@e13c9240f149 ~]$ logout
bash-4.2# exit
#
Back on the host:
# ausearch -m avc -ts recent -i
<no matches>
#
I don't think it's SELinux; the mode=1755 of the mountpoint seems to be an explicit indication that non-roots shouldn't be allowed to use /dev/shm.
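The check the reporter did by hand above (read the mount options, then try to create a file as an unprivileged user) can be scripted. The following POSIX shell script is an added example, not part of this bug report or of the docker-io package: it parses a mount(8) line for /dev/shm, extracts the mode= option (falling back to 1777, the tmpfs default, when it is absent, which matches the drwxrwxrwt seen with docker-io 0.9.1), and reports whether users other than root can create files there. The two sample lines are constructed to match the shapes shown in this bug; the --live flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): decide from a mount(8) line
# whether /dev/shm allows non-root processes to create files.

# Print the value of the mode= option from a mount line such as
#   shm on /dev/shm type tmpfs (rw,nosuid,...,size=65536k,mode=1755)
# When no mode= is present, print 1777, the tmpfs default.
shm_mode_from_mount_line() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    mode=""
    oldifs=$IFS
    IFS=,
    for opt in $opts; do
        case $opt in
            mode=*) mode=${opt#mode=} ;;
        esac
    done
    IFS=$oldifs
    [ -n "$mode" ] || mode=1777
    printf '%s\n' "$mode"
}

# Return 0 when the "others" digit of an octal mode (last digit) has the
# write bit set, 1 otherwise. 1777 -> 0 (writable), 1755 -> 1 (root only).
# The leading 1 is the sticky bit, which only limits deletion/rename of
# other users' files and does not affect creation.
others_can_write() {
    mode=$1
    others=${mode#"${mode%?}"}
    case $others in
        2|3|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict for a mount line.
shm_verdict() {
    mode=$(shm_mode_from_mount_line "$1")
    if others_can_write "$mode"; then
        printf 'mode=%s ok: unprivileged users can create files in /dev/shm\n' "$mode"
    else
        printf 'mode=%s restricted: only root can create files in /dev/shm\n' "$mode"
    fi
}

# Apply the verdict to the /dev/shm mount of the environment this runs in
# (a container shell or the host). Hypothetical helper for this example.
check_live_shm() {
    line=$(mount 2>/dev/null | grep ' on /dev/shm ' | head -n 1)
    if [ -z "$line" ]; then
        echo "/dev/shm is not a separate mount here"
        return 1
    fi
    shm_verdict "$line"
}

# Constructed sample lines, shaped like the output quoted in this bug:
# the first is the docker-io 0.9.1 shape, the second the 0.10.0-2 shape.
SAMPLE_OLD='shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k)'
SAMPLE_NEW='shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,size=65536k,mode=1755)'

shm_verdict "$SAMPLE_OLD"
shm_verdict "$SAMPLE_NEW"

if [ "${1:-}" = "--live" ]; then
    check_live_shm
fi
```

Run it with no arguments to see the verdict for the two sample lines; run it with --live inside a container to check the container's actual /dev/shm mount. A restricted verdict explains the "Permission denied" from software that creates POSIX semaphores or shared memory as a non-root service user, without any SELinux denial being involved.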
--- Comment #5 from Daniel Walsh dwalsh@redhat.com ---
Ah ok. I will see about this.
# docker run --rm -t -i fedora sh
sh-4.2# ls -lZ /dev/shm -d
drwxrwxrwt. root root system_u:object_r:svirt_sandbox_file_t:s0:c319,c682 /dev/shm
sh-4.2# exit
sh-4.3# rpm -q docker-io
docker-io-0.10.0-4.fc21.x86_64
Seems like the latest docker-io package has this fixed.
--- Comment #6 from Daniel Walsh dwalsh@redhat.com ---
Lokesh, can you push a new version to f20?
Jan Pazdziora jpazdziora@redhat.com changed:
What             | Removed | Added
-----------------|---------|-------------------------------
Status           | NEW     | VERIFIED
Fixed In Version |         | docker-io-0.11.1-1.fc20.x86_64
--- Comment #7 from Jan Pazdziora jpazdziora@redhat.com ---
I confirm that docker-io-0.11.1-1.fc20.x86_64 fixes the problem and that I can install FreeIPA server in a Docker container with docker-io-0.11 just like I could with docker-io-0.9.
Lokesh Mandvekar lsm5@switzerlandmail.ch changed:
What        | Removed  | Added
------------|----------|-------------------------
Status      | VERIFIED | CLOSED
CC          |          | lsm5@switzerlandmail.ch
Resolution  | ---      | CURRENTRELEASE
Last Closed |          | 2014-06-24 15:37:55
--- Comment #8 from Lokesh Mandvekar lsm5@switzerlandmail.ch ---
Closing this since 1.0.0-1 is already in f20 stable and this bug was fixed in 0.11.1 as per Comment 7.