https://bugzilla.redhat.com/show_bug.cgi?id=1221688
Bug ID: 1221688
Summary: Docker fails mounting a volume as readonly on files located under /usr
Product: Red Hat Enterprise Linux 7
Version: 7.1
Component: docker
Severity: high
Priority: high
Assignee: dwalsh@redhat.com
Reporter: jhunsaker@redhat.com
QA Contact: lsu@redhat.com
CC: adimania@gmail.com, admiller@redhat.com, bugzilla.redhat.com@trancecode.co.uk, dustymabe@redhat.com, extras-qa@fedoraproject.org, golang@lists.fedoraproject.org, hushan.jia@gmail.com, ichavero@redhat.com, jchaloup@redhat.com, jperrin@centos.org, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, miminar@redhat.com, s@shk.io, thrcka@redhat.com, vbatts@redhat.com, yann.robert@anantaplex.fr
Depends On: 1216151
Group: redhat
+++ This bug was initially created as a clone of Bug #1216151 +++
Description of problem:
Docker fails to run a container with a volume on files located under /usr (or on symbolic link to files located under /usr) if the ":ro" specification is used to mount it as readonly
Version-Release number of selected component (if applicable):
docker-io-1.6.0-2.git3eac457.fc21.x86_64
How reproducible: 100%
Steps to Reproduce:
1. install docker package docker-io-1.6.0-2.git3eac457.fc21.x86_64
2. restart the docker service
3. run the following command:
   docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
Actual results:
get exit code 1 and message:
FATA[0000] Error response from daemon: Cannot start container 4bb87515e4eb828b295eb4718a7159c958a1154ed839b29fd213a597b91a200e: [8] System error: Relabeling content in /usr is not allowed.
Expected results:
get exit code 0 and message "hello"
Additional info:
please refer to initial bug report on docker repository at github https://github.com/docker/docker/issues/12811
--- Additional comment from colin on 2015-05-12 17:48:40 EDT ---
I see this also on F22
[root@kvm124 ~]# rpm -q docker
docker-1.6.0-3.git9d26a07.fc22.x86_64
This no longer works:
docker run -d --sig-proxy --name $CT_name --net=none \
    -v /etc/localtime:/etc/localtime:ro \
Editing out the :ro stops the failure:
docker run -d --sig-proxy --name $CT_name --net=none \
    -v /etc/localtime:/etc/localtime \
FATA[0000] Error response from daemon: Cannot start container 925387bd2b2988b1a10ff87e68e188f3a579e68d3d5fc1f31d40a648cd9cb6d2: [8] System error: Relabeling content in /usr is not allowed.
-------------------------------------------
Cloning this to RHEL as I didn't see a RHEL BZ for this. This also affects RHEL Atomic Host 7.1.2.
Version: docker-1.6.0-11.el7.x86_64
How reproducible: 100%
Steps to reproduce:
1. Use the :ro parameter when volume mounting something like /etc/localtime to a container
Actual results:
# docker run --rm -ti -v /etc/localtime:/etc/localtime:ro rhel7 /bin/bash
Timestamp: 2015-05-14 09:24:34.832162133 -0400 EDT
Code: System error
Message: Relabeling content in /usr is not allowed.
Frames:
---
0: setupRootfs
Package: github.com/docker/libcontainer
File: rootfs_linux.go@34
---
1: Init
Package: github.com/docker/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@52
---
2: StartInitialization
Package: github.com/docker/libcontainer.(*LinuxFactory)
File: factory_linux.go@223
---
3: initializer
Package:
FATA[0002] Error response from daemon: Cannot start container 7be2ae04a120232345b5edbf18e487965b5418bb1ee9354e406d7b9f675c6091: [8] System error: Relabeling content in /usr is not allowed.
Expected results:
Container should start normally
Additional notes:
As mentioned in the Fedora bug, removing the :ro will allow the container to start, however this is not desirable for things like /etc/localtime as we don't want the container to be able to change that.
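An added pre-flight check, not part of the bug report or of Docker: it parses `-v src:dst[:opts]` volume specs and flags the combination described above, the `:ro` option on a host path that resolves through symlinks into /usr (the prefix is a parameter). The fixture mimicking /etc/localtime -> /usr/share/zoneinfo/UTC is constructed in a temp directory so the script runs without Docker.

```shell
#!/bin/sh
# resolves_under PATH PREFIX: succeeds when PATH, after following symlinks,
# lies inside PREFIX (the condition behind "Relabeling content in /usr").
resolves_under() {
    real=$(readlink -f "$1") || return 1
    case "$real" in
        "$2"|"$2"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_volume_spec SPEC PREFIX: succeeds when SPEC is "src:dst[:opts]" with
# "ro" among the options and src resolving into PREFIX, i.e. the failing case.
check_volume_spec() {
    src=${1%%:*}
    rest=${1#*:}
    opts=""
    case "$rest" in *:*) opts=${rest#*:} ;; esac
    case ",$opts," in
        *,ro,*) resolves_under "$src" "$2" ;;
        *)      return 1 ;;
    esac
}

# make_fixture: constructed layout (hypothetical, not a real host) that
# prints its root; <root>/etc/localtime is a symlink into <root>/usr.
make_fixture() {
    t=$(mktemp -d); t=$(readlink -f "$t")
    mkdir -p "$t/usr/share/zoneinfo" "$t/etc"
    : > "$t/usr/share/zoneinfo/UTC"
    : > "$t/etc/hosts"
    ln -s "$t/usr/share/zoneinfo/UTC" "$t/etc/localtime"
    printf '%s\n' "$t"
}

demo() {
    root=$(make_fixture)
    for spec in "$root/etc/localtime:/etc/localtime:ro" \
                "$root/etc/localtime:/etc/localtime" \
                "$root/etc/hosts:/etc/hosts:ro"; do
        if check_volume_spec "$spec" "$root/usr"; then
            echo "AFFECTED  $spec"
        else
            echo "ok        $spec"
        fi
    done
    rm -rf "$root"
}
demo
```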
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1216151 [Bug 1216151] Docker fails mounting a volume as readonly on files located under /usr
--- Comment #1 from Daniel Walsh dwalsh@redhat.com ---
This seems to be working fine in the Rawhide version.
docker run -it -v /etc/localtime:/etc/localtime:ro fedora:latest bash
[root@8e2e93beed2b /]# exit
Daniel Walsh dwalsh@redhat.com changed:
What      |Removed            |Added
----------------------------------------------------------------------------
Status    |NEW                |ASSIGNED
Assignee  |dwalsh@redhat.com  |lsm5@redhat.com
--- Comment #2 from Daniel Walsh dwalsh@redhat.com ---
Lokesh, we need to get this fixed for the next drop. I think it might be a bug in the SELinux patch. Could you test this with the docker-1.6.2 pool when you get a chance?
Daniel Walsh dwalsh@redhat.com changed:
What        |Removed  |Added
----------------------------------------------------------------------------
Depends On  |         |1230192
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1230192 [Bug 1230192] Docker fails mounting a volume as readonly on files located under /usr
Lokesh Mandvekar lsm5@redhat.com changed:
What    |Removed   |Added
----------------------------------------------------------------------------
Status  |ASSIGNED  |MODIFIED
--- Comment #4 from Lokesh Mandvekar lsm5@redhat.com ---
Sorry, I noticed this only now; looks like this is fixed: http://paste.fedoraproject.org/230804/43395521/
Lokesh Mandvekar lsm5@redhat.com changed:
What        |Removed  |Added
----------------------------------------------------------------------------
Depends On  |1216151  |
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1216151 [Bug 1216151] Docker fails mounting a volume as readonly on files located under /usr
Lokesh Mandvekar lsm5@redhat.com changed:
What         |Removed   |Added
----------------------------------------------------------------------------
Status       |MODIFIED  |CLOSED
Resolution   |---       |DUPLICATE
Last Closed  |          |2015-06-10 13:08:31
--- Comment #5 from Lokesh Mandvekar lsm5@redhat.com ---
*** This bug has been marked as a duplicate of bug 1230192 ***
Bug 1221688 depends on bug 1230192, which changed state.
Bug 1230192 Summary: Docker fails mounting a volume as readonly on files located under /usr
https://bugzilla.redhat.com/show_bug.cgi?id=1230192
What        |Removed          |Added
----------------------------------------------------------------------------
Status      |RELEASE_PENDING  |CLOSED
Resolution  |---              |ERRATA