https://bugzilla.redhat.com/show_bug.cgi?id=1221688
Bug ID: 1221688
Summary: Docker fails mounting a volume as readonly on files
located under /usr
Product: Red Hat Enterprise Linux 7
Version: 7.1
Component: docker
Severity: high
Priority: high
Assignee: dwalsh(a)redhat.com
Reporter: jhunsaker(a)redhat.com
QA Contact: lsu(a)redhat.com
CC: adimania(a)gmail.com, admiller(a)redhat.com,
bugzilla.redhat.com(a)trancecode.co.uk,
dustymabe(a)redhat.com, extras-qa(a)fedoraproject.org,
golang(a)lists.fedoraproject.org, hushan.jia(a)gmail.com,
ichavero(a)redhat.com, jchaloup(a)redhat.com,
jperrin(a)centos.org, lsm5(a)redhat.com,
mattdm(a)redhat.com, mgoldman(a)redhat.com,
miminar(a)redhat.com, s(a)shk.io, thrcka(a)redhat.com,
vbatts(a)redhat.com, yann.robert(a)anantaplex.fr
Depends On: 1216151
Group: redhat
+++ This bug was initially created as a clone of Bug #1216151 +++
Description of problem:
Docker fails to run a container with a volume on files located under /usr (or
on a symbolic link to files located under /usr) if the ":ro" specification is
used to mount it as readonly.
Version-Release number of selected component (if applicable):
docker-io-1.6.0-2.git3eac457.fc21.x86_64
How reproducible: 100%
Steps to Reproduce:
1. install docker package docker-io-1.6.0-2.git3eac457.fc21.x86_64
2. restart the docker service
3. run the following command
docker run -ti -v /etc/localtime:/etc/localtime:ro busybox echo hello
Actual results:
get exit code 1
and message FATA[0000] Error response from daemon: Cannot start container
4bb87515e4eb828b295eb4718a7159c958a1154ed839b29fd213a597b91a200e: [8] System
error: Relabeling content in /usr is not allowed.
Expected results:
get exit code 0
and message "hello"
Additional info:
please refer to initial bug report on docker repository at github
https://github.com/docker/docker/issues/12811
--- Additional comment from colin on 2015-05-12 17:48:40 EDT ---
I see this also on F22
[root@kvm124 ~]# rpm -q docker
docker-1.6.0-3.git9d26a07.fc22.x86_64
This no longer works
docker run -d --sig-proxy --name $CT_name --net=none \
-v /etc/localtime:/etc/localtime:ro \
Editing out the :ro stops the failure
docker run -d --sig-proxy --name $CT_name --net=none \
-v /etc/localtime:/etc/localtime \
FATA[0000] Error response from daemon: Cannot start container
925387bd2b2988b1a10ff87e68e188f3a579e68d3d5fc1f31d40a648cd9cb6d2: [8] System
error: Relabeling content in /usr is not allowed.
-------------------------------------------
Cloning this to RHEL as I didn't see a RHEL BZ for this.
This also affects RHEL Atomic Host 7.1.2.
Version:
docker-1.6.0-11.el7.x86_64
How reproducible:
100%
Steps to reproduce:
1. Use the :ro parameter when volume mounting something like /etc/localtime to
a container
Actual results:
# docker run --rm -ti -v /etc/localtime:/etc/localtime:ro rhel7 /bin/bash
Timestamp: 2015-05-14 09:24:34.832162133 -0400 EDT
Code: System error
Message: Relabeling content in /usr is not allowed.
Frames:
---
0: setupRootfs
Package:
github.com/docker/libcontainer
File: rootfs_linux.go@34
---
1: Init
Package:
github.com/docker/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@52
---
2: StartInitialization
Package:
github.com/docker/libcontainer.(*LinuxFactory)
File: factory_linux.go@223
---
3: initializer
Package: FATA[0002] Error response from daemon: Cannot start container
7be2ae04a120232345b5edbf18e487965b5418bb1ee9354e406d7b9f675c6091: [8] System
error: Relabeling content in /usr is not allowed.
Expected results:
Container should start normally
Additional notes:
As mentioned in the Fedora bug, removing the :ro will allow the container to
start, however this is not desirable for things like /etc/localtime as we don't
want the container to be able to change that.
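The following shell check is an added example and is not code from the bug report or from the docker project. Given a "-v src:dst[:opts]" volume spec, it resolves the host side through its symlinks with readlink -f and reports when a ":ro" source ends up under /usr, the tree the daemon error above says it will not relabel, which is exactly what happens with /etc/localtime when it is a symlink into /usr/share/zoneinfo. The prefix defaults to /usr because that is the only tree the report names; the optional prefix argument and the temporary directory tree built at the bottom for a self-contained demonstration are assumptions for illustration, and the script never invokes docker itself.

```shell
#!/bin/sh
# Added example (not from the bug report or docker): warn before running
# "docker run -v src:dst:ro" when the resolved source lies under /usr.

# resolve_real PATH: canonical path with every symlink resolved.
resolve_real() {
    readlink -f "$1"
}

# under_prefix PATH PREFIX: succeed when the *resolved* PATH is PREFIX
# itself or lies inside it (a bare string prefix would wrongly match
# /usrlocal, so the trailing slash case is matched separately).
under_prefix() {
    real=$(resolve_real "$1") || return 2
    case "$real" in
        "$2"|"$2"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_volume SPEC [PREFIX]: parse "src:dst[:opts]" and return 1 when the
# spec asks for ":ro" on a source that resolves under PREFIX (default
# /usr, the tree named in the error "Relabeling content in /usr is not
# allowed"). The PREFIX argument is an assumption for illustration.
check_volume() {
    spec=$1
    prefix=${2:-/usr}
    src=${spec%%:*}
    rest=${spec#*:}
    case "$rest" in
        *:*) opts=${rest#*:} ;;   # third field present, e.g. "ro" or "ro,z"
        *)   opts="" ;;
    esac
    ro=0
    case ",$opts," in
        *,ro,*) ro=1 ;;
    esac
    if [ "$ro" -eq 1 ] && under_prefix "$src" "$prefix"; then
        echo "WARN: $src resolves to $(resolve_real "$src") under $prefix;" \
             "':ro' on this source triggers the relabel error"
        return 1
    fi
    echo "ok: $spec"
    return 0
}

# Demonstration on a constructed tree (an assumption, not the real
# filesystem): etc/localtime is a symlink into usr/share/zoneinfo, as on
# the reporter's hosts. Run with no arguments to see both outcomes.
if [ $# -eq 0 ]; then
    demo=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$demo/usr/share/zoneinfo" "$demo/etc"
    : > "$demo/usr/share/zoneinfo/UTC"
    : > "$demo/etc/hosts"
    ln -s ../usr/share/zoneinfo/UTC "$demo/etc/localtime"
    check_volume "$demo/etc/localtime:/etc/localtime:ro" "$demo/usr" || true
    check_volume "$demo/etc/localtime:/etc/localtime" "$demo/usr"
    check_volume "$demo/etc/hosts:/etc/hosts:ro" "$demo/usr"
    rm -rf "$demo"
else
    check_volume "$@"
fi
```

Against a real host the call is check_volume /etc/localtime:/etc/localtime:ro; the WARN line identifies the resolved zoneinfo file so the operator knows why the ":ro" form fails while the same mount without ":ro" starts, and can decide whether to drop ":ro" (as the notes above say, undesirable for /etc/localtime) or wait for a fixed package.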
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1216151
[Bug 1216151] Docker fails mounting a volume as readonly on files located
under /usr