0016997: Cannot start containers with latest Docker version 1.13.1-108.git4ef4b30.el7.centos

ID	Project	Category	View Status	Date Submitted	Last Update

0016997	CentOS-7	docker	public	2020-02-01 15:59	2020-04-24 14:22

Reporter	xoxys	Assigned To
Priority	normal	Severity	major	Reproducibility	always
Status	new	Resolution	open
Product Version	7.7-1908

Summary	0016997: Cannot start containers with latest Docker version 1.13.1-108.git4ef4b30.el7.centos
Description	After upgrading to the latest docker version from CentOS Extras repo (1.13.1-108.git4ef4b30.el7.centos) docker failed to start containers: docker run -it alpine /bin/sh /usr/bin/docker-current: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:53: mounting \\\"mqueue\\\" to rootfs \\\"/var/lib/docker/231072.231072/overlay2/bbaa6e0727fa53dc6577913353875aa0eb9b73723668c2452d590e6c81f4232e/merged\\\" at \\\"/dev/mqueue\\\" caused \\\"operation not permitted\\\"\"". Seems to be an issue related to SELinux or User Namespace remapping or maybe a combination of both. The error only occurs if both settings --selinux-enabled and --userns-remap=dockremap:dockremap enabled. Removing one of these options and restart docker the docker engine "fixed" the issue.
Steps To Reproduce	1. Upgrade to latest docker version 1.13.1-108.git4ef4b30.el7.centos 2. Enable userns-remap and selinux 3. Try to start a container
Tags	docker, selinux

abrt_hash
URL

tsteiner 2020-02-02 15:41 reporter ~0036181	I am also seeing this issue after the docker update. OPTIONS in /etc/sysconfig/docker is set to "--selinux-enabled --log-driver=journald --signature-verification=false --userns-remap=default" and /etc/docker/daemon.json contains {"live-restore": true} Running any container gives the above error, including hello-world.

mab 2020-03-03 13:58 reporter ~0036437	hello together we had the same problem with Docker and Redhat. Redhat has now released a fix for this problem. Concerns Bugzilla entry: https://bugzilla.redhat.com/show_bug.cgi?id=1793486 Unfortunately this entry is not public record. Fixed packages: docker.x86_64 2:1.13.1-109.gitcccb291.el7_7 docker-client.x86_64 2:1.13.1-109.gitcccb291.el7_7 docker-common.x86_64 2:1.13.1-109.gitcccb291.el7_7 I hope this is helpful so the Centos team can fix this problem as well.

wholevinski-nov 2020-04-24 14:22 reporter ~0036765	@mab Can you try to relabel your filesystem then reboot and see if you can start containers after that? I noticed that all of the /usr/bin/docker* binaries had incorrect labels on them. Doing a restorecon on each one gave it the correct label, so it looks like some package chcon'ed them to be incorrect. Do a: $> touch /.autorelabel $> reboot And let me know if that helps.

Date Modified	Username	Field
2020-02-01 15:59	xoxys	New Issue
2020-02-01 15:59	xoxys	Tag Attached: docker
2020-02-01 15:59	xoxys	Tag Attached: selinux
2020-02-02 15:41	tsteiner	Note Added: 0036181
2020-03-03 13:58	mab	Note Added: 0036437
2020-04-24 14:22	wholevinski-nov	Note Added: 0036765