View Issue Details

ID: 0016997
Project: CentOS-7
Category: docker
View Status: public
Last Update: 2020-04-24 14:22
Reporter: xoxys
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.7-1908
Target Version:
Fixed in Version:
Summary: 0016997: Cannot start containers with latest Docker version 1.13.1-108.git4ef4b30.el7.centos
Description: After upgrading to the latest docker version from CentOS Extras repo (1.13.1-108.git4ef4b30.el7.centos) docker failed to start containers:

docker run -it alpine /bin/sh
/usr/bin/docker-current: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:53: mounting \\\"mqueue\\\" to rootfs \\\"/var/lib/docker/231072.231072/overlay2/bbaa6e0727fa53dc6577913353875aa0eb9b73723668c2452d590e6c81f4232e/merged\\\" at \\\"/dev/mqueue\\\" caused \\\"operation not permitted\\\"\"".

Seems to be an issue related to SELinux or User Namespace remapping or maybe a combination of both. The error only occurs if both settings --selinux-enabled and --userns-remap=dockremap:dockremap are enabled. Removing one of these options and restarting the docker engine "fixed" the issue.
Steps To Reproduce:
1. Upgrade to latest docker version 1.13.1-108.git4ef4b30.el7.centos
2. Enable userns-remap and selinux
3. Try to start a container
Tags: docker, selinux

Activities

tsteiner

2020-02-02 15:41

reporter   ~0036181

I am also seeing this issue after the docker update.

OPTIONS in /etc/sysconfig/docker is set to "--selinux-enabled --log-driver=journald --signature-verification=false --userns-remap=default"
and /etc/docker/daemon.json contains {"live-restore": true}

Running any container gives the above error, including hello-world.
mab

2020-03-03 13:58

reporter   ~0036437

Hello together,

We had the same problem with Docker and Red Hat. Red Hat has now released a fix for this problem.

Concerns Bugzilla entry: https://bugzilla.redhat.com/show_bug.cgi?id=1793486
Unfortunately this entry is not public record.

Fixed packages:
docker.x86_64 2:1.13.1-109.gitcccb291.el7_7
docker-client.x86_64 2:1.13.1-109.gitcccb291.el7_7
docker-common.x86_64 2:1.13.1-109.gitcccb291.el7_7

I hope this is helpful so the CentOS team can fix this problem as well.
wholevinski-nov

2020-04-24 14:22

reporter   ~0036765

@mab Can you try to relabel your filesystem then reboot and see if you can start containers after that? I noticed that all of the /usr/bin/docker* binaries had incorrect labels on them. Doing a restorecon on each one gave it the correct label, so it looks like some package chcon'ed them to be incorrect.

Do a:

$> touch /.autorelabel
$> reboot

And let me know if that helps.
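
Added example, not part of the thread or of any participant's note: a read-only shell check for the two conditions discussed above, the --selinux-enabled plus --userns-remap option combination and label drift on /usr/bin/docker*. It assumes the daemon options are set in /etc/sysconfig/docker (daemon.json is not parsed); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check for the conditions reported above.

# Succeeds when an option string enables both SELinux support and userns-remap.
has_trigger_combo() {
    selinux=no; userns=no
    for opt in $1; do    # unquoted on purpose: split the string into options
        case "$opt" in
            --selinux-enabled|--selinux-enabled=true) selinux=yes ;;
            --selinux-enabled=false)                  selinux=no ;;
            --userns-remap=?*)                        userns=yes ;;
        esac
    done
    [ "$selinux" = yes ] && [ "$userns" = yes ]
}

# Prints the last OPTIONS= value of a sysconfig-style file, quotes stripped.
read_options() {
    sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Lists docker binaries whose label differs from policy; -n means nothing is changed.
label_drift() {
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not found"; return 0; }
    restorecon -n -v /usr/bin/docker* 2>/dev/null || true
}

# Assumption: daemon options live in /etc/sysconfig/docker (daemon.json is not parsed).
check_host() {
    conf=${1:-/etc/sysconfig/docker}
    [ -r "$conf" ] || { echo "cannot read $conf, nothing checked"; return 0; }
    if has_trigger_combo "$(read_options "$conf")"; then
        echo "both --selinux-enabled and --userns-remap are set in $conf"
        rpm -q docker 2>/dev/null || true    # compare with the versions in this issue
        label_drift
    else
        echo "option combination from this issue is not set in $conf"
    fi
}

check_host "$@"
```

Any file that restorecon lists in this dry run carries a label that differs from the loaded policy.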

Issue History

Date Modified Username Field Change
2020-02-01 15:59 xoxys New Issue
2020-02-01 15:59 xoxys Tag Attached: docker
2020-02-01 15:59 xoxys Tag Attached: selinux
2020-02-02 15:41 tsteiner Note Added: 0036181
2020-03-03 13:58 mab Note Added: 0036437
2020-04-24 14:22 wholevinski-nov Note Added: 0036765