moby: cap_set_file not permitted on aufs storage driver only

When running this minimal Dockerfile:

FROM centos
RUN yum install -y httpd mod_ssl

The following error occurs only when using the aufs storage driver:

Installing : httpd-2.4.6-17.el7.centos.1.x86_64                           8/9
Error unpacking rpm package httpd-2.4.6-17.el7.centos.1.x86_64

error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file

When running with the devicemapper driver the command succeeds. The capabilities listed for the process are identical under both storage drivers and include CAP_SETFCAP and CAP_FOWNER, which are listed by cap_set_file as requirements.

Here is the full list of capabilities which both processes have:

Capabilities for `11004': =ep cap_chown,cap_dac_override,cap_fowner,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_setfcap+i cap_dac_read_search,cap_fsetid,cap_linux_immutable,cap_net_broadcast,cap_net_admin,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_lease,cap_audit_write,cap_audit_control,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend-ep
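The reporter's reasoning above (the process holds CAP_SETFCAP and CAP_FOWNER, so its capability set does not explain the failure) can be checked mechanically. The following is an added example, not code from the issue or from moby: a small Python evaluator for the libcap text form that getpcaps prints, run over the capability string quoted above; the requirement list (cap_setfcap, cap_fowner) is the one named in the report.

```python
import re

# Constructed from the report: the capability set seen under both storage
# drivers, in libcap text form (clauses: [caps][=+-][epi]...; empty caps = all).
CAPS_TEXT = ("=ep cap_chown,cap_dac_override,cap_fowner,cap_kill,cap_setgid,cap_setuid,"
             "cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,"
             "cap_setfcap+i cap_dac_read_search,cap_fsetid,cap_linux_immutable,"
             "cap_net_broadcast,cap_net_admin,cap_ipc_lock,cap_ipc_owner,cap_sys_module,"
             "cap_sys_rawio,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,"
             "cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_lease,"
             "cap_audit_write,cap_audit_control,cap_mac_override,cap_mac_admin,cap_syslog,"
             "cap_wake_alarm,cap_block_suspend-ep")

def _apply(op, cur, flags):
    # '=' sets the flags exactly, '+' raises them, '-' lowers them.
    if op == "=":
        return set(flags)
    return cur | flags if op == "+" else cur - flags

def parse_cap_text(text):
    """Evaluate a libcap text string clause by clause.
    Returns (default, named): `default` is the flag set of every capability not
    mentioned by name, `named` maps cap name -> set of flags drawn from {e,p,i}."""
    default, named = set(), {}
    for clause in text.split():
        m = re.match(r"([a-z0-9_,]*)([=+\-].*)$", clause)
        if not m:
            raise ValueError("bad clause: %r" % clause)
        names, actions = m.group(1), m.group(2)
        caps = None if names in ("", "all") else names.split(",")  # None = all caps
        for op, flags in re.findall(r"([=+\-])([epi]*)", actions):
            flags = set(flags)
            if caps is None:
                default = _apply(op, default, flags)
                named = {c: _apply(op, f, flags) for c, f in named.items()}
            else:
                for c in caps:
                    named[c] = _apply(op, named.get(c, default), flags)
    return default, named

def flags_for(text, cap):
    default, named = parse_cap_text(text)
    return named.get(cap, default)

def missing_effective(text, required):
    """Required capabilities that are NOT in the process's effective set."""
    return sorted(c for c in required if "e" not in flags_for(text, c))
```

An empty result from `missing_effective(CAPS_TEXT, ["cap_setfcap", "cap_fowner"])` confirms the reporter's point: the process is not short of capabilities, so the failure that appears only under aufs has to be looked for in the storage driver rather than in the container's capability bounding set.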

About this issue

  • State: closed
  • Created 10 years ago
  • Reactions: 3
  • Comments: 71 (20 by maintainers)

Most upvoted comments

@crosbymichael is right. AUFS is the problem. I had a “solution” (workaround) on debian and maybe ubuntu…

Export your images and/or containers (because they will be inaccessible unless you revert the following instructions)

service docker stop

Open “/etc/default/docker” and set DOCKER_OPTS with

DOCKER_OPTS="-s devicemapper"

Then relaunch docker service

service docker start

Now Docker is using devicemapper and not AUFS, so it should stop complaining with yum and httpd (or other problems with cap_set_file).

I was able to retrieve my images and containers by removing the modification in /etc/default/docker and restarting the docker service. I guess that this modification can be dangerous, so please make backups of your images and containers before testing.

Now… who can manage this bug? Docker team? AUFS team?

This problem isn’t fixed in ubuntu 16.04.

Has anybody here tested the workaround from https://github.com/docker/hub-feedback/issues/461#issuecomment-318786850 ?

Experienced same issue, cannot install httpd in a centos container

error unpacking rpm package httpd-2.4.6-45.el7.centos.4.x86_64
error: unpacking of archive failed on file /usr/sbin/suexec;597bcbad: cpio: cap_set_file
error: httpd-2.4.6-45.el7.centos.4.x86_64: install failed

With the image centos/https, they set --setopt when installing the package:

RUN yum -y --setopt=tsflags=nodocs update && yum -y --setopt=tsflags=nodocs install httpd && yum clean all

Done so in my Dockerfile, now it works fine.

This issue went away for me when I upgraded to Ubuntu 16.04.1 and rebooted.

I’ve also seen the problem building a centos:7 image on an ubuntu 16.04 host.

To use the devicemapper workaround on 16.04 you can do the following

systemctl stop docker

Edit /lib/systemd/system/docker.service to add -s devicemapper to the ExecStart command. See https://docs.docker.com/engine/admin/systemd/

Reload the service file

systemctl daemon-reload

Start docker

systemctl start docker

Thanks for that hint! Missed it in all those configs. Added in my /etc/default/docker “-s devicemapper” to the DOCKER_OPTS and now I can build an image with httpd installed.

For boot2docker users, here’s how to change your storage driver: http://pkgfarm.tumblr.com/post/114104687791/fixing-yum-install-on-boot2docker