moby: Host volume mount fails when using SElinux and a mountpoint as source
Output of docker version:
Client:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:23:11 2016
OS/Arch: linux/amd64
Server:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:23:11 2016
OS/Arch: linux/amd64
Output of docker info:
Images: 13
Server Version: 1.11.2
Storage Driver: devicemapper
Pool Name: docker-253:3-1048580-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 400.3 MB
Data Space Total: 107.4 GB
Data Space Available: 20.55 GB
Metadata Space Used: 1.413 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.146 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/data/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Metadata loop file: /var/data/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.107-RHEL7 (2015-12-01)
Logging Driver: syslog
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge null host
Kernel Version: 3.10.0-327.10.1.el7.x86_64
Operating System: Red Hat Enterprise Linux
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.797 GiB
Name: host.example.com
ID: DFFW:KL3Y:NJDM:R576:R4OH:A6ZS:PGED:QCG6:7T5J:HNEK:4MTT:E32K
Docker Root Dir: /var/data/docker
Debug mode (client): false
Debug mode (server): false
Http Proxy: http://proxy.example.com:80
Https Proxy: http://proxy.example.com:80
No Proxy: localhost,127.0.0.1,example.com
Registry: https://index.docker.io/v1/
Additional environment details (AWS, VirtualBox, physical, etc.):
Red Hat EL7.2, VMware hypervisor
Steps to reproduce the issue:
- Run Docker Engine with --selinux-enabled=true on a SElinux enforcing host.
- Mount a disk or logical-volume on a mountpoint, let's say /foo/bar
- Volume-mount the mountpoint inside a container: docker run -ti -v /foo/bar:/foo:z ubuntu /bin/bash
Describe the results you received:
The container startup fails, showing:
docker: Error response from daemon: operation not supported.
Describe the results you expected:
The expected result is a running container. This fails when using a mountpoint on the host as entrypoint for the volume mount. Starting a container using a subdirectory on the mountpoint (e.g. docker run -ti -v /foo/bar/baz:/foo:z ubuntu /bin/bash) is successful.
Using mount -o defcontext="system_u:object_r:svirt_sandbox_file_t:s0" or running chcon -R -t svirt_sandbox_file_t /foo/bar on the mountpoint to implicitly set SElinux labels before starting the container results in the same behavior on container startup:
docker: Error response from daemon: operation not supported.
Additional information you deem important (e.g. issue happens only occasionally):
Same result when using Docker 1.12.0-rc2.
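A preflight check for the scenario in this report, added here as an example that is not part of the issue or of Docker itself: before running docker run -v SRC:DST:z, it resolves SRC against the mount table and warns when SRC is the root of a mount (the failing case above, where a subdirectory works) or sits on a filesystem mounted with context=, whose labels are fixed at mount time and cannot be changed by chcon or :z. The mount table and the paths /foo/bar, /foo/bar/baz and /mnt/usb are constructed for the demo; without the second argument the functions read the live /proc/self/mounts.

```shell
#!/bin/sh
# Preflight for `docker run -v SRC:DST:z` on an SELinux-enforcing host.
# Flags two cases where relabelling SRC will not work as intended:
#  1. SRC is itself a mountpoint (this issue: ":z" on the root of a mounted
#     filesystem fails with "operation not supported", a subdirectory works);
#  2. SRC is on a filesystem mounted with context=..., whose labels are fixed
#     at mount time, so neither chcon nor ":z" can change them.
# Constructed mount table standing in for /proc/self/mounts (hypothetical hosts).
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,seclabel,relatime 0 0
/dev/mapper/data-bar /foo/bar xfs rw,seclabel,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,context=system_u:object_r:removable_t:s0 0 0'
# Write the constructed table to a temp file and print its path.
sample_table() { f=$(mktemp); printf '%s\n' "$SAMPLE_MOUNTS" >"$f"; echo "$f"; }
# Longest mount whose mountpoint contains the path; prints "mountpoint fstype options".
mount_for() {  # $1 = absolute path, $2 = mount table (default: /proc/self/mounts)
    awk -v p="$1" '
        { mp = $2 }
        p == mp || index(p, mp == "/" ? "/" : mp "/") == 1 {
            if (length(mp) > length(best)) { best = mp; fs = $3; opt = $4 }
        }
        END { if (best != "") print best, fs, opt }' "${2:-/proc/self/mounts}"
}
# Succeeds when the path is exactly a mountpoint in the table.
is_mountpoint() {
    set -- "$1" $(mount_for "$1" "$2")
    [ "$1" = "$2" ]
}
# Prints one line of advice for SRC; returns 1 when the ":z" relabel is expected to fail.
volume_preflight() {  # $1 = SRC, $2 = mount table (default: /proc/self/mounts)
    entry=$(mount_for "$1" "$2")
    [ -n "$entry" ] || { echo "$1: not under any mount in the table"; return 1; }
    set -- "$1" $entry
    case ",$4," in
        *,context=*)
            echo "$1: $3 on $2 is mounted with context=, labels are fixed; :z cannot relabel"
            return 1 ;;
    esac
    if [ "$1" = "$2" ]; then
        echo "$1: root of mount $2 ($3); :z may fail with 'operation not supported', use a subdirectory such as $1/baz"
        return 1
    fi
    echo "$1: ok, subdirectory of mount $2 ($3)"
}
# Demo on the constructed table; drop the second argument to check the live host.
T=$(sample_table)
for src in /foo/bar /foo/bar/baz /mnt/usb/data; do volume_preflight "$src" "$T" || true; done
rm -f "$T"
```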
About this issue
- State: closed
- Created 8 years ago
- Comments: 15 (8 by maintainers)
Outside the container try to do: chcon -t svirt_sandbox_file_t /var/foo
Does this give you an error?