moby: Host volume mount fails when using SELinux and a mountpoint as source

Output of docker version:

Client:
 Version:      1.11.2
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   b9f10c9
 Built:        Wed Jun  1 21:23:11 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.2
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   b9f10c9
 Built:        Wed Jun  1 21:23:11 2016
 OS/Arch:      linux/amd64

Output of docker info:

Images: 13
Server Version: 1.11.2
Storage Driver: devicemapper
 Pool Name: docker-253:3-1048580-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 400.3 MB
 Data Space Total: 107.4 GB
 Data Space Available: 20.55 GB
 Metadata Space Used: 1.413 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.146 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/data/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
 Metadata loop file: /var/data/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2015-12-01)
Logging Driver: syslog
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge null host
Kernel Version: 3.10.0-327.10.1.el7.x86_64
Operating System: Red Hat Enterprise Linux
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.797 GiB
Name: host.example.com
ID: DFFW:KL3Y:NJDM:R576:R4OH:A6ZS:PGED:QCG6:7T5J:HNEK:4MTT:E32K
Docker Root Dir: /var/data/docker
Debug mode (client): false
Debug mode (server): false
Http Proxy: http://proxy.example.com:80
Https Proxy: http://proxy.example.com:80
No Proxy: localhost,127.0.0.1,example.com
Registry: https://index.docker.io/v1/


Additional environment details (AWS, VirtualBox, physical, etc.):

Red Hat EL7.2, VMware hypervisor

Steps to reproduce the issue:

  1. Run Docker Engine with --selinux-enabled=true on an SELinux-enforcing host.
  2. Mount a disk or logical volume on a mountpoint, let's say /foo/bar
  3. Volume-mount the mountpoint inside a container: docker run -ti -v /foo/bar:/foo:z ubuntu /bin/bash

Describe the results you received:

The container startup fails, showing:

docker: Error response from daemon: operation not supported.

Describe the results you expected:

The expected result is a running container. This fails when using a mountpoint on the host as the entry point for the volume mount. Starting a container using a subdirectory on the mountpoint (e.g. docker run -ti -v /foo/bar/baz:/foo:z ubuntu /bin/bash) is successful.

Using mount -o defcontext="system_u:object_r:svirt_sandbox_file_t:s0", or running chcon -R -t svirt_sandbox_file_t /foo/bar on the mountpoint to implicitly set SELinux labels before starting the container, results in the same behavior on container startup:

docker: Error response from daemon: operation not supported.

Additional information you deem important (e.g. issue happens only occasionally):

Same result when using Docker 1.12.0-rc2

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

Outside the container try to do

chcon -t svirt_sandbox_file_t /var/foo

Does this give you an error?
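A pre-flight check for the reproduction steps (a mountpoint used as the source of a -v SRC:DST:z volume) and for the chcon probe the comment above suggests. This is an added example; it is not code from the issue, from Docker, or from the commenter. Both the :z option and chcon relabel a path by writing the security.selinux xattr, which a filesystem mounted with a fixed context= option refuses with EOPNOTSUPP ("operation not supported"); a path that is itself a mountpoint therefore deserves a look at its own mount entry before the daemon tries to relabel it. The script reads entries in the /proc/self/mountinfo format; the SAMPLE_MOUNTINFO text is constructed for the example and was not captured from the reporter's host, the script name relabel_check.sh is hypothetical, and the label type svirt_sandbox_file_t is the one named on this page (the chcon probe really changes the label of the host path, exactly as the suggested command does).

```shell
#!/bin/sh
# Added example, not code from the issue or from Docker: report whether a
# bind-mount source is itself a mountpoint and whether its filesystem will
# accept an SELinux relabel (chcon / docker -v ...:z) before a container
# start is attempted.

# Constructed sample in /proc/self/mountinfo format (not from the reporter's
# host): a labelable xfs volume, a mount with a fixed context= label, and a
# cifs share that reports no SELinux label support.
SAMPLE_MOUNTINFO='22 1 253:1 / / rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,seclabel,attr2,inode64,noquota
40 22 253:3 / /foo/bar rw,relatime shared:20 - xfs /dev/mapper/data-foo rw,seclabel,attr2,inode64,noquota
41 22 8:17 / /mnt/fixed rw,relatime shared:21 - xfs /dev/sdb1 rw,context="system_u:object_r:svirt_sandbox_file_t:s0",attr2
42 22 0:40 / /mnt/share rw,relatime shared:22 - cifs //srv/share rw,vers=3.0'

# Print the mountinfo entry whose mount point (field 5) is exactly $1.
mount_entry() {
    awk -v p="$1" '$5 == p { print; exit }'
}

# The fields after the " - " separator are: fstype, source, super-block
# options. $1 is the offset from the separator (1 = fstype, 3 = super options).
mount_field_after_sep() {
    awk -v off="$1" '{ for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + off); exit } }'
}

# relabel_check PATH [MOUNTINFO_TEXT]   (defaults to the live /proc/self/mountinfo)
# Prints one of:
#   not-a-mountpoint
#   mountpoint labelable FSTYPE      (seclabel present: xattr labels can be set)
#   mountpoint fixed-context FSTYPE  (context= mount: chcon and :z are refused)
#   mountpoint no-seclabel FSTYPE    (no SELinux xattr support reported)
relabel_check() {
    path=$1
    if [ -n "$2" ]; then
        info=$2
    else
        info=$(cat /proc/self/mountinfo)
    fi
    entry=$(printf '%s\n' "$info" | mount_entry "$path")
    if [ -z "$entry" ]; then
        echo "not-a-mountpoint"
        return 0
    fi
    fstype=$(printf '%s\n' "$entry" | mount_field_after_sep 1)
    superopts=$(printf '%s\n' "$entry" | mount_field_after_sep 3)
    case ",$superopts," in
        *,context=*)  echo "mountpoint fixed-context $fstype" ;;
        *,seclabel,*) echo "mountpoint labelable $fstype" ;;
        *)            echo "mountpoint no-seclabel $fstype" ;;
    esac
}

# host_relabel_probe PATH: the chcon test suggested in the comment, using the
# label type named on this page. It changes the label of PATH on the host and
# needs chcon plus permission to relabel, so it only runs from the command line.
host_relabel_probe() {
    command -v chcon >/dev/null 2>&1 || { echo "chcon on $1: chcon not available"; return 0; }
    if err=$(chcon -t svirt_sandbox_file_t "$1" 2>&1); then
        echo "chcon on $1: ok"
    else
        echo "chcon on $1: $err"
    fi
}

# Usage: sh relabel_check.sh /foo/bar [MORE_PATHS...]
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(relabel_check "$p")"
    host_relabel_probe "$p"
done
```

Run it against the live mountinfo with the same path you hand to -v: a result of "mountpoint fixed-context" means no relabel can succeed (a defcontext= or fscontext= mount, by contrast, still allows per-file labels), while "not-a-mountpoint" for /foo/bar/baz next to "mountpoint ..." for /foo/bar is the difference between the failing and the working invocation in the report. Remember that :z makes the source readable by every container on the host, so check the label of the path before sharing it rather than after.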