moby: Installing older version of docker-engine on CentOS 7.2.1511 (without some updates) fails

Description

When installing on CentOS 7.2 any version of Docker using the docker provided packages fails due to a failure to meet the selinux-policy* packages version requirement if you have updates pegged to a certain point (i.e. you’re not directly following the upstream updates repo). This is occurring due to two reasons:

  1. The docker-engine package has a requirement on the docker-engine-selinux package of greater than or equal to the same version of the docker-engine package. This means trying to install an older version of docker-engine installs the latest version of the docker-engine-selinux.

  2. The docker-engine-selinux package for 1.13.0 has a requirement on a version (3.13.1-102) of the selinux packages which was only recently put out (January 18th 2017). Granted this package is in the generic CentOS 7 updates repo, that does not mean that everyone has it available.

This breaks the ability to easily install older docker versions on older OS versions where you’re managing when you roll out updates (e.g. an enterprise environment). The problem can be worked around by specifying an explicit version of docker-engine and docker-engine-selinux. But I believe that this is something an end user really shouldn’t need to be concerned with.

Steps to reproduce the issue:

  1. docker run --rm -it centos:7.2.1511
  2. sed -i -e "s/mirrorlist=/#mirrorlist=/" -e "s/#baseurl=/baseurl=/" -e "s/\$releasever/7.2.1511/" /etc/yum.repos.d/CentOS-Base.repo
  3. yum install -y yum-utils
  4. yum-config-manager --add-repo https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo
  5. yum makecache fast
  6. yum -y install docker-engine-1.12.6-1.el7.centos

The sed command modifies the baseurl for the yum repos so it’ll use the version specific repos rather than the generic CentOS 7 ones which have CentOS 7.3 in them. This mirrors an environment where you might be managing package upgrades and providing a snapshot of these repos and rolling out updated snapshots in a reliable way.

Describe the results you received:

Docker fails to install due to the failed dependency of docker-engine-selinux-1.13.0-1 even though I told yum to install docker-engine-1.12.6-1.

Error: Package: docker-engine-selinux-1.13.0-1.el7.centos.noarch (docker-main)
           Requires: selinux-policy-base >= 3.13.1-102
           Available: selinux-policy-minimum-3.13.1-60.el7.noarch (base)
               selinux-policy-base = 3.13.1-60.el7
           Available: selinux-policy-minimum-3.13.1-60.el7_2.3.noarch (updates)
               selinux-policy-base = 3.13.1-60.el7_2.3
           Available: selinux-policy-minimum-3.13.1-60.el7_2.7.noarch (updates)
               selinux-policy-base = 3.13.1-60.el7_2.7
           Available: selinux-policy-minimum-3.13.1-60.el7_2.9.noarch (updates)
               selinux-policy-base = 3.13.1-60.el7_2.9
           Available: selinux-policy-mls-3.13.1-60.el7.noarch (base)
               selinux-policy-base = 3.13.1-60.el7
           Available: selinux-policy-mls-3.13.1-60.el7_2.3.noarch (updates)
               selinux-policy-base = 3.13.1-60.el7_2.3
           Available: selinux-policy-mls-3.13.1-60.el7_2.7.noarch (updates)
               selinux-policy-base = 3.13.1-60.el7_2.7
           Available: selinux-policy-mls-3.13.1-60.el7_2.9.noarch (updates)
               selinux-policy-base = 3.13.1-60.el7_2.9
           Available: selinux-policy-targeted-3.13.1-60.el7.noarch (base)
               selinux-policy-base = 3.13.1-60.el7
           Available: selinux-policy-targeted-3.13.1-60.el7_2.3.noarch (updates)
               selinux-policy-base = 3.13.1-60.el7_2.3
           Available: selinux-policy-targeted-3.13.1-60.el7_2.7.noarch (updates)
               selinux-policy-base = 3.13.1-60.el7_2.7
           Available: selinux-policy-targeted-3.13.1-60.el7_2.9.noarch (updates)
               selinux-policy-base = 3.13.1-60.el7_2.9
Error: Package: docker-engine-selinux-1.13.0-1.el7.centos.noarch (docker-main)
           Requires: selinux-policy-targeted >= 3.13.1-102
           Available: selinux-policy-targeted-3.13.1-60.el7.noarch (base)
               selinux-policy-targeted = 3.13.1-60.el7
           Available: selinux-policy-targeted-3.13.1-60.el7_2.3.noarch (updates)
               selinux-policy-targeted = 3.13.1-60.el7_2.3
           Available: selinux-policy-targeted-3.13.1-60.el7_2.7.noarch (updates)
               selinux-policy-targeted = 3.13.1-60.el7_2.7
           Available: selinux-policy-targeted-3.13.1-60.el7_2.9.noarch (updates)
               selinux-policy-targeted = 3.13.1-60.el7_2.9
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Describe the results you expected:

Yum to install docker-engine and docker-engine-selinux 1.12.6 without error.

Additional information you deem important (e.g. issue happens only occasionally):

This means that the release of 1.13.0 has now broken fully functional deployment setups for previous versions in certain setups. Ideally docker-engine would require the exact version of docker-engine-selinux. That could certainly be fixed for going forward but that doesn’t really solve the existing problem.

This commit that upgraded the selinux policies to the 3.13.1-102 version could be reverted to resolve the problem, but I’m under the impression there’s a pretty good reason for changing that since people were having issues with selinux policies.

That doesn’t leave a very good fix path for anyone in this situation. I suppose the Docker project could go put out new revs of the old versions of Docker that are broken by this (e.g. 1.12.6-2) with the explicit requires on the exact version of docker-engine-selinux. But I’m not sure if that would break anyone that upgrades to the newest version of the package to their specified version of docker-engine which in turn downgrades their docker-engine-selinux.

But at a minimum I think it’s necessary to make the docker-engine requirement on docker-engine-selinux be = rather than >=, to allow changes like this to be made.

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 13
  • Comments: 18 (6 by maintainers)

Most upvoted comments

Workaround for local users is instead of running:

yum -y install docker-engine-1.12.6-1.el7.centos

Run:

yum -y install docker-engine-1.12.6-1.el7.centos docker-engine-selinux-1.12.6-1.el7.centos

This works because the docker-engine-selinux of the same version still meets the requirement, but yum prefers installing the newest version that will still meet the requirement, which means that if you let it select, it will select docker-engine-selinux-1.13.0, which fails.

The only good way forward to unbreak existing users and not require them to use a workaround would be to put out new releases of the older versions with the requirement between docker-engine and docker-engine-selinux set to be an exact version requirement rather than a >= requirement.

That could be done by merging the change from pull request #30380 onto the various release branches and then cutting new releases from there. I’d expect rather than bumping the version of docker you’d just bump the release of the RPMs. I.E. 1.12.6-1 would become 1.12.6-2.

That’s not a perfect solution to end users because if they were using 1.12.6-1 in their configurations they’d have to update them to 1.12.6-2. But it would be far better than forcing them to specify both docker-engine and docker-engine-selinux for any of these older versions.

At my place of employment we’ve updated our Puppet configuration to downgrade all the docker-engine-selinux packages to match the version-release of the docker-engine package we have installed on the systems. While for systems that we’re just installing Docker for we’ve made it install both with the same version. But this code is rather ugly compared to what we had before.

If we had fixed releases of the packages we could simply remove that code and go back to just installing a specified version of docker-engine.

The version of selinux-policy specified is unfortunately the minimum version required to install docker-engine-selinux for 1.13.0.

One way to get around this would be to remove the requirement of docker-engine-selinux from the docker-engine package, but then there’s no way for yum to handle these pseudo-dependencies… deb handles this sort of issue with recommends, but rpm does not have such a concept AFAIK.

We should update the required version of docker-engine-selinux to match the docker-engine package, though.
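
The workaround and the version-matching described in the comments above, as an added shell example that is not part of the original thread or the Docker project's code: it compares the installed version-release of the two packages and prints the yum command that realigns docker-engine-selinux with docker-engine. The function names are hypothetical, and GNU `sort -V` is assumed as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Added example (not from the issue thread): keep docker-engine-selinux on the
# same version-release as docker-engine, as the workaround above requires.

# installed_vr PKG -> prints VERSION-RELEASE, or nothing if PKG is not installed.
installed_vr() {
    if vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$1" 2>/dev/null); then
        printf '%s\n' "$vr"
    fi
}

# newest_of A B -> prints whichever sorts higher. GNU `sort -V` only
# approximates rpm's version comparison (assumption of this example).
newest_of() {
    printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1
}

# pin_command ENGINE_VR SELINUX_VR -> prints the yum command that brings
# docker-engine-selinux in line with docker-engine, or nothing if aligned.
pin_command() {
    engine_vr=$1
    selinux_vr=$2
    if [ -z "$engine_vr" ]; then
        echo "docker-engine is not installed; nothing to align" >&2
        return 1
    fi
    target="docker-engine-selinux-$engine_vr"
    if [ -z "$selinux_vr" ]; then
        echo "yum -y install $target"
    elif [ "$selinux_vr" = "$engine_vr" ]; then
        :   # already matched, nothing to print
    elif [ "$(newest_of "$engine_vr" "$selinux_vr")" = "$selinux_vr" ]; then
        # The selinux package is newer (the case in this issue). yum install
        # of an older version is a no-op, so an explicit downgrade is needed.
        echo "yum -y downgrade $target"
    else
        echo "yum -y install $target"
    fi
}

# Print (do not run) the remediation for the local host when called with "check".
if [ "${1:-}" = "check" ]; then
    pin_command "$(installed_vr docker-engine)" "$(installed_vr docker-engine-selinux)"
fi
```

The script only prints the command, so the output can be reviewed or fed to configuration management before anything is changed on the host.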