Bug 1358340 - docker volumes permission denied
Summary: docker volumes permission denied
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 24
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-20 14:36 UTC by geebme
Modified: 2016-07-29 13:40 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-26 20:40:48 UTC


Description geebme 2016-07-20 14:36:57 UTC
Description of problem:
With the latest update (which included kernel-4.6.4, libselinux*-2.5-9, and docker*-2:1.10.3-24.git29066b4), docker volumes can no longer be accessed in the container due to "permission denied" issues unless "--privileged" is passed when starting the container.

Version-Release number of selected component (if applicable):
docker-selinux-1.10.3-24.git29066b4.fc24.x86_64
docker-1.10.3-24.git29066b4.fc24.x86_64


How reproducible:
Always

Steps to Reproduce:
1. mkdir /var/tmp/docker-volume-test
2. docker run -i -t --rm --volume=/var/tmp/docker-volume-test:/test busybox
3. ls /test # note: this is executed in the docker container

Actual results:
ls: can't open '/test': Permission denied

Expected results:
I get what I expect if I instead run "privileged", but I shouldn't need to do so:
$ docker run --privileged -i -t --rm --volume=/var/tmp/docker-volume-test:/test busybox
/ # ls /test
/ #


Additional info:
I'm unsure if it's the docker update, the kernel update, or the libselinux update that broke this.  I've tried downgrading docker, libselinux, and running with the previous kernel, but I still get the same error.  It's possible the issue preceded the update (and I just coincidentally noticed it), but I'd be surprised if I (and others) didn't notice it if it indeed occurred earlier.  It's also possible this in journalctl's logs may be related:

Jul 20 09:24:02 fedora-machine systemd[1]: Started docker container 405aeca70e61ad3ec1883678355d5e1e34016c69455f563c9a08a594e16ae809.
Jul 20 09:24:02 fedora-machine kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
Jul 20 09:24:03 fedora-machine oci-register-machine[4934]: 2016/07/20 09:24:02 Register machine: prestart 405aeca70e61ad3ec1883678355d5e1e34016c69455f563c9a08a594e16ae809 4909 /var/lib/docker/devicemapper/mnt/696c4c305d5b5ad5ff66b2d1f0d6629dcd347f2b8296f29f75e8d4480b237fff/rootfs

Comment 1 geebme 2016-07-26 14:24:00 UTC
Note that this completely breaks docker-compose when installed as a container (see "Install as a container" under "Alternative install options" in https://docs.docker.com/compose/install/) because passing "--privileged" is not an option here.  The result you'll get trying to run docker-compose in this manner is:

ERROR: 
        Can't find a suitable configuration file in this directory or any
        parent. Are you in the right directory?

        Supported filenames: docker-compose.yml, docker-compose.yaml

Comment 2 Daniel Walsh 2016-07-26 20:40:48 UTC
Try

docker run --privileged -i -t --rm --volume=/var/tmp/docker-volume-test:/test:Z busybox

http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/

It has always been this way.
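
An added audit script, not part of this bug thread and not Docker's or Fedora's own tooling, that applies the point of this comment: it flags a host-path bind mount on a docker run command line that carries no :z/:Z SELinux relabel option (the "Permission denied" case from the report) and flags --privileged, which only "works" because it drops the container's SELinux separation. Command-line parsing is simplified for the example.

```shell
# Added example (not from this bug report): audit a "docker run" command line for
# the two SELinux volume patterns discussed here: a host-path bind mount with no
# :z/:Z relabel option (the container gets "Permission denied"), and the
# --privileged workaround, which runs the container with no SELinux separation.
# Command-line parsing is simplified for the example.

# Does a volume spec (host:container[:opts]) carry a relabel option, z (shared
# label) or Z (private label), e.g. "/src:/test:ro,Z"?
volume_has_selinux_label() {
    spec=$1
    case $spec in
        /*) ;;          # host-path bind mount: must be labelled
        *)  return 0 ;; # named or anonymous volume: docker labels it itself
    esac
    opts=${spec#*:}                    # drop the host path
    case $opts in
        *:*) opts=${opts#*:} ;;        # drop the container path, keep options
        *)   return 1 ;;               # host:container with no options
    esac
    case ",$opts," in
        *,z,*|*,Z,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Corrected spec: append a private (Z) label when none is present.
relabel_volume_spec() {
    if volume_has_selinux_label "$1"; then printf '%s\n' "$1"; return 0; fi
    case ${1#*:} in
        *:*) printf '%s,Z\n' "$1" ;;   # extend the existing option list
        *)   printf '%s:Z\n' "$1" ;;
    esac
}

# Walk the words of a docker run command line; return 1 if anything is found.
audit_docker_run() {
    rc=0
    while [ $# -gt 0 ]; do
        case $1 in
            --privileged)
                echo "finding: --privileged removes SELinux confinement; label the volume instead"
                rc=1 ;;
            --volume=*|--volume|-v)
                case $1 in --volume=*) spec=${1#*=} ;; *) shift; spec=${1:-} ;; esac
                volume_has_selinux_label "$spec" ||
                    { echo "finding: '$spec' lacks :z/:Z; use $(relabel_volume_spec "$spec")"; rc=1; } ;;
        esac
        [ $# -gt 0 ] && shift
    done
    return $rc
}
```

Running it over the reporter's command from step 2 prints a finding that recommends `/var/tmp/docker-volume-test:/test:Z`; a compose file's volume list can be fed through `relabel_volume_spec` the same way.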

Comment 3 geebme 2016-07-27 17:36:24 UTC
It's possible I didn't notice this "regression" when I switched back to Fedora images as part of upgrading to F24 (https://yum.dockerproject.org/repo/main/fedora/$releasever/ is missing for f24, and won't be officially available until the 1.12.0 release, so I reverted to Fedora images), but I suspect not.

In any case, I tried the Docker project's "testing" images (https://yum.dockerproject.org/repo/testing/fedora/$releasever/) and have confirmed that docker-engine-1.12.0-0.5.rc5.fc24.x86_64 and docker-engine-selinux-1.12.0-0.5.rc5.fc24.noarch work as I expect.  I'm able to mount volumes (and use docker-compose) without having to pass "--privileged".

It seems possible, at least, to mount volumes without having to run privileged.

Comment 4 geebme 2016-07-29 13:40:11 UTC
Docker just released 1.12.0 and put it up on yum.dockerproject.org for Fedora 24.  This RPM does not require the use of --privileged to mount volumes.  I'll use it, instead.  Thanks!
