Bug 1510139 - Can't run systemd in non-privileged container
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: oci-systemd-hook
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
: 1517831 (view as bug list)
Depends On: 1553803
Reported: 2017-11-06 18:21 UTC by Dusty Mabe
Modified: 2018-05-11 21:13 UTC

Fixed In Version: oci-systemd-hook-0.1.16-1.git05bd9a0.fc27 oci-systemd-hook-0.1.16-1.git05bd9a0.fc28
Last Closed: 2018-05-11 20:27:28 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1517831 None CLOSED unable to run systemd in non-privileged container 2019-03-05 08:47:02 UTC

Internal Links: 1517831

Description Dusty Mabe 2017-11-06 18:21:32 UTC
Description of problem:

Basically trying to get a non-privileged system container in 27: 
https://developers.redhat.com/blog/2014/05/05/running-systemd-within-docker-container/

I boot a f27 cloud image (vagrant box here) and build a docker container from:

```
FROM registry.fedoraproject.org/fedora:26
ENV container docker
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
STOPSIGNAL SIGRTMIN+3
EXPOSE 80
CMD [ "/sbin/init" ]
```

and then try to run it just as in the article: 

```
sudo docker run -p 80:80 httpd
```

I never get any output on the terminal and Apache never gets started.

Version-Release number of selected component (if applicable):

docker-1.13.1-26.gitb5e3294.fc27.x86_64
oci-umount-2.0.0-2.gitf90b64c.fc27.x86_64
oci-register-machine-0-5.11.gitcd1e331.fc27.x86_64
oci-systemd-hook-0.1.13-1.gitafe4b4a.fc27.x86_64

the cloud image is: 
https://kojipkgs.fedoraproject.org/compose/27/Fedora-27-20171105.0/compose/CloudImages/x86_64/images/Fedora-Cloud-Base-Vagrant-27-1.6.x86_64.vagrant-libvirt.box

How reproducible:
Always

Steps to Reproduce:
1. dnf install -y docker
2. systemctl start docker
3. docker build
4. docker run 



Additional info:

Comment 1 Micah Abbott 2017-11-06 19:58:21 UTC
I was able to reproduce this on F26 as well.

```
$ cat Dockerfile
FROM registry.fedoraproject.org/fedora:26
ENV container docker
RUN dnf -y install httpd && \
    dnf clean all && \
    systemctl enable httpd
STOPSIGNAL SIGRTMIN+3
EXPOSE 80
CMD [ "/sbin/init" ]

$ sudo docker build -t httpd-systemd .

$ sudo docker run -ti --tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro httpd-systemd
```

Saw some SELinux denials/errors in the journal:

-- Logs begin at Mon 2017-09-11 14:22:23 EDT, end at Mon 2017-11-06 14:55:05 EST. --
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com sudo[30418]: miabbott : TTY=pts/4 ; PWD=/sysroot/tmp/tmp.M2Q7OYEwZH ; USER=root ; COMMAND=/bin/docker run -ti --tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80 miabbott/httpd-systemd
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[30418]: USER_CMD pid=30418 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/sysroot/tmp/tmp.M2Q7OYEwZH" cmd=646F636B65722072756E202D7469202D2D746D706673202F72756E202D2D746D706673202F746D70202D76202F7379732F66732F6367726F75703A2F7379732F66732F6367726F75703A726F202D70203830206D696162626F74742F68747470642D73797374656D64 terminal=pts/4 res=success'
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[30418]: CRED_REFR pid=30418 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com sudo[30418]: pam_systemd(sudo:session): Cannot create session: Already occupied by a session
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[30418]: USER_START pid=30418 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com sudo[30418]: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.573472170-05:00" level=info msg="{Action=_ping, Username=miabbott, LoginUID=1000, PID=30419}"
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='hostname=? user=miabbott auid=1000 exe=? vm-pid=? reason=api op=_ping vm=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.574889128-05:00" level=info msg="{Action=create, Username=miabbott, LoginUID=1000, PID=30419}"
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=create exe=? reason=api vm=? vm-pid=? user=miabbott auid=1000 hostname=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.620209594-05:00" level=info msg="{Action=attach, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419}"
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api exe=/sbin/init op=attach vm=miabbott/httpd-systemd vm-pid=0 user=miabbott auid=1000 hostname=efd6765418a9  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.621492267-05:00" level=info msg="{Action=start, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419, Config={Hostname=efd6765418a9, AttachStdin=true, AttachStdout=true, AttachStderr=true, ExposedPorts=map[80/tcp:{}], Tty=true, OpenStdin=true, StdinOnce=true, Env=[DISTTAG=f26container FGC=f26 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=docker], Cmd=[/sbin/init], ArgsEscaped=true, Image=miabbott/httpd-systemd, NetworkDisabled=false, Labels=map[version:26 license:MIT name:fedora vendor:Fedora Project], StopSignal=SIGRTMIN+3}, HostConfig={Binds=[/sys/fs/cgroup:/sys/fs/cgroup:ro], LogConfig={Type:journald Config:map[]}, NetworkMode=default, PortBindings=map[80/tcp:[{HostIP: HostPort:}]], RestartPolicy={Name:no MaximumRetryCount:0}, AutoRemove=false, DNS=[], DNSOptions=[], DNSSearch=[], Privileged=false, PublishAllPorts=false, ReadonlyRootfs=false, Tmpfs=map[/run: /tmp:], ShmSize=67108864, Runtime=oci, Resources={CPUShares:0 Memory:0 NanoCPUs:0 CgroupParent: BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[] CPUPeriod:0 CPUQuota:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 CpusetCpus: CpusetMems: Devices:[] DiskQuota:0 KernelMemory:0 MemoryReservation:0 MemorySwap:0 MemorySwappiness:0xc420b4e368 OomKillDisable:0xc420b4e372 PidsLimit:0 Ulimits:[] CPUCount:0 CPUPercent:0 IOMaximumIOps:0 IOMaximumBandwidth:0}}}"
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api auid=1000 hostname=efd6765418a9 op=start vm=miabbott/httpd-systemd vm-pid=0 user=miabbott exe=/sbin/init  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: docker0: port 3(vethc873255) entered blocking state
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: docker0: port 3(vethc873255) entered disabled state
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit: ANOM_PROMISCUOUS dev=vethc873255 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-udevd[30429]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: device vethc873255 entered promiscuous mode
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: IPv6: ADDRCONF(NETDEV_UP): vethc873255: link is not ready
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-udevd[30430]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-udevd[30429]: Could not generate persistent MAC address for vethd284ce9: No such file or directory
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-udevd[30430]: Could not generate persistent MAC address for vethc873255: No such file or directory
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info>  [1509997425.6279] manager: (vethd284ce9): new Veth device (/org/freedesktop/NetworkManager/Devices/32)
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info>  [1509997425.6294] manager: (vethc873255): new Veth device (/org/freedesktop/NetworkManager/Devices/33)
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com firewalld[1141]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 32769 -j DNAT --to-destination 172.17.0.4:80 ! -i docker0' failed:
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit: NETFILTER_CFG table=nat family=2 entries=70
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com firewalld[1141]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.4 --dport 80 -j ACCEPT' failed:
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit: NETFILTER_CFG table=filter family=2 entries=116
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com firewalld[1141]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.17.0.4 -d 172.17.0.4 --dport 80 -j MASQUERADE' failed:
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit: NETFILTER_CFG table=nat family=2 entries=71
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd[1]: Started libcontainer container efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: eth0: renamed from vethd284ce9
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: IPv6: ADDRCONF(NETDEV_CHANGE): vethc873255: link becomes ready
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: docker0: port 3(vethc873255) entered blocking state
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com kernel: docker0: port 3(vethc873255) entered forwarding state
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info>  [1509997425.7291] device (vethc873255): link connected
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-register-machine[30479]: 2017/11/06 14:43:45 Register machine: prestart efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867 30464 /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com systemd-machined[2107]: New machine efd6765418a94123e8cd32caa2763a2e.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: rootfs=/var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: gidMappings not found in config
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: GID: 0
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: uidMappings not found in config
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: UID: 0
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: /run already present as a mount point in container configuration, skipping
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 11:pids:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :pids:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 10:cpuset:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :cpuset:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 9:blkio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :blkio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 8:devices:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :devices:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 7:perf_event:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :perf_event:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 6:cpu,cpuacct:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 5:memory:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :memory:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: Found cgroup
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: PATH: /system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/memory/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: memory path: /sys/fs/cgroup/memory/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/memory.limit_in_bytes
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: LIMIT: 9223372036854771712
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: Limit in bytes: 9223372036854771712
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: /tmp already present as a mount point in container configuration, skipping
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: /sys/fs/cgroup already present as a mount point in container configuration, skipping
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 11:pids:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :pids:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 10:cpuset:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :cpuset:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 9:blkio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :blkio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 8:devices:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :devices:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 7:perf_event:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :perf_event:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 6:cpu,cpuacct:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 5:memory:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :memory:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 4:freezer:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :freezer:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 3:hugetlb:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :hugetlb:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 2:net_cls,net_prio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :net_cls,net_prio:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: 1:name=systemd:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: :name=systemd:/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: Found cgroup
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: PATH: /system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/.: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/..: Read-only file system
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/cgroup.clone_children: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/tasks: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/notify_on_release: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged//sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/cgroup.procs: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/.: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/..: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/cgroup.clone_children: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/tasks: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/notify_on_release: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-systemd-hook[30483]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c24,c647 on /sys/fs/cgroup/systemd/system.slice/docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope/cgroup.procs: Operation not supported
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: prestart /var/lib/docker/overlay2/24840f45193394c83c346ad01dd079e0322031bd85a286e998004861edec3da9/merged
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/overlay]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/devicemapper]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay2]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/devicemapper]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/containers/]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/lvm]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/devicemapper]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/overlay]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Failed to canonicalize path [/var/run/containers/storage]: No such file or directory. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/overlay2] from host to conatiner. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com oci-umount[30485]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/containers] from host to conatiner. Skipping.
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:45.787776744-05:00" level=info msg="{Action=resize, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419}"
Nov 06 14:43:45 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm-pid=30464 user=miabbott op=resize vm=miabbott/httpd-systemd auid=1000 exe=/sbin/init hostname=efd6765418a9 reason=api  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 14:43:46 dhcp-41-99.bos.redhat.com gnome-shell[2661]: Source ID 124500 was not found when attempting to remove it
Nov 06 14:43:47 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: Joining mDNS multicast group on interface vethc873255.IPv6 with address fe80::58eb:f8ff:fee7:1a28.
Nov 06 14:43:47 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: New relevant interface vethc873255.IPv6 for mDNS.
Nov 06 14:43:47 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: Registering new address record for fe80::58eb:f8ff:fee7:1a28 on vethc873255.*.
Nov 06 14:43:47 dhcp-41-99.bos.redhat.com dockerd-current[1406]: [12.2K blob data]
Nov 06 14:43:48 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:48.632415324-05:00" level=info msg="{Action=resize, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419}"
Nov 06 14:43:48 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api op=resize vm-pid=30464 user=miabbott exe=/sbin/init hostname=efd6765418a9 vm=miabbott/httpd-systemd auid=1000  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 14:43:48 dhcp-41-99.bos.redhat.com audit[30464]: AVC avc:  denied  { write } for  pid=30464 comm="systemd" name="docker-efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867.scope" dev="cgroup2" ino=295 scontext=system_u:system_r:container_t:s0:c24,c647 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
Nov 06 14:43:50 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T14:43:50.833640238-05:00" level=info msg="{Action=resize, ID=efd6765418a94123e8cd32caa2763a2eafbecda1a2843f5975cad2148dbaa867, Username=miabbott, LoginUID=1000, PID=30419}"
Nov 06 14:43:50 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='hostname=efd6765418a9 reason=api vm=miabbott/httpd-systemd auid=1000 exe=/sbin/init op=resize vm-pid=30464 user=miabbott  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 14:43:51 dhcp-41-99.bos.redhat.com dockerd-current[1406]: [12.4K blob data]
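
Added example (not part of the original report and not code from oci-systemd-hook): a Python triage script for a journal like the one in comment 1. It decodes the hex-encoded audit `cmd=` field, extracts the AVC denial, and matches it to the hook's failed relabel attempts on the same cgroup directory. The sample lines are constructed by abbreviating that log, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: lines abbreviated from the journal in comment 1
# (timestamp/host prefix dropped, container ID shortened, cwd replaced).
SCOPE = "/sys/fs/cgroup/systemd/system.slice/docker-efd6765418a9.scope"
HOOK = ("oci-systemd-hook[30483]: systemdhook <error>: Failed to set context "
        "system_u:object_r:container_file_t:s0:c24,c647 on ")
SAMPLE = [
    "audit[3914]: USER_CMD pid=3914 uid=1000 auid=1000 msg='cwd=\"/tmp\" "
    "cmd=646F636B65722072756E202D69742068747470642D73797374656D64 "
    "terminal=pts/3 res=success'",
    "oci-systemd-hook[30483]: systemdhook <debug>: Found cgroup",
    HOOK + SCOPE + "/.: Operation not supported",
    HOOK + SCOPE + "/..: Read-only file system",
    HOOK + SCOPE + "/tasks: Operation not supported",
    "audit[30464]: AVC avc:  denied  { write } for  pid=30464 comm=\"systemd\" "
    "name=\"docker-efd6765418a9.scope\" dev=\"cgroup2\" ino=295 "
    "scontext=system_u:system_r:container_t:s0:c24,c647 "
    "tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0",
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HOOK_RE = re.compile(r'Failed to set context (?P<ctx>\S+) on (?P<path>.+): (?P<err>[^:]+)$')
CMD_RE = re.compile(r'\bcmd=(\S+)')


def decode_audit_value(value):
    """audit writes a string field as hex when it contains spaces or
    special characters, and as a quoted literal otherwise."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def split_context(ctx):
    """Return (type, level) from a user:role:type:level SELinux context."""
    parts = ctx.split(':', 3)
    return parts[2], parts[3] if len(parts) > 3 else ''


def triage(lines):
    """Return (commands, denials); each denial carries the relabel
    failures the hook logged for the directory named in the AVC."""
    commands, denials, relabels = [], [], []
    for line in lines:
        m = CMD_RE.search(line)
        if m and 'USER_CMD' in line:
            commands.append(decode_audit_value(m.group(1)))
        m = AVC_RE.search(line)
        if m:
            f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
            s_type, s_level = split_context(f['scontext'])
            t_type, t_level = split_context(f['tcontext'])
            denials.append({
                'perms': m.group('perms').split(), 'comm': f.get('comm'),
                'name': f.get('name'), 'tclass': f.get('tclass'),
                'source_type': s_type, 'source_level': s_level,
                'target_type': t_type, 'target_level': t_level,
                'enforcing': f.get('permissive') == '0',
            })
        m = HOOK_RE.search(line)
        if m:
            relabels.append(m.groupdict())
    # Correlate: a relabel failure matters to a denial when the AVC's
    # object name is a component of the path the hook failed to label.
    for d in denials:
        hits = [r for r in relabels if d['name'] in r['path'].split('/')]
        d['relabel_failures'] = dict(Counter(r['err'] for r in hits))
        d['attempted_types'] = sorted({split_context(r['ctx'])[0] for r in hits})
    return commands, denials


if __name__ == "__main__":
    cmds, found = triage(SAMPLE)
    for c in cmds:
        print("command:", c)
    for d in found:
        print(f"{d['comm']} ({d['source_type']}:{d['source_level']}) denied "
              f"{d['perms']} on {d['tclass']} {d['name']} ({d['target_type']})")
        print("  hook tried to label it:", d['attempted_types'])
        print("  relabel failures:", d['relabel_failures'])
```

On the sample, the one denial is `container_t` writing to a `cgroup_t` directory, and the hook's attempts to label that same directory `container_file_t` with the container's MCS level all failed.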

Comment 2 Daniel Walsh 2017-11-06 20:00:39 UTC
What do you see if you just run 

docker run -ti  httpd-systemd

Comment 3 Micah Abbott 2017-11-06 20:06:22 UTC
(In reply to Daniel Walsh from comment #2)
> What do you see if you just run 
> 
> docker run -ti  httpd-systemd

Looks like the same to me:

-- Logs begin at Mon 2017-09-11 14:22:23 EDT, end at Mon 2017-11-06 15:05:38 EST. --
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com sudo[3914]: miabbott : TTY=pts/3 ; PWD=/var/home/miabbott/workspaces/miabbott/files/dockerfiles ; USER=root ; COMMAND=/bin/docker run -it httpd-systemd
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[3914]: USER_CMD pid=3914 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/home/miabbott/workspaces/miabbott/files/dockerfiles" cmd=646F636B65722072756E202D69742068747470642D73797374656D64 terminal=pts/3 res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[3914]: CRED_REFR pid=3914 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com sudo[3914]: pam_systemd(sudo:session): Cannot create session: Already occupied by a session
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[3914]: USER_START pid=3914 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com sudo[3914]: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:00.935143213-05:00" level=info msg="{Action=_ping, Username=miabbott, LoginUID=1000, PID=3915}"
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='hostname=? reason=api op=_ping vm=? vm-pid=? user=miabbott auid=1000 exe=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:00.936279574-05:00" level=info msg="{Action=create, Username=miabbott, LoginUID=1000, PID=3915}"
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=create exe=? hostname=? reason=api vm-pid=? user=miabbott auid=1000 vm=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:00.987340943-05:00" level=info msg="{Action=attach, ID=652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941, Username=miabbott, LoginUID=1000, PID=3915}"
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='auid=1000 hostname=652426008f97 vm-pid=0 user=miabbott vm=httpd-systemd exe=/sbin/init reason=api op=attach  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:00.988874867-05:00" level=info msg="{Action=start, ID=652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941, Username=miabbott, LoginUID=1000, PID=3915, Config={Hostname=652426008f97, AttachStdin=true, AttachStdout=true, AttachStderr=true, ExposedPorts=map[80/tcp:{}], Tty=true, OpenStdin=true, StdinOnce=true, Env=[DISTTAG=f26container FGC=f26 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=docker], Cmd=[/sbin/init], ArgsEscaped=true, Image=httpd-systemd, NetworkDisabled=false, Labels=map[version:26 license:MIT name:fedora vendor:Fedora Project], StopSignal=SIGRTMIN+3}, HostConfig={LogConfig={Type:journald Config:map[]}, NetworkMode=default, PortBindings=map[], RestartPolicy={Name:no MaximumRetryCount:0}, AutoRemove=false, DNS=[], DNSOptions=[], DNSSearch=[], Privileged=false, PublishAllPorts=false, ReadonlyRootfs=false, ShmSize=67108864, Runtime=oci, Resources={CPUShares:0 Memory:0 NanoCPUs:0 CgroupParent: BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[] CPUPeriod:0 CPUQuota:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 CpusetCpus: CpusetMems: Devices:[] DiskQuota:0 KernelMemory:0 MemoryReservation:0 MemorySwap:0 MemorySwappiness:0xc420f6a558 OomKillDisable:0xc420f6a572 PidsLimit:0 Ulimits:[] CPUCount:0 CPUPercent:0 IOMaximumIOps:0 IOMaximumBandwidth:0}}}"
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm-pid=0 user=miabbott auid=1000 op=start vm=httpd-systemd exe=/sbin/init hostname=652426008f97 reason=api  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com systemd-udevd[3925]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com systemd-udevd[3924]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com systemd-udevd[3925]: Could not generate persistent MAC address for veth4de4939: No such file or directory
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com systemd-udevd[3924]: Could not generate persistent MAC address for veth2c07857: No such file or directory
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info>  [1509998520.9974] manager: (veth2c07857): new Veth device (/org/freedesktop/NetworkManager/Devices/34)
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info>  [1509998520.9987] manager: (veth4de4939): new Veth device (/org/freedesktop/NetworkManager/Devices/35)
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: docker0: port 4(veth4de4939) entered blocking state
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: docker0: port 4(veth4de4939) entered disabled state
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: device veth4de4939 entered promiscuous mode
Nov 06 15:02:00 dhcp-41-99.bos.redhat.com audit: ANOM_PROMISCUOUS dev=veth4de4939 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: IPv6: ADDRCONF(NETDEV_UP): veth4de4939: link is not ready
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com systemd[1]: Started libcontainer container 652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: eth0: renamed from veth2c07857
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth4de4939: link becomes ready
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: docker0: port 4(veth4de4939) entered blocking state
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com kernel: docker0: port 4(veth4de4939) entered forwarding state
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com NetworkManager[1209]: <info>  [1509998521.0901] device (veth4de4939): link connected
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-register-machine[3983]: 2017/11/06 15:02:01 Register machine: prestart 652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941 3946 /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com systemd-machined[2107]: New machine 652426008f97893eb849d6766d1b7c0f.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: rootfs=/var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: gidMappings not found in config
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: GID: 0
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: uidMappings not found in config
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: UID: 0
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 11:pids:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :pids:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 10:cpuset:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :cpuset:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 9:blkio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :blkio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 8:devices:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :devices:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 7:perf_event:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :perf_event:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 6:cpu,cpuacct:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 5:memory:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :memory:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: Found cgroup
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: PATH: /system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/memory/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: memory path: /sys/fs/cgroup/memory/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/memory.limit_in_bytes
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: LIMIT: 9223372036854771712
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: Limit in bytes: 9223372036854771712
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: /sys/fs/cgroup already present as a mount point in container configuration, skipping
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 11:pids:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :pids:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 10:cpuset:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :cpuset:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 9:blkio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :blkio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 8:devices:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :devices:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 7:perf_event:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :perf_event:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 6:cpu,cpuacct:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 5:memory:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :memory:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 4:freezer:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :freezer:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 3:hugetlb:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :hugetlb:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 2:net_cls,net_prio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :net_cls,net_prio:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: 1:name=systemd:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: :name=systemd:/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: Found cgroup
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: PATH: /system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/.: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/..: Read-only file system
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/cgroup.clone_children: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/tasks: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/notify_on_release: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged//sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/cgroup.procs: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/.: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/..: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/cgroup.clone_children: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/tasks: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/notify_on_release: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-systemd-hook[3989]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c703,c717 on /sys/fs/cgroup/systemd/system.slice/docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope/cgroup.procs: Operation not supported
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: prestart /var/lib/docker/overlay2/d1508041c79923abe654dfb50642147c3cfb3df5af24ef5b3a8f53a91b6d2c60/merged
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/overlay]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/devicemapper]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay2]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/devicemapper]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/containers/]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/lvm]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/devicemapper]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/overlay]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Failed to canonicalize path [/var/run/containers/storage]: No such file or directory. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/overlay2] from host to conatiner. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com oci-umount[3991]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/containers] from host to conatiner. Skipping.
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com dockerd-current[1406]: time="2017-11-06T15:02:01.156180986-05:00" level=info msg="{Action=resize, ID=652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941, Username=miabbott, LoginUID=1000, PID=3915}"
Nov 06 15:02:01 dhcp-41-99.bos.redhat.com audit[1406]: VIRT_CONTROL pid=1406 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm=httpd-systemd exe=/sbin/init hostname=652426008f97 reason=api op=resize auid=1000 vm-pid=3946 user=miabbott  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 06 15:02:02 dhcp-41-99.bos.redhat.com gnome-shell[2661]: Source ID 134440 was not found when attempting to remove it
Nov 06 15:02:02 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: Joining mDNS multicast group on interface veth4de4939.IPv6 with address fe80::ece1:10ff:fe13:c2f2.
Nov 06 15:02:02 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: New relevant interface veth4de4939.IPv6 for mDNS.
Nov 06 15:02:02 dhcp-41-99.bos.redhat.com avahi-daemon[1146]: Registering new address record for fe80::ece1:10ff:fe13:c2f2 on veth4de4939.*.
Nov 06 15:02:02 dhcp-41-99.bos.redhat.com dockerd-current[1406]: [12.4K blob data]
Nov 06 15:02:03 dhcp-41-99.bos.redhat.com audit[3946]: AVC avc:  denied  { write } for  pid=3946 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c703,c717 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Nov 06 15:02:03 dhcp-41-99.bos.redhat.com audit[3946]: AVC avc:  denied  { write } for  pid=3946 comm="systemd" name="docker-652426008f97893eb849d6766d1b7c0f552ee8cc2aaaa01f2647f1f97a9a6941.scope" dev="cgroup" ino=1019 scontext=system_u:system_r:container_t:s0:c703,c717 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0

Comment 4 Daniel Walsh 2017-11-16 18:42:12 UTC
Micah, does enabling the container_manage_cgroup boolean fix anything?

```
setsebool -P container_manage_cgroup 1
```
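
Added example (not part of the original comments and not code from docker, oci-systemd-hook or the SELinux policy): a Python parser that pulls SELinux AVC denials out of journal text like the logs in this bug and groups them by source type, target type, class and permission, so the `container_t` to `cgroup_t` denials from comment 3 can be told apart from other denials. The sample lines are abbreviated from this bug's logs (hostnames and unit names shortened); all function names are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: abbreviated from the journal lines quoted in this bug
# (hostnames and unit names shortened for readability).
SAMPLE_JOURNAL = """\
Nov 06 15:02:03 host audit[3946]: AVC avc:  denied  { write } for  pid=3946 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c703,c717 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Nov 06 15:02:03 host audit[3946]: AVC avc:  denied  { write } for  pid=3946 comm="systemd" name="docker-6524.scope" dev="cgroup" ino=1019 scontext=system_u:system_r:container_t:s0:c703,c717 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
Nov 16 19:23:06 host audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" name="docker-b0c5.scope" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0
Nov 16 19:23:06 host systemd[1]: Started libcontainer container b0c5.
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(context):
    """Split user:role:type:level into (type, level); level keeps MCS categories."""
    parts = context.split(":")
    if len(parts) < 3:
        return context, ""
    return parts[2], ":".join(parts[3:])


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
    source_type, source_level = split_context(fields.get("scontext", ""))
    target_type, target_level = split_context(fields.get("tcontext", ""))
    return {
        "perms": match.group("perms").split(),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "tclass": fields.get("tclass", ""),
        "source_type": source_type,
        "source_level": source_level,
        "target_type": target_type,
        "target_level": target_level,
        # permissive=0 means the access was actually blocked, not just logged.
        "enforced": fields.get("permissive", "0") == "0",
    }


def parse_journal(text):
    """Parse every AVC denial found in a block of journal output."""
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for denial in parse_journal(text):
        for perm in denial["perms"]:
            key = (denial["source_type"], denial["target_type"], denial["tclass"], perm)
            counts[key] += 1
    return counts


def container_cgroup_denials(text):
    """Denials where a container_t process was refused access to cgroup_t
    objects: the pattern in comment 3 that led to the container_manage_cgroup
    question in comment 4."""
    return [
        d for d in parse_journal(text)
        if d["source_type"] == "container_t" and d["target_type"] == "cgroup_t"
    ]


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_JOURNAL).items()):
        print(count, *key)
    for denial in container_cgroup_denials(SAMPLE_JOURNAL):
        print("container -> cgroup:", denial["tclass"], denial["name"], denial["perms"])
```

On a live host the same text can be fed in from `journalctl` output; denials whose source type is not `container_t` (such as the `init_t` ones) are reported in the summary but not in the cgroup list.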

Comment 5 Micah Abbott 2017-11-16 19:29:59 UTC
(In reply to Daniel Walsh from comment #4)
> Micah does enabling container_manage_cgroup boolean fix anything?
> 
> setsebool -P container_manage_cgroup 1

I tried this on an F27 Cloud host using an F27 base image and the Dockerfile from before:

```
# cat Dockerfile 
FROM registry.fedoraproject.org/fedora:27
ENV container docker
RUN dnf -y install httpd && \
    dnf clean all && \
    systemctl enable httpd
STOPSIGNAL SIGRTMIN+3
EXPOSE 80
CMD [ "/sbin/init" ]
```

The container can be run, but there is no output from systemd on the console showing the container coming up.  However, in the journal you can see the various services starting.  And eventually you can 'curl <container IP>:80' successfully.


-- Logs begin at Thu 2017-11-16 18:51:58 UTC, end at Thu 2017-11-16 19:23:53 UTC. --
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.288755155Z" level=info msg="{Action=_ping, Username=cloud-user, LoginUID=1000, PID=4485}"
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='auid=1000 exe=? reason=api vm-pid=? user=cloud-user hostname=? op=_ping vm=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.290886636Z" level=info msg="{Action=create, Username=cloud-user, LoginUID=1000, PID=4485}"
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api vm=? op=create vm-pid=? user=cloud-user auid=1000 exe=? hostname=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.309414458Z" level=info msg="{Action=attach, ID=b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f, Username=cloud-user, LoginUID=1000, PID=4485}"
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api vm=httpd-systemd vm-pid=0 user=cloud-user auid=1000 op=attach exe=/sbin/init hostname=b0c564e5c21c  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.311602861Z" level=info msg="{Action=start, ID=b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f, Username=cloud-user, LoginUID=1000, PID=4485, Config={Hostname=b0c564e5c21c, AttachStdin=true, AttachStdout=true, AttachStderr=true, ExposedPorts=map[80/tcp:{}], Tty=true, OpenStdin=true, StdinOnce=true, Env=[DISTTAG=f27container FGC=f27 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=docker], Cmd=[/sbin/init], ArgsEscaped=true, Image=httpd-systemd, NetworkDisabled=false, Labels=map[license:MIT name:fedora vendor:Fedora Project version:27], StopSignal=SIGRTMIN+3}, HostConfig={Binds=[/sys/fs/cgroup:/sys/fs/cgroup:ro], LogConfig={Type:journald Config:map[]}, NetworkMode=default, PortBindings=map[], RestartPolicy={Name:no MaximumRetryCount:0}, AutoRemove=false, DNS=[], DNSOptions=[], DNSSearch=[], Privileged=false, PublishAllPorts=false, ReadonlyRootfs=false, Tmpfs=map[/run: /tmp:], ShmSize=67108864, Runtime=oci, Resources={CPUShares:0 Memory:0 NanoCPUs:0 CgroupParent: BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[] CPUPeriod:0 CPUQuota:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 CpusetCpus: CpusetMems: Devices:[] DiskQuota:0 KernelMemory:0 MemoryReservation:0 MemorySwap:0 MemorySwappiness:0xc420814040 OomKillDisable:0xc42081404a PidsLimit:0 Ulimits:[] CPUCount:0 CPUPercent:0 IOMaximumIOps:0 IOMaximumBandwidth:0}}}"
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=start vm-pid=0 exe=/sbin/init reason=api vm=httpd-systemd user=cloud-user auid=1000 hostname=b0c564e5c21c  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: docker0: port 1(vethdd3808f) entered blocking state
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: docker0: port 1(vethdd3808f) entered disabled state
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit: ANOM_PROMISCUOUS dev=vethdd3808f prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: device vethdd3808f entered promiscuous mode
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: IPv6: ADDRCONF(NETDEV_UP): vethdd3808f: link is not ready
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.338377237Z" level=warning msg="SUSE:secrets :: dangling symlink: /usr/share/rhel/secrets/etc-pki-entitlement"
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.338630425Z" level=warning msg="SUSE:secrets :: dangling symlink: /usr/share/rhel/secrets/rhel7.repo"
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" name="docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to create compat systemd cgroup /system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope: Permission denied
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to attach 4511 to compat systemd cgroup /system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope: No such file or directory
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Started libcontainer container b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" name="var-lib-docker-containers-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f-shm.mount" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" name="var-lib-docker-overlay2-36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48-merged.mount" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" name="var-lib-docker-containers-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f-secrets.mount" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to create compat systemd cgroup /system.slice/var-lib-docker-containers-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f-shm.mount: Permission denied
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to create compat systemd cgroup /system.slice/var-lib-docker-overlay2-36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48-merged.mount: Permission denied
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd[1]: Failed to create compat systemd cgroup /system.slice/var-lib-docker-containers-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f-secrets.mount: Permission denied
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: eth0: renamed from veth8078cbd
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: IPv6: ADDRCONF(NETDEV_CHANGE): vethdd3808f: link becomes ready
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: docker0: port 1(vethdd3808f) entered blocking state
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain kernel: docker0: port 1(vethdd3808f) entered forwarding state
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-register-machine[4520]: 2017/11/16 19:23:06 Register machine: prestart b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f 4511 /var/lib/docker/overlay2/36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48/merged
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain systemd-machined[2933]: New machine b0c564e5c21ca9638b0231d47729165d.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: rootfs=/var/lib/docker/overlay2/36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48/merged
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: gidMappings not found in config
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: GID: 0
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: uidMappings not found in config
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: UID: 0
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: /run already present as a mount point in container configuration, skipping
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 11:net_cls,net_prio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :net_cls,net_prio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 10:perf_event:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :perf_event:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 9:hugetlb:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :hugetlb:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 8:cpuset:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :cpuset:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 7:pids:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :pids:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 6:memory:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :memory:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: Found cgroup
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: PATH: /system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/memory/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: memory path: /sys/fs/cgroup/memory/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope/memory.limit_in_bytes
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: LIMIT: 9223372036854771712
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: Limit in bytes: 9223372036854771712
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: /tmp already present as a mount point in container configuration, skipping
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: /sys/fs/cgroup already present as a mount point in container configuration, skipping
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 11:net_cls,net_prio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :net_cls,net_prio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 10:perf_event:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :perf_event:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 9:hugetlb:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :hugetlb:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 8:cpuset:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :cpuset:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 7:pids:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :pids:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 6:memory:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :memory:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 5:freezer:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :freezer:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 4:blkio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :blkio:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 3:devices:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :devices:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 2:cpu,cpuacct:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :cpu,cpuacct:/system.slice/docker-b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f.scope
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: 1:name=systemd:/system.slice/docker-containerd.service
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: :name=systemd:/system.slice/docker-containerd.service
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: Found cgroup
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: PATH: /system.slice/docker-containerd.service
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-containerd.service
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-systemd-hook[4523]: systemdhook <error>: Failed to set context system_u:object_r:container_file_t:s0:c713,c983 on /var/lib/docker/overlay2/36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48/merged//sys/fs/cgroup/systemd/system.slice/docker-containerd.service/..: Read-only file system
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: prestart /var/lib/docker/overlay2/36e0ced5c033d09edfbc496829408c2fce880696c3c34e4954af9d56c6309f48/merged
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/overlay]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker/devicemapper]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay2]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/overlay]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/devicemapper]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/docker-latest/containers/]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/lvm]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/devicemapper]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/lib/containers/storage/overlay]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Failed to canonicalize path [/var/run/containers/storage]: No such file or directory. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/overlay2] from host to conatiner. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain oci-umount[4524]: umounthook <info>: Could not find mapping for mount [/var/lib/docker/containers] from host to conatiner. Skipping.
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain audit[2121]: VIRT_CONTROL pid=2121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='vm=httpd-systemd user=cloud-user exe=/sbin/init hostname=b0c564e5c21c reason=api op=resize vm-pid=4511 auid=1000  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:06 micah-f27cloud-vm1116a.localdomain dockerd-current[2121]: time="2017-11-16T19:23:06.454861576Z" level=info msg="{Action=resize, ID=b0c564e5c21ca9638b0231d47729165da8ecc14eec35835bbb2bef0e178d111f, Username=cloud-user, LoginUID=1000, PID=4485}"
Nov 16 19:23:27 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:28 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-sysusers comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:29 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=ldconfig comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:30 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-journal-catalog-update comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:33 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-update-done comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:34 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-journal-flush comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:36 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-tmpfiles-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:36 micah-f27cloud-vm1116a.localdomain audit[4546]: SYSTEM_BOOT pid=4546 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:38 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-update-utmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:48 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=dbus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:49 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:50 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-user-sessions comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:52 micah-f27cloud-vm1116a.localdomain audit[4767]: SYSTEM_RUNLEVEL pid=4767 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='old-level=N new-level=3 comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:53 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_START pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 16 19:23:53 micah-f27cloud-vm1116a.localdomain audit[4511]: SERVICE_STOP pid=4511 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_t:s0:c713,c983 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Comment 6 Daniel Walsh 2017-11-18 11:28:57 UTC
Could you update your version of docker?

docker-1.13.1-41.git0861eff.fc27

Comment 7 Fedora Update System 2017-11-19 05:06:58 UTC
docker-1.13.1-42.git4402c09.fc27 skopeo-0.1.25-2.git7fd6f66.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3da8ad596a

Comment 8 Micah Abbott 2017-11-20 15:47:10 UTC
I updated to docker-1.13.1-42.git4402c09.fc27.x86_64 and tried running the httpd systemd container again, but hit the same AVC denials from comment #1:

Nov 20 15:39:14 micah-f27cloud-vm1120a.localdomain audit[2392]: AVC avc:  denied  { write } for  pid=2392 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c15,c48 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Nov 20 15:39:14 micah-f27cloud-vm1120a.localdomain audit[2392]: AVC avc:  denied  { write } for  pid=2392 comm="systemd" name="cgroup.procs" dev="cgroup" ino=377 scontext=system_u:system_r:container_t:s0:c15,c48 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0


If I enable the 'container_manage_cgroup' SEboolean, the container starts successfully.

The following SELinux packages were installed:

container-selinux-2.29-1.fc27.noarch
selinux-policy-3.13.1-283.16.fc27.noarch

Comment 9 Daniel Walsh 2017-11-20 15:51:45 UTC
We need an update of SELinux policy, I believe, to get this to work without turning on the boolean.

Comment 10 Fedora Update System 2017-11-25 02:35:30 UTC
docker-1.13.1-42.git4402c09.fc27, skopeo-0.1.25-2.git7fd6f66.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Darren Gansberg 2017-11-27 00:25:29 UTC
(In reply to Fedora Update System from comment #10)
> docker-1.13.1-42.git4402c09.fc27, skopeo-0.1.25-2.git7fd6f66.fc27 has been
> pushed to the Fedora 27 stable repository. If problems still persist, please
> make note of it in this bug report.

I was adding a comment regarding testing I was undertaking on a vm running on VirtualBox with F26 when the quoted update was sent.

On F26 I had updated to docker-1.13.1-44.git584d391.fc26.x86_64.rpm. 

I was still required to execute:

$ sudo setsebool container_manage_cgroup 1

in order to successfully start the container. However, once I set the bool the container appeared to start successfully. I identified this by monitoring the journal live because there was still no tty/console output. I expected output of the init process.

I confirmed that the container was running apache by opening Firefox and accessing the test web page successfully. 

Since the issue still existed with docker-1.13.1-44.git584d391.fc26.x86_64.rpm on F26, and I was not testing the update that I've quoted here (i.e. "docker-1.13.1-42.git4402c09.fc27, skopeo-0.1.25-2.git7fd6f66.fc27"), I decided I would download F27 and test the update specifically identified.

After freshly installing F27 in a virtualbox vm and updating the system I encountered the following problems/issues:

1. When running $ sudo dnf install docker-1.13.1-42.git4402c09.fc27 I received an error regarding a dependency problem. 

"Result:
Error:
    Problem: conflicting requests
        -nothing provides atomic-registries >= 1.19.1-6 needed by docker-2:1.13.1-42.git4402c09.fc27.x86_64"

In order to continue with testing I downloaded and installed the following:
- atomic-1.20.1-3.fc27.x86_64.rpm
- atomic-registries-1.20.1-3.fc27.x86_64.rpm

from Koji: https://koji.fedoraproject.org/koji/buildinfo?buildID=1003143

by doing: 
```
$ koji download-build --arch=x86_64 --arch=noarch 1003143
$ sudo dnf -y install atomic-1.20.1-3.fc27.x86_64.rpm
$ sudo dnf -y install atomic-registries-1.20.1-3.fc27.x86_64.rpm
```

Once I did this I could install docker-1.13.1-42.git4402c09.fc27. 

2. I built an image using the following in a Dockerfile:

```
 FROM fedora:26
 ENV container docker
 RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
 STOPSIGNAL SIGRTMIN+3
 EXPOSE 80
 CMD [ "/sbin/init" ]
```

After I ran the resulting image I still couldn't successfully start the container without running 
$ setsebool -P container_manage_cgroup 1. 

Is this to be expected? 

What are the ramifications of setting this bool? My apologies I'm relatively new to Linux/Unix, and the Fedora distribution.

Note that I still had no tty/console output using fedora:26 as the base image. I managed to identify that the container appeared to start successfully by monitoring the journal live in another terminal window (ie $ journalctl -f).

Also note that if you change out the base image to fedora:24 (ie. changing FROM fedora:26 to fedora:24 in the Dockerfile) then there is tty/console output and after running $ setsebool -P container_manage_cgroup 1, everything appears to work just fine. Does this suggest that the issue regarding no tty/console output lies in the underlying base image?

I have logs from both before I ran $ setsebool -P container_manage_cgroup 1 and after in case they are helpful. I have included them because I hit the 65536 character limit if I do.

Comment 12 Micah Abbott 2017-11-27 14:48:35 UTC
(In reply to Darren Gansberg from comment #11)

> After I ran the resulting image I still couldn't successfully start the
> container without running 
> $ setsebool -P container_manage_cgroup 1. 
> 
> Is this to be expected? 
> 
> What are the ramifications of setting this bool? My apologies I'm relatively
> new to Linux/Unix, and the Fedora distribution.

Based on comment #9 from Dan, to get this working as expected, we need a separate fix to selinux-policy.

I've filed the following BZ for that change:

https://bugzilla.redhat.com/show_bug.cgi?id=1517831

Comment 13 Micah Abbott 2017-11-27 20:45:53 UTC
*** Bug 1517831 has been marked as a duplicate of this bug. ***

Comment 14 Micah Abbott 2017-11-27 20:47:49 UTC
I'm closing the other BZ I opened (1517831) as a duplicate and re-categorizing this as a 'selinux-policy' issue based on comment #9.

Comment 15 Dusty Mabe 2017-12-11 19:28:06 UTC
lvrabec, what version is this fixed in?

Comment 16 Lukas Vrabec 2017-12-12 09:51:03 UTC
I'll create a build with this fix today.

Comment 17 Fedora Update System 2017-12-13 08:24:46 UTC
selinux-policy-3.13.1-283.18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502

Comment 18 Micah Abbott 2017-12-13 16:47:01 UTC
I'm still unable to run the systemd container with the build of 'selinux-policy' in comment #17.

I still have to use 'setsebool -P container_manage_cgroup 1' in order to make the container successfully start/run.

Without that boolean enabled, I observe the following AVC denials:


# journalctl -b | grep 'avc:  denied'                                     
Dec 13 16:33:34 micah-f27cloud-vm1213a.localdomain audit[1165]: AVC avc:  denied  { write } for  pid=1165 comm="systemd" name="docker-4d7db7aeebe02c2e307c6fd117c0716a4ba815bc5cfbd443e2e152c63a111454.scope" dev="cgroup2" ino=1149 scontext=system_u:system_r:container_t:s0:c176,c382 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
Dec 13 16:39:33 micah-f27cloud-vm1213a.localdomain audit[1322]: AVC avc:  denied  { write } for  pid=1322 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c315,c979 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Dec 13 16:39:33 micah-f27cloud-vm1213a.localdomain audit[1322]: AVC avc:  denied  { write } for  pid=1322 comm="systemd" name="cgroup.procs" dev="cgroup" ino=629 scontext=system_u:system_r:container_t:s0:c315,c979 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0


The testing of the build was done on Fedora 27 Cloud, updated to latest in 'updates-testing'

# rpm -q docker selinux-policy
docker-1.13.1-44.git584d391.fc27.x86_64
selinux-policy-3.13.1-283.18.fc27.noarch
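
The denials quoted in this bug come from two different source domains: host systemd (`init_t`) acting on `container_file_t`, and the container's systemd (`container_t`) writing to `cgroup_t`. As an added example (not part of any comment, nor code from docker, oci-systemd-hook or selinux-policy), this Python script parses AVC lines and separates the two groups. The category names and function names are hypothetical, and tying the `container_t` to `cgroup_t` group to `container_manage_cgroup` rests only on the comments' observation that the container starts once that boolean is enabled.

```python
import re
from collections import Counter

# Constructed sample, abridged from the journal lines quoted in this bug
# (hostname shortened to "host", container ID replaced by a placeholder).
SAMPLE_LOG = '''\
Nov 16 19:23:06 host audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" name="docker-CONTAINERID.scope" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c493,c776 tclass=dir permissive=0
Nov 16 19:23:06 host systemd[1]: Failed to create compat systemd cgroup /system.slice/docker-CONTAINERID.scope: Permission denied
Dec 13 16:33:34 host audit[1165]: AVC avc:  denied  { write } for  pid=1165 comm="systemd" name="docker-CONTAINERID.scope" dev="cgroup2" ino=1149 scontext=system_u:system_r:container_t:s0:c176,c382 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
Dec 13 16:39:33 host audit[1322]: AVC avc:  denied  { write } for  pid=1322 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c315,c979 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Dec 13 16:39:33 host audit[1322]: AVC avc:  denied  { write } for  pid=1322 comm="systemd" name="cgroup.procs" dev="cgroup" ino=629 scontext=system_u:system_r:container_t:s0:c315,c979 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; the MLS/MCS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return None
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "level": parts[3] if len(parts) == 4 else "",
    }


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    source = split_context(fields.get("scontext", ""))
    target = split_context(fields.get("tcontext", ""))
    if source is None or target is None or "tclass" not in fields:
        return None  # truncated or malformed record
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
        "source": source,
        "target": target,
    }


def classify(denial):
    """Group a denial by who was blocked and on what (hypothetical labels)."""
    src, tgt = denial["source"]["type"], denial["target"]["type"]
    if src == "container_t" and tgt == "cgroup_t" and denial["tclass"] in ("dir", "file"):
        # Assumption from the thread: these stop once container_manage_cgroup is on.
        return "container-manages-cgroup"
    if src == "init_t" and tgt == "container_file_t":
        # Host PID 1, not the container: the boolean discussed here is not the cause.
        return "host-systemd-on-container-label"
    return "other"


def summarize(log_text):
    """Count denials per category across a block of journal text."""
    counts = Counter()
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial is not None:
            counts[classify(denial)] += 1
    return counts


def names_for(log_text, category):
    """Sorted object names that were denied within one category."""
    found = set()
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial is not None and classify(denial) == category:
            found.add(denial["name"])
    return sorted(found)


if __name__ == "__main__":
    for category, count in summarize(SAMPLE_LOG).items():
        print(f"{count:2d}  {category}: {', '.join(names_for(SAMPLE_LOG, category))}")
```

Feeding it the output of `journalctl -b` instead of `SAMPLE_LOG` shows at a glance whether the remaining denials are the in-container cgroup writes or something on the host side.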

Comment 19 Daniel Walsh 2017-12-13 19:04:19 UTC
rpm -q oci-systemd-hook
Any message in dmesg about no support for labeling?

Comment 20 Micah Abbott 2017-12-13 19:57:14 UTC
(In reply to Daniel Walsh from comment #19)
> rpm -q oci-systemd-hook
> Any message in dmesg about no support for labeling?

Doesn't look like it.


# rpm -q oci-systemd-hook
oci-systemd-hook-0.1.13-1.gitafe4b4a.fc27.x86_64

# dmesg | grep label
[    0.125741] NetLabel:  unlabeled traffic allowed by default
[    1.568726] SELinux:  policy capability cgroup_seclabel=1
[    1.605100] systemd[1]: Relabelled /dev and /run in 17.999ms.
[  911.098205] SELinux:  policy capability cgroup_seclabel=1
[  940.347369] SELinux:  policy capability cgroup_seclabel=1
[ 1012.432674] SELinux:  policy capability cgroup_seclabel=1

# journalctl -b | grep label
Dec 13 16:23:49 localhost kernel: NetLabel:  unlabeled traffic allowed by default
Dec 13 16:23:50 micah-f27cloud-vm1213a.localdomain kernel: SELinux:  policy capability cgroup_seclabel=1
Dec 13 16:23:50 micah-f27cloud-vm1213a.localdomain systemd[1]: Relabelled /dev and /run in 17.999ms.
Dec 13 16:23:54 micah-f27cloud-vm1213a.localdomain dbus-daemon[428]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.8' (uid=0 pid=617 comm="hostnamectl --transient " label="system_u:system_r:dhcpc_t:s0")
Dec 13 16:31:07 micah-f27cloud-vm1213a.localdomain dbus-daemon[428]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service' requested by ':1.21' (uid=0 pid=1048 comm="/usr/libexec/oci/hooks.d/oci-register-machine pres" label="system_u:system_r:container_runtime_t:s0")
Dec 13 16:38:59 micah-f27cloud-vm1213a.localdomain kernel: SELinux:  policy capability cgroup_seclabel=1
Dec 13 16:39:29 micah-f27cloud-vm1213a.localdomain kernel: SELinux:  policy capability cgroup_seclabel=1
Dec 13 16:40:41 micah-f27cloud-vm1213a.localdomain kernel: SELinux:  policy capability cgroup_seclabel=1
[root@micah-f27cloud-vm1213a ~]#

Comment 21 Fedora Update System 2017-12-14 11:11:10 UTC
selinux-policy-3.13.1-283.18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502

Comment 22 Fedora Update System 2017-12-20 11:22:33 UTC
selinux-policy-3.13.1-283.19.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502

Comment 23 Jan Pazdziora 2017-12-20 13:59:26 UTC
The Fixed In Version docker-1.13.1-42.git4402c09.fc27 seems wrong for component selinux-policy.

Comment 24 Jan Pazdziora 2017-12-20 14:03:54 UTC
selinux-policy-3.13.1-283.19.fc27.noarch does not fix this issue either.

Comment 25 Jan Pazdziora 2017-12-20 14:05:08 UTC
Which commit in which repo is supposed to carry the fix?

Comment 26 Dusty Mabe 2017-12-20 14:05:51 UTC
(In reply to Jan Pazdziora from comment #23)
> The Fixed In Version docker-1.13.1-42.git4402c09.fc27 seems wrong for
> component selinux-policy.

Did that version of docker deliver a new container-selinux package with the fix in it?

Comment 27 Fedora Update System 2017-12-21 20:20:16 UTC
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502

Comment 28 Jan Pazdziora 2018-01-02 13:26:08 UTC
The issue is still present with

docker-1.13.1-44.git584d391.fc27.x86_64
selinux-policy-3.13.1-283.19.fc27.noarch
oci-systemd-hook-0.1.15-1.git2d0b8a3.fc27.x86_64

The exact reproducer for bug 1520033 with container_manage_cgroup not set still fails.

Comment 30 Jan Pazdziora 2018-01-02 13:28:11 UTC
Can you please clear the Fixed In Version field?

Comment 31 Fedora Update System 2018-01-02 16:46:54 UTC
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 32 Jan Pazdziora 2018-01-02 16:56:46 UTC
Not fixed, reopening.

Comment 33 Steve Milner 2018-01-15 18:57:36 UTC
Lukas,

What's the current status of this issue?

Comment 34 Darren Gansberg 2018-01-29 10:06:32 UTC
(In reply to Steve Milner from comment #33)
> Lukas,
> 
> What's the current status of this issue?

Not fixed / unresolved.

Comment 35 Tom Sweeney 2018-02-14 20:00:12 UTC
I've just tried reproducing this on Fedora 27 that was installed today and updated.  I did:

# dnf install docker

# rpm -qa | grep selinux
selinux-policy-3.13.1-283.24.fc27.noarch
# rpm -qa | grep docker
docker-1.13.1-44.git584d391.fc27.x86_64
# rpm -qa | grep hook
oci-systemd-hook-0.1.15-1.git2d0b8a3.fc27.x86_64

# cat Dockerfile
 FROM registry.fedoraproject.org/fedora:26
 ENV container docker
 RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
 STOPSIGNAL SIGRTMIN+3
 EXPOSE 80
 CMD [ "/sbin/init" ]

# systemctl start docker
# docker build .
Sending build context to Docker daemon 10.24 kB
Step 1/6 : FROM registry.fedoraproject.org/fedora:26
Trying to pull repository registry.fedoraproject.org/fedora ... 
sha256:f5da7776116ff89d4563cd668b5c87d84f5023300c1a235c537e2bd11d37bd39: Pulling from registry.fedoraproject.org/fedora
f731d4d7fe41: Pull complete 
Digest: sha256:f5da7776116ff89d4563cd668b5c87d84f5023300c1a235c537e2bd11d37bd39
{Removed a lot of package install verbiage}
Step 6/6 : CMD /sbin/init
 ---> Running in aed4e094ac22
 ---> c64e10594dbc
Removing intermediate container aed4e094ac22
Successfully built c64e10594dbc

```
# docker run -p 80:80 httpd
Unable to find image 'httpd:latest' locally
Trying to pull repository docker.io/library/httpd ...
sha256:643ca2ed9f6caf1f392184aee05a8f2cd478bdacbd350ea6b4dbc8f5b8e400a8: Pulling from docker.io/library/httpd
f49cf87b52c1: Pull complete
02ca099fb6cd: Pull complete
de7acb18da57: Pull complete
770c8edb393d: Pull complete
0e252730aeae: Pull complete
6288e83d58fa: Pull complete
a91ad03b2178: Pull complete
Digest: sha256:643ca2ed9f6caf1f392184aee05a8f2cd478bdacbd350ea6b4dbc8f5b8e400a8
Status: Downloaded newer image for docker.io/httpd:latest
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Wed Feb 14 19:39:46.454372 2018] [mpm_event:notice] [pid 1:tid 139902487709568] AH00489: Apache/2.4.29 (Unix) configured -- resuming normal operations
[Wed Feb 14 19:39:46.455233 2018] [core:notice] [pid 1:tid 139902487709568] AH00094: Command line: 'httpd -D FOREGROUND'
```


Which seems to be OK.  On a second terminal, I did:

```
# curl http://192.168.122.128:80
<html><body><h1>It works!</h1></body></html>
```

And as that was invoked, this line was printed out on the first terminal:

```
192.168.122.128 - - [14/Feb/2018:19:45:33 +0000] "GET / HTTP/1.1" 200 45
```


Checking journalctl, I'm seeing no hits:

```
# journalctl -b | grep 'avc:  denied'
#
```

What you see above is all I did on the freshly installed machine.  If I missed a step in configuration or installation, please let me know and I'll retry.  Otherwise it seems to be working for me.

Comment 36 Dusty Mabe 2018-02-14 20:19:04 UTC
(In reply to Tom Sweeney from comment #35)


 
> # cat Dockerfile
>  FROM registry.fedoraproject.org/fedora:26
>  ENV container docker
>  RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
>  STOPSIGNAL SIGRTMIN+3
>  EXPOSE 80
>  CMD [ "/sbin/init" ]
> 
> # systemctl start docker
> # docker build .
> Sending build context to Docker daemon 10.24 kB
> Step 1/6 : FROM registry.fedoraproject.org/fedora:26
> Trying to pull repository registry.fedoraproject.org/fedora ... 
> sha256:f5da7776116ff89d4563cd668b5c87d84f5023300c1a235c537e2bd11d37bd39:
> Pulling from registry.fedoraproject.org/fedora
> f731d4d7fe41: Pull complete 
> Digest:
> sha256:f5da7776116ff89d4563cd668b5c87d84f5023300c1a235c537e2bd11d37bd39
> {Removed a lot of package install verbiage}
> Step 6/6 : CMD /sbin/init
>  ---> Running in aed4e094ac22
>  ---> c64e10594dbc
> Removing intermediate container aed4e094ac22
> Successfully built c64e10594dbc


So you build a container with no tag? and then right below here you try to run 
'httpd' which pulls from docker hub and runs (I'm pretty sure no systemd in
that container). Is this really testing systemd in a container?


> 
> # docker run -p 80:80 httpd
> Unable to find image 'httpd:latest' locally
> Trying to pull repository docker.io/library/httpd ... 
> sha256:643ca2ed9f6caf1f392184aee05a8f2cd478bdacbd350ea6b4dbc8f5b8e400a8:
> Pulling from docker.io/library/httpd
> f49cf87b52c1: Pull complete 
> 02ca099fb6cd: Pull complete 
> de7acb18da57: Pull complete 
> 770c8edb393d: Pull complete 
> 0e252730aeae: Pull complete 
> 6288e83d58fa: Pull complete 
> a91ad03b2178: Pull complete

Comment 37 Tom Sweeney 2018-02-15 19:41:55 UTC
Dusty/Micah,

Thanks for the off-line info via IRC this morning.  I've retested using 

```
docker build -t syscontain .
docker run syscontain
```

I'm now seeing a hang. 

Without the 'setsebool -P container_manage_cgroup 1' in play, I'm seeing AVCs:

```
Feb 15 14:29:16 localhost.localdomain oci-systemd-hook[5928]: systemdhook <debug>: 2c5847668005: Found cgroup
Feb 15 14:29:16 localhost.localdomain oci-systemd-hook[5928]: systemdhook <debug>: 2c5847668005: PATH: /system.slice/docker-2c5847668005af5165ab2dd0e0654c340e8c972f018c175a5b362112bea1af6e.scope
Feb 15 14:29:16 localhost.localdomain oci-systemd-hook[5928]: systemdhook <debug>: 2c5847668005: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-2c5847668005af5165ab2dd0e0654c340e8c972f018c175a5b362112bea1af6e.scope
Feb 15 14:29:16 localhost.localdomain oci-systemd-hook[5928]: systemdhook <error>: 2c5847668005: Failed to set context system_u:object_r:container_file_t:s0:c587,c933 on /var/lib/docker/overlay2/58b0e47747376616120785928a54612bcbc44797f8212e5e5d56fd32ae9cd6c5/merged//sys/fs/cgroup/systemd/system.slice/docker-2c5847668005af5165ab2dd0e0654c340e8c972f018c175a5b362112bea1af6e.scope/..: Read-only file system
Feb 15 14:29:16 localhost.localdomain oci-umount[5929]: umounthook <debug>: prestart container_id:2c5847668005 rootfs:/var/lib/docker/overlay2/58b0e47747376616120785928a54612bcbc44797f8212e5e5d56fd32ae9cd6c5/merged

Feb 15 14:29:16 localhost.localdomain audit[5915]: AVC avc:  denied  { write } for  pid=5915 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c587,c933 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Feb 15 14:29:16 localhost.localdomain audit[5915]: AVC avc:  denied  { write } for  pid=5915 comm="systemd" name="cgroup.procs" dev="cgroup" ino=1989 scontext=system_u:system_r:container_t:s0:c587,c933 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
```


With the 'setsebool -P container_manage_cgroup 1' I'm only seeing some progress in the httpd server starting and it never appears to be responsive.  This is slightly different than Micah I think.  I did note a similar error in systemdhook for both.

```
Feb 15 14:33:32 localhost.localdomain oci-systemd-hook[6025]: systemdhook <debug>: 64917b89c788: Found cgroup
Feb 15 14:33:32 localhost.localdomain oci-systemd-hook[6025]: systemdhook <debug>: 64917b89c788: PATH: /system.slice/docker-64917b89c7883646fbfc06a3202f8e2d33422bf810c34a44c1fdd2d9c7bb3133.scope
Feb 15 14:33:32 localhost.localdomain oci-systemd-hook[6025]: systemdhook <debug>: 64917b89c788: SUBSYSTEM_PATH: /sys/fs/cgroup/systemd/system.slice/docker-64917b89c7883646fbfc06a3202f8e2d33422bf810c34a44c1fdd2d9c7bb3133.scope
Feb 15 14:33:32 localhost.localdomain oci-systemd-hook[6025]: systemdhook <error>: 64917b89c788: Failed to set context system_u:object_r:container_file_t:s0:c125,c750 on /var/lib/docker/overlay2/bb1f6866c4199203a79252042a06224e6e15f3c5f07390a099b5231d6b2f11e0/merged//sys/fs/cgroup/systemd/system.slice/docker-64917b89c7883646fbfc06a3202f8e2d33422bf810c34a44c1fdd2d9c7bb3133.scope/..: Read-only file system
Feb 15 14:33:32 localhost.localdomain oci-umount[6026]: umounthook <debug>: prestart container_id:64917b89c788 rootfs:/var/lib/docker/overlay2/bb1f6866c4199203a79252042a06224e6e15f3c5f07390a099b5231d6b2f11e0/merged
```

 
More digging, thanks again for the earlier info
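
The two denials quoted in comment 37, parsed into fields and grouped, as an added example that is not part of the original thread or of any project's code. The sample text is constructed from the lines above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the two AVC records from comment 37 plus one unrelated
# journal line, to show that non-AVC lines are ignored.
SAMPLE_JOURNAL = """\
Feb 15 14:29:16 localhost.localdomain audit[5915]: AVC avc:  denied  { write } for  pid=5915 comm="systemd" name="release_agent" dev="cgroup" ino=7 scontext=system_u:system_r:container_t:s0:c587,c933 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Feb 15 14:29:16 localhost.localdomain audit[5915]: AVC avc:  denied  { write } for  pid=5915 comm="systemd" name="cgroup.procs" dev="cgroup" ino=1989 scontext=system_u:system_r:container_t:s0:c587,c933 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
Feb 15 14:29:16 localhost.localdomain oci-umount[5929]: umounthook <debug>: prestart container_id:2c5847668005
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third field.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) > 2 else ""
    return rec


def summarize(journal_text):
    """Count denials by (source type, target type, class, perms, file name)."""
    counts = Counter()
    for line in journal_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["scontext_type"], rec["tcontext_type"],
                   rec.get("tclass", ""), " ".join(rec["perms"]), rec.get("name", ""))
            counts[key] += 1
    return counts


def is_container_cgroup_write(rec):
    """True for the pattern in this bug: container_t denied write on cgroup_t."""
    return (rec["scontext_type"] == "container_t"
            and rec["tcontext_type"] == "cgroup_t"
            and "write" in rec["perms"])
```

Feeding it the output of `journalctl -b` gives one row per distinct denial, which makes it easier to tell whether a policy or hook change removed a denial or only replaced it with a different one.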

Comment 38 Dusty Mabe 2018-02-16 21:29:49 UTC
(In reply to Tom Sweeney from comment #37)
>
> More digging, thanks again for the earlier info

no problem.. did you make any progress today?

Comment 39 Tom Sweeney 2018-02-16 21:50:21 UTC
Nope, unfortunately no smoking gun yet.

Comment 40 Lukas Vrabec 2018-02-19 14:39:25 UTC
Moving to oci-systemd-hook. After discussion with Dan Walsh, oci-systemd-hook should set the correct label on cgroups.

Comment 41 Tom Sweeney 2018-02-21 20:21:54 UTC
Just a quick note, Dan spotted that it looks like oci-systemd-hook was setting the labels correctly on one directory tree, but not a few others that were needed.  I'm working up a fix now, hope to have it out tomorrow.

Comment 42 Daniel Walsh 2018-02-21 20:58:05 UTC
Correct.
Running a test with podman we see all of the scopes that systemd might want to write to.  We were only labeling the systemd one, all of these directories need to be labeled correctly.

```
cat /proc/self/cgroup
11:hugetlb:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
10:freezer:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
9:blkio:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
8:cpu,cpuacct:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
7:net_cls,net_prio:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
6:pids:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
5:cpuset:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
4:memory:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
3:devices:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
2:perf_event:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
1:name=systemd:/libpod_parent/libpod-conmon-092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4/092b4e56c3d520a71972f034c115c3fce784807d4d7442c15f7dccbc16cf67f4
```
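
One way to list the per-controller scope directories named in comment 42 and read the SELinux label on each, as an added example that is not from the original thread and is not oci-systemd-hook's code. The function names, the shortened sample and the `/sys/fs/cgroup/<controllers>` mount layout are assumptions.

```python
import os
import posixpath

# Constructed sample in /proc/self/cgroup (cgroup v1) format, shortened from the
# output above; "CID" stands in for the 64-character container ID.
SAMPLE_PROC_CGROUP = """\
11:hugetlb:/libpod_parent/libpod-conmon-CID/CID
8:cpu,cpuacct:/libpod_parent/libpod-conmon-CID/CID
1:name=systemd:/libpod_parent/libpod-conmon-CID/CID
0::/skipped-unified-entry
"""


def parse_proc_cgroup(text):
    """Yield (controllers, path) for each cgroup v1 entry."""
    for line in text.splitlines():
        # Format is hierarchy-ID:controller-list:path; split at most twice
        # because the path itself may contain ':'.
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[1] == "":
            continue  # blank/malformed line, or a cgroup v2 (unified) entry
        yield fields[1], fields[2]


def scope_dirs(text, cgroup_root="/sys/fs/cgroup"):
    """Map each controller list to this process's cgroup directory.

    Assumption: the usual systemd v1 layout, one mount per controller list
    under cgroup_root, with the named hierarchy "name=systemd" at "systemd".
    """
    dirs = {}
    for controllers, path in parse_proc_cgroup(text):
        mount = controllers[5:] if controllers.startswith("name=") else controllers
        dirs[controllers] = posixpath.join(cgroup_root, mount, path.lstrip("/"))
    return dirs


def selinux_label(path):
    """Return the SELinux context stored on path, or None if unreadable."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:
        return None


def label_report(text):
    """Return {directory: label} for every scope systemd may write to."""
    return {d: selinux_label(d) for d in scope_dirs(text).values()}
```

Passing the real contents of `/proc/<pid>/cgroup` for the container's init process to `label_report` on the host shows which scope directories carry the container's label and which still carry the default cgroup label.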

Comment 43 Dusty Mabe 2018-02-26 20:39:05 UTC
any updates?

Comment 44 Tom Sweeney 2018-02-26 22:53:16 UTC
Unfortunately still digging.  We've made progress, the logs were showing a number of AVCs and a read-only error.  Dan spotted a probable cause and I put a patch together to address it.  It took care of the read-only error and the AVCs, but now we've run into other AVCs that we're trying to figure out.

The httpd server is responsive now, but no output is being put out on the terminal where the container is running.

Comment 45 Dusty Mabe 2018-03-05 19:41:19 UTC
Thanks Tom.. Anything new since then?

Comment 46 Tom Sweeney 2018-03-05 19:51:47 UTC
Besides headbanging on the keyboard, not much more to report.  I spent the past couple of days toggling a number of files via oci-systemd-mount to try and kill the AVCs that are going on.  At the moment the httpd server is up and responsive, but no output is being shown on the terminal that it's being run from.  I've got four or five AVCs that I keep chasing, but it's a bit like the kid at the dike in Amsterdam.  I seem to cure one and another one or two pops.

I talked with Dan briefly this morning; he thinks the latest container-selinux kit might fix the issues I'm trying to run down.  I just finished installing that on my test VM and I've run into yet another issue and can't right that at the moment.  Going to try on a fresh VM with the latest container-selinux kit and see if that gives us different results.

Comment 47 Tom Sweeney 2018-03-09 16:46:52 UTC
Quick update.  Dan and I found that there's a kernel issue.  The patch that we've put together for oci-systemd-hook sets the directories permissions appropriately, but the kernel is not letting the perms propagate down the tree as they should.
Dan's putting together a separate BZ and we'll link it here once it's put together.

Comment 48 Dusty Mabe 2018-03-23 17:43:53 UTC
(In reply to Tom Sweeney from comment #47)
> Quick update.  Dan and I found that there's a kernel issue.  The patch that
> we've put together for oci-systemd-hook sets the directories permissions
> appropriately, but the kernel is not letting the perms propagate down the
> tree as they should.
> Dan's putting together a separate BZ and we'll link it here once it's put
> together.

Was the separate BZ ever opened?

Comment 50 Fedora Update System 2018-05-01 13:12:59 UTC
oci-systemd-hook-0.1.16-1.git05bd9a0.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-70716263e7

Comment 51 Fedora Update System 2018-05-01 13:13:23 UTC
oci-systemd-hook-0.1.16-1.git05bd9a0.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f239057b7b

Comment 52 Fedora Update System 2018-05-02 10:11:57 UTC
oci-systemd-hook-0.1.16-1.git05bd9a0.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f239057b7b

Comment 53 Fedora Update System 2018-05-02 13:13:19 UTC
oci-systemd-hook-0.1.16-1.git05bd9a0.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-70716263e7

Comment 54 Fedora Update System 2018-05-11 20:27:28 UTC
oci-systemd-hook-0.1.16-1.git05bd9a0.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 55 Fedora Update System 2018-05-11 21:13:00 UTC
oci-systemd-hook-0.1.16-1.git05bd9a0.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

