haxorof/ansible-role-docker-ce

19.03 fails on Fedora 28 - write /proc/self/attr/keycreate: permission denied

haxorof opened this issue · 4 comments

When running the test_config test suite (https://github.com/haxorof/ansible-role-docker-ce/blob/8255cc23d4b1950bb710d592b56bd2547fb29da3/tests/test_config.yml) on fedora/28-cloud-base, the hello-world container fails to run.

Failing task below:

TASK [Run hello-world] *********************************************************
Wednesday 24 July 2019  19:25:09 +0000 (0:00:00.150)       0:01:39.825 ******** 
fatal: [test-host]: FAILED! => {"changed": false, "cmd": "docker run --rm hello-world", "delta": "0:00:03.669900", "end": "2019-07-24 19:25:13.834498", "msg": "non-zero return code", "rc": 126, "start": "2019-07-24 19:25:10.164598", "stderr": "Unable to find image 'hello-world:latest' locally\nlatest: Pulling from library/hello-world\n1b930d010525: Pulling fs layer\n1b930d010525: Verifying Checksum\n1b930d010525: Download complete\n1b930d010525: Pull complete\nDigest: sha256:6540fc08ee6e6b7b63468dc3317e3303aae178cb8a45ed3123180328bcc1d20f\nStatus: Downloaded newer image for hello-world:latest\ndocker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused \"process_linux.go:430: container init caused \\\"write /proc/self/attr/keycreate: permission denied\\\"\": unknown.\ntime=\"2019-07-24T19:25:13Z\" level=error msg=\"error waiting for container: context canceled\"", "stderr_lines": ["Unable to find image 'hello-world:latest' locally", "latest: Pulling from library/hello-world", "1b930d010525: Pulling fs layer", "1b930d010525: Verifying Checksum", "1b930d010525: Download complete", "1b930d010525: Pull complete", "Digest: sha256:6540fc08ee6e6b7b63468dc3317e3303aae178cb8a45ed3123180328bcc1d20f", "Status: Downloaded newer image for hello-world:latest", "docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused \"process_linux.go:430: container init caused \\\"write /proc/self/attr/keycreate: permission denied\\\"\": unknown.", "time=\"2019-07-24T19:25:13Z\" level=error msg=\"error waiting for container: context canceled\""], "stdout": "", "stdout_lines": []}

More investigation into what is causing the problem is needed, but an issue that might be worth looking into for ideas is moby/moby#39109.

After enabling SELinux in Docker and restarting the daemon, everything starts to work:

{
  "selinux-enabled": true
}

SELinux is enabled, which can be seen here:

[root@localhost ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

During the automated tests done by this role, the SELinux mode can be changed temporarily for the tests to pass:

[root@localhost ~]# setenforce 0

Output of sestatus after change:

[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
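As an added check (not code from the role or from anyone in this thread), the POSIX shell script below classifies a host's state from captured sestatus output and daemon.json text: still failing as in the issue, "fixed" only by setenforce 0, or keeping SELinux enforcing with "selinux-enabled": true set. The function names and the sample captures are constructed for this example.

```shell
#!/bin/sh
# Added example: classify how a host stands relative to the
# "write /proc/self/attr/keycreate: permission denied" failure.
# Input is sestatus output and daemon.json text, so it also runs offline
# on captures taken from a test VM.

# Print the "Current mode:" value from sestatus output passed as $1.
selinux_mode() {
  printf '%s\n' "$1" | sed -n 's/^Current mode:[[:space:]]*//p' | head -n 1
}

# Exit 0 when the daemon.json text passed as $1 sets "selinux-enabled": true.
docker_selinux_enabled() {
  printf '%s\n' "$1" | grep -Eq '"selinux-enabled"[[:space:]]*:[[:space:]]*true'
}

# Classify the combination. Prints one word:
#   ok        enforcing + selinux-enabled: the daemon labels containers, policy stays on
#   weakened  permissive/disabled: setenforce 0 hides the denial instead of fixing it
#   broken    enforcing without selinux-enabled: the state reported in the issue
#   unknown   the mode could not be parsed
audit() {
  mode=$(selinux_mode "$1")
  if docker_selinux_enabled "$2"; then enabled=1; else enabled=0; fi
  case "$mode/$enabled" in
    enforcing/1)             echo ok ;;
    enforcing/0)             echo broken ;;
    permissive/*|disabled/*) echo weakened ;;
    *)                       echo unknown ;;
  esac
}

# Constructed samples mirroring the thread (only the lines the check needs).
SESTATUS_ENFORCING='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing'
SESTATUS_PERMISSIVE='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'
DAEMON_FIXED='{
  "selinux-enabled": true
}'
DAEMON_DEFAULT='{}'

# Live use on a host would be: audit "$(sestatus)" "$(cat /etc/docker/daemon.json)"
echo "enforcing, default daemon.json : $(audit "$SESTATUS_ENFORCING" "$DAEMON_DEFAULT")"
echo "permissive, default daemon.json: $(audit "$SESTATUS_PERMISSIVE" "$DAEMON_DEFAULT")"
echo "enforcing, selinux-enabled     : $(audit "$SESTATUS_ENFORCING" "$DAEMON_FIXED")"
```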


Hi, with this Docker parameter I can fix "write /proc/self/attr/keycreate: permission denied".

But I get a new error:

[root@localhost Euler_compile_env]# docker run -it --rm --entrypoint "/bin/bash" 8975d655b0bf
standard_init_linux.go:211: exec user process caused "permission denied"

@StormRat Fedora 28 has been End-of-Life since 2019-05-28, and because of that I no longer test on that version. I do not know the reason for the permission denied in your case, but Docker works as expected on Fedora 30 and 31.