19.03 fails on Fedora 28 - write /proc/self/attr/keycreate: permission denied #107

Closed
haxorof opened this issue Jul 24, 2019 · 4 comments
Owner

haxorof commented Jul 24, 2019

When running the t_config test suite (https://github.com/haxorof/ansible-role-docker-ce/blob/8255cc23d4b1950bb710d592b56bd2547fb29da3/tests/test_config.yml) on fedora/28-cloud-base, the hello-world container fails to run.

Failing task below:

TASK [Run hello-world] *********************************************************
Wednesday 24 July 2019  19:25:09 +0000 (0:00:00.150)       0:01:39.825 ******** 
fatal: [test-host]: FAILED! => {"changed": false, "cmd": "docker run --rm hello-world", "delta": "0:00:03.669900", "end": "2019-07-24 19:25:13.834498", "msg": "non-zero return code", "rc": 126, "start": "2019-07-24 19:25:10.164598", "stderr": "Unable to find image 'hello-world:latest' locally\nlatest: Pulling from library/hello-world\n1b930d010525: Pulling fs layer\n1b930d010525: Verifying Checksum\n1b930d010525: Download complete\n1b930d010525: Pull complete\nDigest: sha256:6540fc08ee6e6b7b63468dc3317e3303aae178cb8a45ed3123180328bcc1d20f\nStatus: Downloaded newer image for hello-world:latest\ndocker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused \"process_linux.go:430: container init caused \\\"write /proc/self/attr/keycreate: permission denied\\\"\": unknown.\ntime=\"2019-07-24T19:25:13Z\" level=error msg=\"error waiting for container: context canceled\"", "stderr_lines": ["Unable to find image 'hello-world:latest' locally", "latest: Pulling from library/hello-world", "1b930d010525: Pulling fs layer", "1b930d010525: Verifying Checksum", "1b930d010525: Download complete", "1b930d010525: Pull complete", "Digest: sha256:6540fc08ee6e6b7b63468dc3317e3303aae178cb8a45ed3123180328bcc1d20f", "Status: Downloaded newer image for hello-world:latest", "docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused \"process_linux.go:430: container init caused \\\"write /proc/self/attr/keycreate: permission denied\\\"\": unknown.", "time=\"2019-07-24T19:25:13Z\" level=error msg=\"error waiting for container: context canceled\""], "stdout": "", "stdout_lines": []}

More investigation into what is causing the problem is needed, but an issue that might be worth looking into for ideas is: moby/moby#39109

@haxorof haxorof added the fix label Jul 24, 2019
Owner Author

haxorof commented Jul 26, 2019

After enabling SELinux in Docker and restarting the daemon, everything starts to work:

{
  "selinux-enabled": true
}

Owner Author

haxorof commented Jul 26, 2019

SELinux is enabled, which can be seen here:

[root@localhost ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

During the automated tests done by this role, the SELinux mode can be changed temporarily for the tests to pass:

[root@localhost ~]# setenforce 0

Output of sestatus after change:

[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

haxorof added a commit that referenced this issue Jul 26, 2019
@haxorof haxorof closed this as completed Jul 26, 2019
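
An added example (not part of the issue thread or the role's code): a pre-flight check that reads `sestatus` output and the contents of Docker's `daemon.json` and flags the two states seen in this thread, an enforcing host without `"selinux-enabled": true` and a running mode that differs from the configured one after `setenforce 0`. The function names and finding labels are hypothetical, and the first sample run assumes the failing host's `daemon.json` did not set `selinux-enabled`.

```python
import json

# Trimmed from the sestatus output quoted in this issue.
SESTATUS_ENFORCING = """\
SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing
"""
SESTATUS_AFTER_SETENFORCE_0 = SESTATUS_ENFORCING.replace(
    "Current mode:                   enforcing",
    "Current mode:                   permissive")


def parse_sestatus(text):
    """Map each 'Label: value' line of sestatus output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_host(sestatus_text, daemon_json_text):
    """Return findings for one host; an empty list means nothing to flag."""
    se = parse_sestatus(sestatus_text)
    # A missing or empty daemon.json is treated as "option not set".
    daemon = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    docker_selinux = daemon.get("selinux-enabled") is True
    enabled = se.get("SELinux status") == "enabled"
    current = se.get("Current mode", "unknown")
    configured = se.get("Mode from config file", "unknown")
    findings = []
    if enabled and current == "enforcing" and not docker_selinux:
        findings.append('docker-selinux-off: host is enforcing but daemon.json '
                        'does not set "selinux-enabled": true')
    if enabled and current != configured:
        findings.append(f"mode-drift: running mode is {current}, "
                        f"config file says {configured}")
    return findings


if __name__ == "__main__":
    for name, se, dj in [
        ("as reported (assumed)", SESTATUS_ENFORCING, "{}"),
        ("daemon.json fix", SESTATUS_ENFORCING, '{"selinux-enabled": true}'),
        ("setenforce 0", SESTATUS_AFTER_SETENFORCE_0, "{}"),
    ]:
        print(name, "->", check_host(se, dj) or "ok")
```
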

StormRat commented Mar 9, 2020

> After enabling SELinux in Docker and restarting the daemon, everything starts to work:
>
> {
>   "selinux-enabled": true
> }

Hi, with this Docker parameter I can fix “write /proc/self/attr/keycreate: permission denied”.

But I get a new error:

[root@localhost Euler_compile_env]# docker run -it --rm --entrypoint "/bin/bash" 8975d655b0bf
standard_init_linux.go:211: exec user process caused "permission denied"

Owner Author

haxorof commented Mar 16, 2020

@StormRat Fedora 28 has been End-of-Life since 2019-05-28 and because of that I do not test on that version anymore. I do not know the reason for permission denied in your case but Docker works as expected on Fedora 30 and 31.
