People are reporting problems in Fedora about using centos rhel6 images.
https://bugzilla.redhat.com/show_bug.cgi?id=1098120
The problem is that the libselinux in the centos image is reporting that SELinux is enabled to processes running within the container. Tools like useradd and groupadd attempt to write to /proc/self/attr/* files in order to set up proper labeling for SELinux. Since /proc is now mounted read-only within the docker containers, the writes are denied and useradd/groupadd fail.
I wrote the attached patch for RHEL6 libselinux to get RHEL6 images to work properly. Basically, the patched libselinux will report to processes that SELinux is disabled if the selinux file system is not mounted or is mounted read-only. The fixed version of libselinux is already in the Fedora and RHEL7 versions of libselinux.
Red Hat will be shipping this new version of libselinux in rhel6.6. But we will also ship it as part of our rhel6.5 Base Image.
Privileged containers and systems with SELinux disabled do not have this issue; however, systems with SELinux in permissive or enforcing mode have the problem.
In permissive mode the problem will continue, since it is not SELinux denying access to /proc. It is actually the fact that /proc is mounted read-only. Previous versions of docker did not mount the /proc file system read-only.
It would be a good idea if someone could get a patched version of libselinux into the centos 6 docker image.
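The check Dan describes, as an added example written for this page (it is not the attached patch and not libselinux's own code): a probe that reports SELinux as "enabled" only when selinuxfs is mounted read-write, shown next to the older "enabled if mounted at all" rule, plus a diagnostic that tells a read-only /proc (EROFS) apart from an SELinux denial (EACCES) on a /proc/self/attr file. The SELINUX_MAGIC value, the /sys/fs/selinux mount point and the /proc/self/attr/fscreate path are assumptions taken from the Linux kernel and libselinux sources, not from the message above.

```c
/*
 * Added illustration (not the libselinux patch from the thread): treat a
 * read-only selinuxfs the same as an absent one when answering
 * "is SELinux enabled?", and distinguish EROFS (read-only /proc) from
 * EACCES (SELinux/DAC denial) when a tool would write /proc/self/attr/*.
 *
 * Assumptions not on the page: SELINUX_MAGIC and the /sys/fs/selinux mount
 * point come from the Linux kernel headers; /proc/self/attr/fscreate is the
 * file written by setfscreatecon(), the call useradd/groupadd rely on.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/statfs.h>
#include <sys/statvfs.h>

#define SELINUX_MAGIC 0xf97cff8cU          /* linux/magic.h (assumed) */
#define SELINUXMNT    "/sys/fs/selinux"    /* preferred mount point (assumed) */

enum selinuxfs_state { SELINUXFS_ABSENT = 0, SELINUXFS_RDONLY = 1, SELINUXFS_RW = 2 };

/* Pure decision: classify a mount from its fs magic and statvfs flags. */
enum selinuxfs_state classify_selinuxfs(uint32_t f_type, unsigned long f_flag)
{
    if (f_type != SELINUX_MAGIC)
        return SELINUXFS_ABSENT;       /* not selinuxfs at all */
    if (f_flag & ST_RDONLY)
        return SELINUXFS_RDONLY;       /* selinuxfs present but read-only */
    return SELINUXFS_RW;
}

/* Pre-patch rule: "enabled" whenever selinuxfs is mounted at all, which is
 * what makes useradd inside a container with a read-only /proc try the
 * attr writes and fail. */
int old_is_selinux_enabled(enum selinuxfs_state s)
{
    return s != SELINUXFS_ABSENT;
}

/* Patched rule: "enabled" only when selinuxfs is mounted read-write, so a
 * container sees SELinux as disabled and the tools skip the attr writes. */
int new_is_selinux_enabled(enum selinuxfs_state s)
{
    return s == SELINUXFS_RW;
}

/* Live probe of a mount point; any failure counts as "absent". */
enum selinuxfs_state probe_selinuxfs(const char *mnt)
{
    struct statfs sfbuf;
    struct statvfs vfsbuf;
    int rc;

    do {
        rc = statfs(mnt, &sfbuf);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return SELINUXFS_ABSENT;
    if (statvfs(mnt, &vfsbuf) < 0)
        return SELINUXFS_ABSENT;
    return classify_selinuxfs((uint32_t)sfbuf.f_type, vfsbuf.f_flag);
}

/* Would a write to this /proc/self/attr file be allowed? Returns 0 if yes,
 * otherwise the errno: EROFS means the mount is read-only (the container
 * case in the thread), EACCES means a permission or SELinux denial. */
int attr_write_errno(const char *path)
{
    if (access(path, W_OK) == 0)
        return 0;
    return errno;
}

int main(void)
{
    static const char *names[] = { "absent", "read-only", "read-write" };
    enum selinuxfs_state s = probe_selinuxfs(SELINUXMNT);
    int e = attr_write_errno("/proc/self/attr/fscreate");

    printf("selinuxfs at %s: %s\n", SELINUXMNT, names[s]);
    printf("old is_selinux_enabled(): %d, patched: %d\n",
           old_is_selinux_enabled(s), new_is_selinux_enabled(s));
    printf("write to /proc/self/attr/fscreate: %s\n",
           e == 0 ? "allowed" : strerror(e));
    return 0;
}
```

Run it inside the affected container and on the host: on the host the patched rule and the old rule agree; in a container with a read-only selinuxfs only the patched rule reports "disabled", and the attr probe returns EROFS rather than EACCES, which is the distinction Dan draws between "/proc is read-only" and "SELinux denied it".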
On 05/21/2014 12:32 PM, Daniel J Walsh wrote:
As I understand this, the patch only needs to be applied to the libselinux package within the docker image, correct?
KB / Johnny -
If we were to pull this patch in, how would we keep this package separate from the base packages to ensure we're not polluting the core build, while still enabling users access to the package? Something specific to cloud.centos.org maybe? A one-off file/repo location?
What are the opinions of the cloud-sig folks?
On 05/21/2014 02:08 PM, Jim Perrin wrote:
Yes, that is what I would recommend, and it is actually what we are doing with RHEL6. The new libselinux will show up in the RHEL6.6 update, but for now it only exists in the rhel6.5 docker base image.
On 05/21/2014 08:55 PM, Daniel J Walsh wrote:
The way we are set up right now, we don't have any mechanism to push into specific repos that are not part of the OS repos without some hoops, and the instance/image builders that output the docker image also only include the OS repos.
Let me look the process over and see how we can do something like this, and how we might be able to repose these repos (and where).
Regards
If we're going to have a hackish approach regardless, is this something we could shoehorn into the image build process? I don't know much about the CentOS build infrastructure, but in Fedora we could do something like:
* Have the patch provided and an updated specfile in the git repo with the kickstart and other image metadata;
* At the start of the build, fetch the upstream libselinux sources and build an SRPM;
* Send that SRPM to koji to be built into a real RPM;
* Fetch the resulting RPM and install it into the image, either with the kickstart or with the Dockerfile we ship to stackbrew.
We could probably even use Koji for EPEL-6 to do this, depending on how flexible the CentOS build infrastructure is. It's terrible and hackish and I hate it, but if it'll get us through until CentOS 6.6 (and will require less effort than other approaches), I say let's do it.
Or, could we use COPR to create a repo for the updated package? Again, stepping outside the CentOS infrastructure proper, but we're all owned by the same corporate overlord^W^W^W^W^W^W friends here.
On Fri, May 23, 2014 at 10:55 AM, Karanbir Singh mail-lists@karan.org wrote:
Hi
On 05/23/2014 04:02 PM, Chris St. Pierre wrote:
We just had a brief chat about this, and it looks like the best way to handle it might be to build the patch into CentOS Plus, and then use that package, and only that package, from CentOS Plus at build time. Then leave enough .repo content in /etc/yum.repos.d/ that we have an update path for people into the future.
I believe Jim is going to work on the kickstart to make this work, and Johnny is going to get the rpm into plus. Once those two things happen - I can get a testing image online, and if that works, we can update the index at docker.io
- KB
On 05/27/2014 12:01 PM, Karanbir Singh wrote:
libselinux-2.0.94-5.3.0.1.el6.centos.plus* is now in the centosplus repo, and it should be replaced by newer updates in 6.6.