docker / for-linux

Docker Engine for Linux
https://docs.docker.com/engine/installation/

Cannot start containers in new install with "setup user: permission denied" #739

Open nswartz99 opened 5 years ago

nswartz99 commented 5 years ago

Expected behavior

Docker container starts

Actual behavior

Get message:

$ docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "setup user: permission denied": unknown.
ERRO[0000] error waiting for container: context canceled

Steps to reproduce the behavior

Install Docker on Centos 7.6.1810. Start Docker. docker run hello-world

Output of docker version:

Client:
 Version:           18.09.8
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        0dd43dd87f
 Built:             Wed Jul 17 17:40:31 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.8
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.8
  Git commit:       0dd43dd
  Built:            Wed Jul 17 17:10:42 2019
  OS/Arch:          linux/amd64
  Experimental:     false

Output of docker info:

Containers: 7
 Running: 0
 Paused: 0
 Stopped: 7
Images: 8
Server Version: 18.09.8
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
init version: fec3683
Security Options:
 seccomp
  Profile: default
 selinux
 userns
Kernel Version: 3.10.0-957.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.639GiB
Name: nasdevap09-new
ID: 6HNH:EVJ3:AGJG:BLXI:6QMK:DESM:RQ7X:7IF3:2UW6:R2JK:UD2M:UXJC
Docker Root Dir: /var/app/docker/storage/200000.200000
Debug Mode (client): false
Debug Mode (server): false
HTTP Proxy: http://10.133.140.227:7080/
No Proxy: localhost,127.0.0.1,registry.tatavideo.net
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

VM running under VMWare.

$ ps -ef | grep container
root      5371     1  0 Jul24 ?        00:03:33 /usr/bin/containerd
root     12352     1  1 15:13 ?        00:00:10 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --config-file=/app/docker/config/daemon.json

$ cat /app/docker/config/daemon.json
{
  "userns-remap": "default",
  "data-root": "/var/app/docker/storage",
  "storage-driver": "overlay2",
  "selinux-enabled": true
}

$ grep docker /etc/passwd
docker:x:1005:994:docker user:/home/docker:/bin/bash
nasremap:x:8000:8000:docker remap user:/home/nasremap:/sbin/nologin
dckr0:x:200000:200000:docker user:/app/docker/home/dckr0:/sbin/nologin
dckr1000:x:201000:201000:docker user:/app/docker/home/dckr1000:/sbin/nologin

$ ls -ltraZ /var/app/docker/
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       ..
drwx--x--x. root   root   unconfined_u:object_r:var_t:s0   storage
drwxrwxr-x. docker docker unconfined_u:object_r:var_t:s0   .
drwxrwxr-x+ docker docker unconfined_u:object_r:var_t:s0   mounts

AkihiroSuda commented 5 years ago

Does it work if you disable SELinux?

nswartz99 commented 5 years ago

Yes. I found the problem. Should have posted. We needed: container-selinux.noarch 2:2.99-1.el7_6

We had version 2:2.33 and that seems to have this problem.
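The combination this thread ran into (userns-remap plus selinux-enabled in daemon.json on a host whose container-selinux package predates the version that fixed it) can be checked before a host is rolled out, so that the fix is a package upgrade rather than disabling SELinux. The bash preflight below is an added example, not code from the issue or from Docker; the 2.99-1 threshold is the version the reporter upgraded to, the 2:2.33 sample is the version they had, and the config text and package version are passed in as arguments so it can run against captured data.

```bash
#!/usr/bin/env bash
# Added example, not from the issue or the Docker project: flag the combination
# the thread hit (userns-remap + selinux-enabled in daemon.json, together with a
# container-selinux package older than the version that fixed it). Config text
# and package version are passed in, so it runs on captured data or a live host.
set -u

# Version the reporter upgraded to (2:2.99-1.el7_6), epoch dropped so that
# `sort -V` compares only the version-release part.
FIXED_CONTAINER_SELINUX="2.99-1"

# Return 0 when the JSON text sets the key to something other than false/null.
# Tolerates spacing differences: "selinux-enabled":true and "userns-remap":
# "default" both count as enabled. Assumes a flat daemon.json; no jq needed.
daemon_json_enabled() {
  local key="$1" json="$2" value
  value=$(printf '%s' "$json" | tr -d '\n' \
    | sed -n "s/.*\"$key\"[[:space:]]*:[[:space:]]*\([^,}]*\).*/\1/p" \
    | tr -d ' "')
  [ -n "$value" ] && [ "$value" != "false" ] && [ "$value" != "null" ]
}

# Return 0 when the installed version (rpm form, e.g. "2:2.33") sorts before
# the fixed version.
container_selinux_too_old() {
  local installed="${1#*:}"   # strip an rpm epoch such as "2:"
  local lowest
  lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_CONTAINER_SELINUX" | sort -V | head -n1)
  [ "$lowest" = "$installed" ] && [ "$installed" != "$FIXED_CONTAINER_SELINUX" ]
}

# Print a verdict; return 1 when the known-bad combination is present.
preflight() {
  local json="$1" pkgver="$2"
  if daemon_json_enabled userns-remap "$json" \
     && daemon_json_enabled selinux-enabled "$json" \
     && container_selinux_too_old "$pkgver"; then
    echo "WARN: userns-remap with SELinux on container-selinux $pkgver (< $FIXED_CONTAINER_SELINUX):" \
         "upgrade container-selinux instead of disabling SELinux"
    return 1
  fi
  echo "OK: no known-bad userns-remap/container-selinux combination"
  return 0
}

# Live use on a host, with the config path from the issue:
# preflight "$(cat /app/docker/config/daemon.json)" \
#           "$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' container-selinux)"
```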