docker / for-linux

Docker Engine for Linux
https://docs.docker.com/engine/installation/

Error response from daemon: OCI runtime create failed: container_linux.go:349 #983

Open Rajendraladkat1919 opened 4 years ago

Rajendraladkat1919 commented 4 years ago

Expected behavior

It should run any docker image

Actual behavior

[root@localhost yum.repos.d]# docker run -i -t centos:7
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"write /proc/self/attr/keycreate: permission denied\"": unknown.
ERRO[0002] error waiting for container: context canceled
[root@localhost yum.repos.d]# docker run -itd busybox
5c74da43514170bb8b9d7e1c772247e81916a23cd156658d32f16446f13412e1
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"write /proc/self/attr/keycreate: permission denied\"": unknown.
[root@localhost yum.repos.d]# docker ps

Steps to reproduce the behavior

Output of docker version:

Version:           19.03.8
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        afacb8b
 Built:             Wed Mar 11 01:27:04 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.8
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       afacb8b
  Built:            Wed Mar 11 01:25:42 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 8
  Running: 0
  Paused: 0
  Stopped: 8
 Images: 4
 Server Version: 19.03.8
 Storage Driver: overlay2
  Backing Filesystem: <unknown>
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.18.0-80.el8.x86_64
 Operating System: Red Hat Enterprise Linux 8.0 (Ootpa)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.497GiB
 Name: localhost.localdomain
 ID: QDI4:QLPF:EURH:LMKG:YIP3:UGGB:4K3L:Z3TG:UKPD:THXH:NJXV:INDZ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: rala
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.) Physical RHEL 8

cpuguy83 commented 4 years ago

This is going to be due to the selinux policy. Do you have container-selinux installed? What version?

Rajendraladkat1919 commented 4 years ago

@cpuguy83 it's container-selinux-2.10-2.el7

cpuguy83 commented 4 years ago

The minimum required currently in the centos7 build is "Requires: container-selinux >= 2:2.74". I'm not sure what that means for RHEL8.

dennycrane0 commented 4 years ago

I run into the same problem with container-selinux 2.94. After an upgrade to version 2.124 the problem was solved.

So feel free to close this issue.
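The two comments above reduce to one check: is the installed container-selinux at or above the EVR that the docker-ce package requires, and is the daemon error actually the keycreate SELinux denial? The script below is an added diagnostic example written for this page; it is not code from the docker/for-linux issue, from Docker, or from runc. It assumes the minimum "2:2.74" that cpuguy83 quotes for the CentOS 7 package (RHEL 8 builds may differ, as the thread notes), compares RPM epoch:version strings without relying on rpmdev-vercmp, and classifies the daemon message. The sample rpm output and error strings embedded at the bottom are constructed from the thread so the script runs offline; pass --live to run the real rpm, getenforce and ausearch commands on an affected host instead.

```shell
#!/bin/sh
# Added diagnostic helper for the "write /proc/self/attr/keycreate: permission denied"
# failure. Not from the issue or any Docker project. Assumption: the minimum EVR below is
# the one quoted in the thread for the CentOS 7 docker-ce package.
MIN_CONTAINER_SELINUX="2:2.74"

# epoch part of "epoch:version-release"; rpm prints "(none)" for packages without an epoch,
# and a bare "version-release" (as pasted in the thread) has no epoch either -> 0.
evr_epoch() {
    case "$1" in
        "(none):"*) printf '0' ;;
        *:*)        printf '%s' "${1%%:*}" ;;
        *)          printf '0' ;;
    esac
}

# version part of "epoch:version-release" (release dropped; the minimum has none).
evr_version() {
    v="${1#*:}"
    printf '%s' "${v%%-*}"
}

# 0 when dotted numeric version $1 >= $2, else 1. Assumes numeric segments
# (true for container-selinux, e.g. 2.124.0); a missing segment counts as 0.
version_ge() {
    a="$1." ; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" ; a="${a#*.}"
        y="${b%%.*}" ; b="${b#*.}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# 0 when installed EVR $1 satisfies minimum EVR $2: epoch wins, then version.
evr_ge() {
    e1=$(evr_epoch "$1") ; e2=$(evr_epoch "$2")
    [ "$e1" -gt "$e2" ] && return 0
    [ "$e1" -lt "$e2" ] && return 1
    version_ge "$(evr_version "$1")" "$(evr_version "$2")"
}

# Takes the one-line output of
#   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' container-selinux
# and prints a verdict. Exit status: 0 = meets minimum, 1 = too old, 2 = not installed.
check_container_selinux() {
    case "$1" in
        ""|"package container-selinux is not installed")
            echo "container-selinux: not installed"
            return 2 ;;
    esac
    if evr_ge "$1" "$MIN_CONTAINER_SELINUX"; then
        echo "container-selinux $1 >= $MIN_CONTAINER_SELINUX: OK"
        return 0
    fi
    echo "container-selinux $1 < $MIN_CONTAINER_SELINUX: upgrade it (yum/dnf update container-selinux)"
    return 1
}

# Map an "OCI runtime create failed" daemon message to the failure classes seen in the thread.
# Only the first class is the one the thread resolves (newer container-selinux).
classify_oci_error() {
    case "$1" in
        *"/proc/self/attr/keycreate: permission denied"*) printf 'selinux-keycreate-denied' ;;
        *"/proc/self/attr/keycreate: invalid argument"*)  printf 'keycreate-einval' ;;
        *mounting*proc*"permission denied"*)              printf 'rootfs-proc-mount-denied' ;;
        *)                                                printf 'unknown' ;;
    esac
}

# What to run on the affected host (only with --live): SELinux mode, policy version,
# and any recent AVC denial mentioning keycreate.
live_check() {
    getenforce
    check_container_selinux "$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' container-selinux)"
    ausearch -m AVC -ts recent 2>/dev/null | grep -i keycreate || echo "no keycreate AVC in recent audit log"
}

# Constructed samples built from strings in the thread, so the script runs offline.
SAMPLE_OLD="2:2.10-2.el7"
SAMPLE_NEW="2:2.124.0-1.module+el8.2.0+6368+cf16aa14"
SAMPLE_ERR='OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"write /proc/self/attr/keycreate: permission denied\"": unknown'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    check_container_selinux "$SAMPLE_OLD" || true
    check_container_selinux "$SAMPLE_NEW"
    echo "error class: $(classify_oci_error "$SAMPLE_ERR")"
fi
```

Setting SELinux to permissive, as one later comment does, makes the error disappear because it stops enforcing the policy for every container on the host; treat it as a diagnostic step, upgrade container-selinux, then return to enforcing and confirm with ausearch -m AVC -ts recent that no keycreate denial remains. The "invalid argument" variant on RHEL 8.4 and the debian9 proc-mount variant reported further down are only labelled by the classifier; the thread does not resolve them.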

vvivas commented 4 years ago

I have the same problem, but I am using debian9 and it tells me this:

ERROR: for jenkins Cannot start service jenkins: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\"proc\\" to rootfs \\"/var/lib/docker/overlay2/bbf189ac6d27c62fa2cb1ba556b0c68b50a3cf34e47b704e9e11506f461c4186/merged\\" at \\"/proc\\" caused \\"permission denied\\"\"": unknown

What could it be?

sfescape commented 4 years ago

I'm experiencing the same error vvivas. Were you able to identify and resolve the issue?

Rajendraladkat1919 commented 3 years ago

@sfescape I think reinstalling docker works fine for me. This is related to SELinux security.

raceboyer commented 3 years ago

I ran into this issue this morning on RHEL 7, and setting SELinux to permissive resolved the issue. After adding the policy exception, I was ready to rock (meaning I was able to set SELinux to enforcing).

SerhiiAksiutin commented 3 years ago

+1

raspberrypi:~ $ sestatus
-bash: sestatus: command not found

perezjasonr commented 3 years ago

I just got this as well with RHEL 8:

Warning  Failed   60m (x4 over 63m)      kubelet  Error: failed to create containerd task: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: failed to set /proc/self/attr/keycreate on procfs: write /proc/self/attr/keycreate: invalid argument: unknown
cat /etc/system-release
Red Hat Enterprise Linux release 8.4 (Ootpa)

dnf list --installed | grep container-selinux
container-selinux.noarch                      2:2.164.1-1.module+el8.4.0+11870+8b6f7018   @rhel-8-appstream-rhui-rpms

Anyone have the version needed for RHEL 8?

perezjasonr commented 3 years ago

> I run into the same problem with container-selinux 2.94. After an upgrade to version 2.124 the problem was solved.
>
> So feel free to close this issue.

I just tried to use that version in RHEL 8 (I had to downgrade to it):

dnf list --installed | grep container-selinux
container-selinux.noarch                      2:2.124.0-1.module+el8.2.0+6368+cf16aa14   @rhel-8-appstream-rhui-rpms

and I still get this issue. Of course, the newer version above (2.164) also gets it.