Docker tries to set extended attribute when copying data to an NFS volume

[dmandalidis]

Description

Docker tries to set extended attribute when copying data to an NFS volume, while the latter is not yet supported by an NFS implementation.

Steps to reproduce the issue:

1. Create an image name myimage, using any base image as parent (I 've used debian:9). Create a folder within the image with name foo and place a file bar inside
2. Setup an NFSv4.2 server
3. Do the following:

docker service create --mount type=volume,src=myvolume,dst=/foo,volume-opt=type=nfs,volume-opt=o=addr=mynfsserver.host,volume-opt=device=:/myshare myimage:latest

Describe the results you received:

Nov  8 10:14:17 trg0011li dockerd: time="2018-11-08T10:14:17.222380072+01:00" level=error msg="fatal task error" error="failed to copy xattrs: failed to set xattr \"security.selinux\" on /var/lib/docker/volumes/9da2ee3d-6817-4ddb-84d3-49eec88fe131-v3-db/_data/iuclid6/README_DO_NOT_TOUCH_FILES.txt: operation not supported" module=node/agent/taskmanager node.id=udftyw0v27p4uoznpgxktwuqc service.id=cdh9gg864fc96of0kvvqwk7ds task.id=xcvsu5aiotrduienvyxf3sslk

Service is getting rejected. Strange thing is that the files I created don't have any xattr set.

Describe the results you expected:

Extended attributes should be set only when the target filesystem supports them.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:23:03 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:25:29 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Output of docker info:

Containers: 38
 Running: 13
 Paused: 0
 Stopped: 25
Images: 20
Server Version: 18.06.1-ce
Storage Driver: devicemapper
 Pool Name: docker-253:0-1316562-pool
 Pool Blocksize: 65.54kB
 Base Device Size: 10.74GB
 Backing Filesystem: xfs
 Udev Sync Supported: true
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Data Space Used: 50.74GB
 Data Space Total: 107.4GB
 Data Space Available: 9.026GB
 Metadata Space Used: 64.55MB
 Metadata Space Total: 2.147GB
 Metadata Space Available: 2.083GB
 Thin Pool Minimum Free Space: 10.74GB
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: true
 Deferred Deleted Device Count: 0
 Library Version: 1.02.149-RHEL7 (2018-07-20)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: active
 NodeID: sspl1ro2v1ftpu9yeu3hbd2q3
 Is Manager: true
 ClusterID: f1v841fs8ptflwtlv42kqxtte
 Managers: 3
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
  Force Rotate: 0
 Autolock Managers: false
 Root Rotation In Progress: false
 Node Address: 153.89.136.168
 Manager Addresses:
  153.89.136.168:2377
  153.89.136.170:2377
  153.89.136.171:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-957.el7.x86_64
Operating System: Red Hat
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.5GiB
Name: trg0011li
ID: H7LT:RBCS:7Z5F:A52K:ZZ62:C2DJ:2OMD:AXSC:UC54:CPGD:IRNZ:EKSE
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
HTTP Proxy: http://153.89.205.10:8080/
HTTPS Proxy: http://153.89.205.10:8080/
No Proxy: localhost,127.0.0.1,trg0015li.nrb.be,trg0015li.nrb.be:9092,trg0015li.nrb.be:9090,153.89.136.183,153.89.136.183:2377,153.89.136.183:443,153.89.136.184,153.89.136.184:2377,153.89.136.184:443,153.89.136.185,153.89.136.185:2377,153.89.136.185:443,153.89.136.186,153.89.136.186:2377,153.89.136.186:443,trg0048li,trg0049li,trg0050li,trg0051li,trg0052li,trg0053li,trg0048li.nrb.be,trg0049li.nrb.be,trg0050li.nrb.be,trg0051li.nrb.be,trg0052li.nrb.be,trg0053li.nrb.be,trg0048li:2377,trg0049li:2377,trg0050li:2377,trg0051li:2377,trg0052li:2377,trg0053li:2377,trg0048li.nrb.be:2377,trg0049li.nrb.be:2377,trg0050li.nrb.be:2377,trg0051li.nrb.be:2377,trg0052li.nrb.be:2377,trg0053li.nrb.be:2377,nrbhslprx03.nrb.be
Registry: https://index.docker.io/v1/
Labels:
 ecs.role.ui=1
 ecs.role.fallback=1
 ecs.role.revproxy=1
 ecs.role.rest=1
 ecs.role.logstash=1
Experimental: false
Insecure Registries:
 trg0015li.nrb.be:9090
 trg0015li.nrb.be:9092
 127.0.0.0/8
Registry Mirrors:
 http://trg0015li.nrb.be:9092/
Live Restore Enabled: false

WARNING: devicemapper: usage of loopback devices is strongly discouraged for production use.
         Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.

Additional environment details (AWS, VirtualBox, physical, etc.):

RHEL 7.6

[dmandalidis]

Same applies to 18.09.0. NFS server had selinux=permissive, disabling it completed didn't work out

edit: more info about the NFS server

[dmandalidis]

Downgraded to 17.12.1-ce works around the issue, so it seems that it's not RHEL 7.6 related. Still a problem though with newer docker version

[cpuguy83]

I suspect this happened when we moved to github.com/containerd/continuity to handle copying.

I'll take a look at what we can do to deal with this.
I think just pass in an option to ignore xattrs... but will see.

[dmandalidis]

Thanks @cpuguy83 for looking at it. About the possible extra option, wouldn't that require running services to be updated using the option when docker release incorporating it will be deployed?

Unfortunately, I 'm SELinux-illiterate, but what drew my attention is which part decides that an xattr should be set even though NFS doesn't support this; is it the service which runs under SELinux as well or is it somehow identifies that NFS has it enabled? (Tested with Debian without SELinux and it works)

[cpuguy83]

Actually it looks like someone else already is taking care of it :)

This option would just be something we set while copying, no extra setting on the service. This will bring back the old behavior.

[dmandalidis]

Great! do you have a link to an issue/PR to track it myself?

[cpuguy83]

It's linked above.

[dmandalidis]

@cpuguy83 referenced PR got merged, any chance of backporting to 18.09?

[cpuguy83]

@dmandalidis We need to open a PR here to pull in that change and make use of the new option. Would you like to do that?

[dmandalidis]

@cpuguy83 well, I don't know Go (so don't count on me for having this fixed) but I 'll give it a try

[dmandalidis]

@cpuguy83 hope it's ok, PTAL