Closed
Labels: area/security/selinux, area/volumes, kind/bug, version/19.03
Description
With the Docker daemon running on CentOS 7 with SELinux enabled, creating an NFS volume and mounting it into a container errors with "operation not supported".
Steps to reproduce the issue:
- Install CentOS 7 with SELinux enabled.
```
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

$ cat /etc/docker/daemon.json
{"debug":true, "selinux-enabled":true}
```
- Create the NFS volume:
```
$ docker volume create --name nfs-volume --opt type=nfs --opt o=addr=34.221.163.71,rw --opt device=:/home/ubuntu/nfs
$ docker volume inspect nfs-volume
[
    {
        "CreatedAt": "2020-05-10T04:28:55Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/nfs-volume/_data",
        "Name": "nfs-volume",
        "Options": {
            "device": ":/home/ubuntu/nfs",
            "o": "addr=34.221.163.71,rw",
            "type": "nfs"
        },
        "Scope": "local"
    }
]
```
- Run a container with the volume mounted:
Describe the results you received:
```
$ docker run -it -v nfs-volume:/tmp busybox true
docker: Error response from daemon: failed to set file label on /var/lib/docker/volumes/nfs-volume/_data: operation not supported.
See 'docker run --help'.

$ docker run -it -v nfs-volume:/tmp:z busybox true
docker: Error response from daemon: failed to set file label on /var/lib/docker/volumes/nfs-volume/_data: operation not supported.
See 'docker run --help'.

$ docker run -it -v nfs-volume:/tmp:Z busybox true
docker: Error response from daemon: failed to set file label on /var/lib/docker/volumes/nfs-volume/_data: operation not supported.
See 'docker run --help'.
```
Describe the results you expected:
Expected volume to be able to be mounted properly.
Additional information you deem important (e.g. issue happens only occasionally):
The NFS mount itself works properly:
```
$ sudo mount 34.221.163.71:/home/ubuntu/nfs /tmp/nfs
```
produces no errors. After mounting, `mount` shows it is indeed mounted:
```
$ mount
...
34.221.163.71:/home/ubuntu/nfs on /tmp/nfs type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=172.31.20.209,local_lock=none,addr=34.221.163.71)
```
Output of docker version:
```
$ docker version
Client: Docker Engine - Community
 Version:           19.03.8
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        afacb8b
 Built:             Wed Mar 11 01:27:04 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.8
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       afacb8b
  Built:            Wed Mar 11 01:25:42 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
```
Output of docker info:
```
$ docker info
Client:
 Debug Mode: false

Server:
 Containers: 4
  Running: 0
  Paused: 0
  Stopped: 4
 Images: 1
 Server Version: 19.03.8
 Storage Driver: overlay2
  Backing Filesystem: <unknown>
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: w95pd62dr6reenh1euodwkcxw
  Is Manager: true
  ClusterID: ipscr41ds5l8z6344ehftaf38
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 172.31.20.209
  Manager Addresses:
   172.31.20.209:2377
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
  selinux
 Kernel Version: 3.10.0-957.1.3.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.145GiB
 Name: cquon-test-centos-0
 ID: GIEE:C7R2:ACGO:UGQ4:27KW:6R44:UW6P:JP5P:PBTE:2VWA:E4Z2:VYEM
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 40
  Goroutines: 157
  System Time: 2020-05-10T04:58:28.212784955Z
  EventsListeners: 0
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: API is accessible on http://0.0.0.0:2376 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
```
Additional environment details (AWS, VirtualBox, physical, etc.):
Running AWS EC2 instance with centos7 installed.
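The report shows the same relabel failure with no mode flag, with `:z` and with `:Z`. The `failed to set file label ... operation not supported` text is what the daemon reports when its SELinux relabel step writes the `security.selinux` extended attribute on the volume's mountpoint and the kernel answers ENOTSUP, which is what a plain NFS mount returns: short of labeled NFSv4.2, NFS carries no per-file SELinux labels. The usual way to give such a mount a label is the `context=` mount option, which labels the whole mount at mount time and needs no per-file relabel. The Python below is an added example, not code from the report or from the Docker project: it audits `docker volume inspect` output for local-driver NFS volumes that lack a `context=` option and produces the corrected `--opt o=` string, and it maps the daemon's error line back to the mountpoint it names. The inspect record and the error line are the ones from the report, embedded as constructed sample input. `CONTAINER_FILE_LABEL` (the label the targeted policy gives container-writable files) and the set of filesystem types are this example's assumptions, and the example treats `context=` as a mount-level setting to check for; whether a given daemon release still attempts the per-file relabel regardless of the mode flag (the report shows 19.03 doing so with no flag at all) has to be checked against that release.

```python
import json
import re
from typing import Dict, List

# Constructed sample input: the `docker volume inspect nfs-volume` record from
# the report, as the local driver returns it (a JSON array of volume records).
SAMPLE_INSPECT = json.loads("""
[
  {
    "CreatedAt": "2020-05-10T04:28:55Z",
    "Driver": "local",
    "Labels": {},
    "Mountpoint": "/var/lib/docker/volumes/nfs-volume/_data",
    "Name": "nfs-volume",
    "Options": {"device": ":/home/ubuntu/nfs", "o": "addr=34.221.163.71,rw", "type": "nfs"},
    "Scope": "local"
  }
]
""")

# Constructed sample input: the daemon error line from the report.
SAMPLE_ERROR = ("docker: Error response from daemon: failed to set file label on "
                "/var/lib/docker/volumes/nfs-volume/_data: operation not supported.")

# Assumption of this example: filesystem types that carry no per-file
# security.selinux xattr, so a relabel (setxattr) fails with ENOTSUP and the
# mount must be labelled as a whole through the context= mount option.
NO_XATTR_LABEL_FS = {"nfs", "nfs4"}

# Assumption of this example: the label the targeted policy lets containers
# read and write, i.e. what a successful relabel would have applied.
CONTAINER_FILE_LABEL = "system_u:object_r:container_file_t:s0"


def parse_mount_opts(o: str) -> Dict[str, str]:
    """Split a mount(8) option string "addr=1.2.3.4,rw" into {"addr": "1.2.3.4", "rw": ""}."""
    opts: Dict[str, str] = {}
    for item in o.split(","):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            opts[key] = value.strip('"')
    return opts


def relabel_will_fail(volume: dict) -> bool:
    """True when a per-file SELinux relabel of this volume's mountpoint cannot succeed."""
    opts = volume.get("Options") or {}
    return volume.get("Driver") == "local" and opts.get("type") in NO_XATTR_LABEL_FS


def mount_opts_with_context(o: str, label: str = CONTAINER_FILE_LABEL) -> str:
    """Return the option string with a context= entry, leaving an existing one untouched."""
    if "context" in parse_mount_opts(o):
        return o
    return f"{o},context={label}" if o else f"context={label}"


def audit_volumes(inspect_output: List[dict]) -> List[str]:
    """One finding per NFS volume whose mount options carry no context= label."""
    findings = []
    for vol in inspect_output:
        if not relabel_will_fail(vol):
            continue
        opts = vol.get("Options") or {}
        o = opts.get("o", "")
        if "context" in parse_mount_opts(o):
            continue  # the whole mount is already labelled; nothing to relabel
        findings.append(
            f"{vol['Name']}: type={opts.get('type')} volumes cannot be relabelled "
            f"(setxattr security.selinux -> ENOTSUP); recreate with "
            f"--opt o={mount_opts_with_context(o)} and mount it without :z/:Z"
        )
    return findings


# The daemon's wording for a relabel that the filesystem rejected.
ERROR_RE = re.compile(r"failed to set file label on (?P<path>\S+): operation not supported")


def explain_error(line: str) -> str:
    """Map the daemon's relabel error back to the mountpoint it names, or '' if unrelated."""
    m = ERROR_RE.search(line)
    if not m:
        return ""
    return (f"SELinux relabel of {m.group('path')} returned ENOTSUP: "
            f"the backing filesystem has no per-file labels; label the mount with context=")


if __name__ == "__main__":
    for finding in audit_volumes(SAMPLE_INSPECT):
        print(finding)
    print(explain_error(SAMPLE_ERROR))
```

Feed it `docker volume inspect $(docker volume ls -q)` output instead of the sample to check every local volume on a host before containers are started; a volume that already carries `context=` is skipped, and volumes on any other driver or filesystem type are left alone.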