rootless+overlay2 (kernel 5.11)+SELinux: mkdir /home/<USER>/.local/share/docker/overlay2/<CID>-init/merged/dev: permission denied. #42333
Closed
Workaround

Use fuse-overlayfs:

```
$ cat <<EOF > ~/.config/docker/daemon.json
{"storage-driver": "fuse-overlayfs"}
EOF
$ systemctl --user restart docker
```

Description

rootless+overlay2 (kernel 5.11)+SELinux fails with `mkdir /home/<USER>/.local/share/docker/overlay2/<CID>-init/merged/dev: permission denied`.
Steps to reproduce the issue:

- Install Docker 20.10.6 RPMs to Fedora 34, without disabling SELinux (https://get.docker.com)
- Apply #42199 (dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts) to /usr/bin/dockerd-rootless.sh for the iptables issue
- Run `dockerd-rootless-setuptool.sh install`
- Run `docker --context=rootless info`, and make sure `overlay2` is used as the storage driver.
- Run `docker --context=rootless run --rm hello-world`
Describe the results you received:

```
$ docker --context=rootless run --rm hello-world
docker: Error response from daemon: mkdir /home/vagrant/.local/share/docker/overlay2/ccede5b169c7aa8f767ae0ab0b1e7199a5a63a4ad49e0ba0485cb4913eb7852c-init/merged/etc: permission denied.
See 'docker run --help'.
```

Describe the results you expected:

Should work
Additional information you deem important (e.g. issue happens only occasionally):

- fuse-overlayfs works.
- Enabling "SELinux" in this issue means just enabling SELinux on the host (`getenforce` = `Enforcing`). This has nothing to do with the `--selinux-enabled` flag of `dockerd`.
Output of `docker version`:

```
Client: Docker Engine - Community
 Version:           20.10.6
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        370c289
 Built:             Fri Apr  9 22:47:35 2021
 OS/Arch:           linux/amd64
 Context:           rootless
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd2
  Built:            Fri Apr  9 22:45:20 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
Output of `docker info`:

```
Client:
 Context:    rootless
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  scan: Docker Scan (Docker Inc.)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 20.10.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  rootless
  cgroupns
 Kernel Version: 5.11.12-300.fc34.x86_64
 Operating System: Fedora 34 (Cloud Edition)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.93GiB
 Name: fedora
 ID: 2JDG:SEW5:A2RU:BA7A:F2YD:CRSP:KLR6:43HL:R7PS:YVGZ:WEPV:QNTG
 Docker Root Dir: /home/vagrant/.local/share/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpu shares support
WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
```
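As an added preflight check (not part of this report or of Docker itself), the following parses `docker info` output for the three conditions the report names, takes the host's `getenforce` result as a separate input because `docker info` does not show the host's SELinux mode, and builds the workaround `daemon.json` without dropping settings already present in the file. The sample input is a constructed excerpt of the output above with the one-space indentation that `docker info` actually prints.

```python
import re

# Constructed excerpt of the `docker info` output quoted in this report,
# with the nesting indentation real `docker info` output has.
SAMPLE_DOCKER_INFO = """\
Server:
 Server Version: 20.10.6
 Storage Driver: overlay2
 Security Options:
  seccomp
   Profile: default
  rootless
  cgroupns
 Kernel Version: 5.11.12-300.fc34.x86_64
"""

def parse_docker_info(text):
    """Extract storage driver, kernel (major, minor) and the Security Options block."""
    driver = re.search(r"^\s*Storage Driver:\s*(\S+)", text, re.M)
    kernel = re.search(r"^\s*Kernel Version:\s*(\d+)\.(\d+)", text, re.M)
    options, indent = set(), None
    for line in text.splitlines():
        stripped = line.lstrip()
        depth = len(line) - len(stripped)
        if indent is None:
            if stripped.startswith("Security Options:"):
                indent = depth           # remember the header's indentation
            continue
        if depth <= indent:              # back at header level: block is over
            break
        if ":" not in stripped:          # skip nested detail like "Profile: default"
            options.add(stripped)
    return {
        "storage_driver": driver.group(1) if driver else None,
        "kernel": (int(kernel.group(1)), int(kernel.group(2))) if kernel else None,
        "security_options": options,
    }

def affected(info, selinux_mode):
    """The reported combination: rootless daemon, overlay2, host SELinux Enforcing, kernel 5.11+."""
    return ("rootless" in info["security_options"]
            and info["storage_driver"] == "overlay2"
            and selinux_mode.strip() == "Enforcing"
            and info["kernel"] is not None and info["kernel"] >= (5, 11))

def workaround_config(existing):
    """daemon.json contents with the fuse-overlayfs workaround; other keys are kept."""
    return {**existing, "storage-driver": "fuse-overlayfs"}
```

Feed `affected()` the real `docker --context=rootless info` text and the `getenforce` output; `workaround_config()` takes the parsed contents of an existing `~/.config/docker/daemon.json` (or `{}`), so a `log-driver` or other setting survives where the `cat <<EOF >` workaround above would overwrite it.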