runc regression - EPERM running containers from selinux

Trying to run containers on CentOS with SELinux enforcing on, runc gets a denial trying to access /proc/self/attr/keycreate.

This happens when selinux-enabled=false on dockerd, which is the default. When selinux-enabled=true all is OK.

Reverting runc to an older commit (which does not mess with this file), everything starts up properly.

moby/moby

Answer by kolyshkin

Oh OK I got it!

yum downgrade container-selinux
....
Installed:
  container-selinux.noarch 2:2.74-1.el7

Complete!
[root@kir-ce75-gd ~]# docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"write /proc/self/attr/keycreate: permission denied\"": unknown.
ERRO[0000] error waiting for container: context canceled
