BUG REPORT INFORMATION - Docker CE 1.13.1 issue while changing kernel semaphore changes (kernel.sem) #313
Comments
Did you get any AVC messages?

No, SELinux isn't the factor. Error:

I take it SELinux is disabled? Could be capabilities? Do you know if the kernel/sem is a namespaced sysctl?

Does it work if you set --cap-add ALL?

BTW, have you tried podman... Worked successfully with podman on Fedora 28.

SELinux is enabled. We have only noticed that this param (kernel.sem) is not changed.

@rhatdan It works fine when I disable user namespaces (--userns=host).

Ah, a clue. So the user namespace is blocking it. Quick tests with podman show that it is failing.

Without user namespace:

@ebeiderman Do you think this is a bug in UserNamespace or in Runc?

@rhatdan I think that is expected. Writing to

Can we change the writing to the sysctl to not be done by the root in the init user namespace? I.e. can this be fixed in the OCI Runtimes?

I am not sure, it might be possible that the parent process writes to the

Tagging @ebiederm
BUG REPORT INFORMATION
Description

Steps to reproduce the issue:

    docker run --name webserver1 -d -p 9091:80 --sysctl kernel.sem="250 32000 100 2048" nginx

If successful (the container id is printed):

    aa71efee7bf149794a11fb27eab1a25640c6cc3c09192f610d5b14cafe186b26

Output of error:

    /usr/bin/docker-latest: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:364: container init caused "open /proc/sys/kernel/sem: permission denied"".
Describe the results you received:

Docker service was unable to pick up the desired kernel changes on the host.

Describe the results you expected:

The kernel semaphore changes are supposed to be reflected inside the container.

Additional information you deem important (e.g. issue happens only occasionally):

It works perfectly fine with Docker 1.12.x and Docker 18.03.
Output of docker version:

Output of docker info:

Additional environment details (AWS, VirtualBox, physical, etc.):

AWS EC2 instance
OS: RHEL 7.5
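To check the outcome of the reproduction steps above, as an added example that is not part of the issue thread: a POSIX shell script that validates a kernel.sem tuple (SEMMSL SEMMNS SEMOPM SEMMNI), starts a throwaway container with the requested value, and compares it with what the container actually reads from /proc/sys/kernel/sem. The nginx image and the use of `docker run --rm ... cat` are assumptions; a start failure such as the permission-denied error quoted above is reported with its own exit code so it is not mistaken for a value mismatch.

```shell
#!/bin/sh
# Added example (not from the issue): verify that a kernel.sem value passed via
# `docker run --sysctl` is really visible inside the container.

# Return 0 if $1 is a well-formed kernel.sem tuple: four non-negative integers
# (SEMMSL SEMMNS SEMOPM SEMMNI), any whitespace between them.
sem_tuple_valid() {
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for f in "$@"; do
        case "$f" in
            ''|*[!0-9]*) return 1 ;;
        esac
    done
    return 0
}

# Collapse whitespace so "250  32000 100   2048" equals "250 32000 100 2048".
sem_tuple_normalize() {
    set -- $1
    printf '%s %s %s %s' "$1" "$2" "$3" "$4"
}

# Return 0 when both tuples are valid and equal field by field.
sem_tuple_matches() {
    sem_tuple_valid "$1" && sem_tuple_valid "$2" &&
        [ "$(sem_tuple_normalize "$1")" = "$(sem_tuple_normalize "$2")" ]
}

# Exit 1: malformed request; 2: container failed to start (e.g. the
# "open /proc/sys/kernel/sem: permission denied" error); 3: value differs.
check_container_sem() {
    requested=$1
    sem_tuple_valid "$requested" || {
        echo "malformed kernel.sem tuple: '$requested'" >&2; return 1; }
    # Image name is an assumption; any image that ships cat(1) will do.
    seen=$(docker run --rm --sysctl kernel.sem="$requested" nginx \
               cat /proc/sys/kernel/sem 2>&1) || {
        echo "container failed to start: $seen" >&2; return 2; }
    if sem_tuple_matches "$requested" "$seen"; then
        echo "kernel.sem inside container: $seen (matches request)"
    else
        echo "kernel.sem inside container: '$seen', requested '$requested'" >&2
        return 3
    fi
}

# Usage: sh check_sem.sh "250 32000 100 2048"
if [ "$#" -gt 0 ]; then
    check_container_sem "$1"
fi
```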