Docker Community Forums

Ucp install -i fails on selinux even with correctly mounted docker.sock

ucp

(Rick Peters) #1

I’m installing UCP on a selinux enabled RHEL7.2 system (kernel 3.10).
I am mounting docker.sock with the :Z flag:

docker run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock:Z docker/ucp install -i --swarm-port=3376

I also added the selinux module to enable access to docker.sock from this repo https://github.com/dpw/selinux-dockersock

The local docker daemon is TLS enabled and selinux enabled, as can be seen in my docker config:

OPTIONS=" -g /var/appdata/docker/ -H tcp://0.0.0.0:2376 
-H unix:///var/run/docker.sock --ip-forward=true 
--iptables=true --ip-masq=true -l info --log-driver json-file 
 --cluster-store=consul://itu520.acs.kadaster.nl:8500 
--cluster-advertise=eth0prim:2376 
--selinux-enabled=true 
--tlsverify --tlscacert /var/appdata/certs/public/ca.pem 
--tlscert /var/appdata/certs/private/server-cert.pem 
--tlskey /var/appdata/certs/private/server-key.pem"

The initial bootstrap installation now starts and I answer several questions.

However, after I press [enter] on the question for additional SANs, the installation fails with:

FATA[0000] Missing docker.sock. You must run the bootstrap container with 
"-v /var/run/docker.sock:/var/run/docker.sock"

There is no message whatsoever from selinux in our audit.log?

Is this a selinux problem and if so what should I do about it? I know that putting selinux in permissive mode enables installation, so it does not seem that it is just a check in the installation.

regards,
Rick


(Vivek Saraswat) #2

Hi Rick,

I saw the support team is working with you on this. Will try to work through that avenue.


(Rick Peters) #3

Hi Vivek,

Support doesn’t really get me anywhere since we use the (licensed) UCP, but for now work with the OSS version of Docker Engine and RHEL 7.2 (because of the kernel dependency). Current workaround is to temporarily disable selinux. Don’t much like it because selinux gives unpredictable and hard to analyze problems.

regards,
Rick


(Rick Peters) #4

Problem seems to be somewhere in our own puppet installation. On a clean and hardened SELinux installation it works as intended.