Description
TestMount in module github.com/docker/docker/pkg/mount is failing when mounts are using seclabel label. This label is unexpected for TestMount and in my opinion, we should expect it when it's needed.
Steps to reproduce the issue:
- Run make test or make test-unit inside the moby source tree.
Describe the results you received:
--- FAIL: TestMount (0.28s)
--- FAIL: TestMount/none-remount,size=128k (0.02s)
mounter_linux_test.go:203: unexpected mount option "seclabel" expected "rw,size=128k"
--- FAIL: TestMount/none-remount,ro,size=128k (0.01s)
mounter_linux_test.go:203: unexpected mount option "seclabel" expected "ro,size=128k"
FAIL
coverage: 69.3% of statements
FAIL github.com/docker/docker/pkg/mount 0.463s
Describe the results you expected:
I expect to successfully run TestMount unit test.
Additional information you deem important (e.g. issue happens only occasionally):
It happens only if "seclabel" is used in mounts inside docker containers, i.e.:
[root@bd417ac4a61c /]# cat /proc/mounts | grep seclabel
overlay / overlay rw,seclabel,relatime,lowerdir=/var/lib/docker/overlay2/l/NPKY7477X4YEIUU3AU6HVT4JWI:/var/lib/docker/overlay2/l/DUZY6AAEVSHPAQLD5SXTKLXBQI,upperdir=/var/lib/docker/overlay2/358c55234910697dc687a841d6f64c4c906c8833a635cc9845fff28c90277a11/diff,workdir=/var/lib/docker/overlay2/358c55234910697dc687a841d6f64c4c906c8833a635cc9845fff28c90277a11/work 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
sysfs /sys sysfs ro,seclabel,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0
mqueue /dev/mqueue mqueue rw,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/fedora-root /etc/resolv.conf ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/mapper/fedora-root /etc/hostname ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/mapper/fedora-root /etc/hosts ext4 rw,seclabel,relatime,data=ordered 0 0
shm /dev/shm tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,size=65536k 0 0
devpts /dev/console devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /proc/kcore tmpfs rw,seclabel,nosuid,mode=755 0 0
tmpfs /proc/latency_stats tmpfs rw,seclabel,nosuid,mode=755 0 0
tmpfs /proc/timer_list tmpfs rw,seclabel,nosuid,mode=755 0 0
tmpfs /proc/sched_debug tmpfs rw,seclabel,nosuid,mode=755 0 0
tmpfs /sys/firmware tmpfs ro,seclabel,relatime 0 0
That seems to happen on Fedora/CentOS/RH-based systems on host. Using --security-opt label:disable (which disables selinux for the container even if docker daemon uses it by default) does not change that behavior, so the test is still failing.
Output of docker version:
Client:
Version: 1.13.1
API version: 1.26
Package version: <unknown>
Go version: go1.8.1
Git commit: 27e468e/1.13.1
Built: Mon Jun 19 19:26:21 2017
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: <unknown>
Go version: go1.8.1
Git commit: 27e468e/1.13.1
Built: Mon Jun 19 19:26:21 2017
OS/Arch: linux/amd64
Experimental: false
Output of docker info:
Containers: 89
Running: 4
Paused: 0
Stopped: 85
Images: 1061
Server Version: 1.13.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: oci runc
Default Runtime: oci
Init Binary: /usr/libexec/docker/docker-init-current
containerd version: (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: N/A (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
seccomp
WARNING: You're not using the default seccomp profile
Profile: /etc/docker/seccomp.json
selinux
Kernel Version: 4.11.9-300.fc26.x86_64
Operating System: Fedora 26 (Workstation Edition)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 3
CPUs: 4
Total Memory: 15.55 GiB
Name: localhost.localdomain
ID: WMFD:S6TI:4AMQ:5HI2:DXBO:2NHB:QYM7:HJO6:FMST:XKVW:DAGA:W2WD
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://registry.fedoraproject.org/v1/
Experimental: false
Insecure Registries:
10.192.0.1:5000
127.0.0.0/8
Live Restore Enabled: false
Registries: registry.fedoraproject.org (secure), registry.access.redhat.com (secure), docker.io (secure)
Additional environment details (AWS, VirtualBox, physical, etc.):
Fedora 26 on my physical machine
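The comparison behind the failure above, as an added example that is not part of the original report and not moby's test code: it checks a mount's options against the expected set, first strictly and then tolerating seclabel as the reporter proposes. The function names procMountsOpts and unexpectedOpts and the sample mount line are hypothetical, constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// procMountsOpts returns the option field (4th column) of one /proc/mounts line.
// Hypothetical helper, not part of github.com/docker/docker/pkg/mount.
func procMountsOpts(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return "", fmt.Errorf("malformed mount line: %q", line)
	}
	return f[3], nil
}

// unexpectedOpts lists the options in actual that are absent from expected,
// skipping any named in tolerated (options the caller did not request but
// accepts, such as seclabel on an SELinux-enabled host).
func unexpectedOpts(actual, expected string, tolerated ...string) []string {
	allowed := map[string]bool{}
	for _, o := range strings.Split(expected, ",") {
		allowed[o] = true
	}
	for _, o := range tolerated {
		allowed[o] = true
	}
	var extra []string
	for _, o := range strings.Split(actual, ",") {
		if o != "" && !allowed[o] {
			extra = append(extra, o)
		}
	}
	return extra
}

func main() {
	// Constructed sample: a tmpfs requested with "rw,size=128k" on an SELinux host.
	line := "tmpfs /tmp/target tmpfs rw,seclabel,size=128k 0 0"
	opts, err := procMountsOpts(line)
	if err != nil {
		panic(err)
	}
	fmt.Println("strict:  ", unexpectedOpts(opts, "rw,size=128k"))
	fmt.Println("tolerant:", unexpectedOpts(opts, "rw,size=128k", "seclabel"))
	// A real mismatch (ro instead of rw) is still reported with seclabel tolerated.
	fmt.Println("mismatch:", unexpectedOpts("ro,seclabel,size=128k", "rw,size=128k", "seclabel"))
}
```

Tolerating only the one named option keeps the check meaningful: any other option that was not requested still surfaces as unexpected.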