Container running systemd fails to run after upgrade to Red Hat Enterprise Linux 7.5
Environment
- Red Hat Enterprise Linux 7.5 and newer
- Red Hat Enterprise Linux Atomic Host 7.5 and newer
- docker-1.13.1-58.git87f2fab.el7 and newer
- selinux-policy-3.13.1-192.el7.noarch.rpm and newer
Issue
- Container running systemd fails to run/start with an error similar to the following:
# docker run -ti registry.access.redhat.com/rhel7/rhel:latest /usr/sbin/init
...
Failed to create cgroup /system.slice/docker-15fcda4a7f4b4c47758e212786b2aa5af27e39fd8ff9703863a26b6cdaf4792a.scope/system.slice/systemd-journald.service: Permission denied
Resolution
Enable the container_manage_cgroup SELinux boolean to allow a container process (in this case systemd) to make changes to cgroup configuration. The following command persistently enables this setting:
setsebool -P container_manage_cgroup on
Root Cause
An update to selinux-policy in RHEL 7.5 fixed an issue that incorrectly allowed systemd in a container to make cgroup changes without enabling the required SELinux boolean, container_manage_cgroup. Now SELinux will properly block a container process from making cgroup changes without explicitly enabling this option.
<insert link to 7.5 release notes>
Diagnostic Steps
- Check if the container is configured to run an init or systemd command:
# docker inspect -f '{{ .Config.Cmd }}' registry.access.redhat.com/rhel7
[/bin/bash]
- Check if the container is based on the registry.access.redhat.com/rhel7-init image, which runs /sbin/init by default:
# docker inspect -f '{{ .Config.Cmd }}' registry.access.redhat.com/rhel7-init
[/sbin/init]
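The following shell helper is an added example, not part of the original article: it combines the diagnostic steps above by classifying an image's configured command (the `docker inspect` Cmd value) together with the current state of the container_manage_cgroup boolean (the `getsebool` output), and reports whether the setsebool command from the Resolution is needed. The optional live invocation at the bottom assumes docker and getsebool are available on the host.

```shell
#!/bin/sh
# Added helper (not from the Red Hat article): decide whether an image that
# runs init/systemd needs the container_manage_cgroup SELinux boolean.

# Return 0 when a raw Cmd value such as "[/usr/sbin/init]" or
# "[/sbin/init --log-target=console]" names init or systemd.
cmd_needs_cgroup_access() {
    first=${1#\[}          # drop the leading "[" printed by docker inspect
    first=${first%\]}      # drop the trailing "]"
    first=${first%% *}     # keep the executable only, discard its arguments
    case "${first##*/}" in
        init|systemd) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when getsebool output ("container_manage_cgroup --> on") shows
# the boolean enabled.
cgroup_bool_enabled() {
    case "$1" in
        "container_manage_cgroup --> on") return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both checks into a single advice line.
advise() {
    cmd=$1
    bool=$2
    if ! cmd_needs_cgroup_access "$cmd"; then
        echo "no-change: image does not run init/systemd"
    elif cgroup_bool_enabled "$bool"; then
        echo "ok: container_manage_cgroup already on"
    else
        echo "action: run 'setsebool -P container_manage_cgroup on'"
    fi
}

# Live run against a real image (requires docker and getsebool on the host):
#   sh check_cgroup_bool.sh registry.access.redhat.com/rhel7-init
if [ -n "${1-}" ] && command -v docker >/dev/null 2>&1; then
    advise "$(docker inspect -f '{{ .Config.Cmd }}' "$1")" \
           "$(getsebool container_manage_cgroup)"
fi
```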
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.