Package docker-1.13.1-203.git0be3e21.el7_9 or higher still applies SELinux labels when "--security-opt label=disabled" or "--privileged" is specified and a volume is mounted with ":Z" or ":z"
Issue
- On Docker package version docker-1.13.1-203.git0be3e21.el7_9 or higher on RHEL7, it is observed that if a container is started with the --security-opt label=disabled or --privileged flag, the :Z or :z suffix on volumes is not ignored as it should be.
- Downgrading to Docker package version docker-1.13.1-162.git64e9980.el7_8 resolves the issue.
- Latent effects of this issue include:
  - Docker privileged containers, or containers with label=disable defined as a security option, that have large volumes may be unexpectedly relabeled at creation. This can take an inordinate amount of time depending on the size of the volume, giving the appearance of a "hung" Docker process (where Docker doesn't respond to docker ps or other commands).
  - OpenShift 3.11 clusters that have privileged pods with large volumes attached may spend a large amount of time in the "ContainerCreating" state as the relabel from Docker occurs, suffering from the same problem as described above.
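To see which containers on a node are exposed to this behaviour, the following added example (not part of the Red Hat article) reads docker inspect JSON and lists containers that are privileged or have labeling disabled yet bind-mount a volume with :z or :Z. The sample data and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from the article).
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/db",   "HostConfig": {"Privileged": true,  "SecurityOpt": null,
                                  "Binds": ["/srv/data:/var/lib/data:Z"]}},
 {"Name": "/web",  "HostConfig": {"Privileged": false, "SecurityOpt": ["label=disable"],
                                  "Binds": ["/srv/www:/www:ro,z"]}},
 {"Name": "/app",  "HostConfig": {"Privileged": false, "SecurityOpt": null,
                                  "Binds": ["/srv/app:/app:Z"]}},
 {"Name": "/tool", "HostConfig": {"Privileged": true,  "SecurityOpt": null,
                                  "Binds": ["/tmp:/tmp"]}}
]""")

RELABEL_FLAGS = {"z", "Z"}
# Both spellings used in the article are treated as "labeling disabled".
LABEL_OFF = {"label=disable", "label=disabled"}


def relabel_binds(container):
    """Return bind specs whose option field requests an SELinux relabel."""
    hits = []
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        parts = bind.split(":")
        # Format is src:dst[:opts]; opts is comma-separated, e.g. "ro,Z".
        if len(parts) >= 3 and RELABEL_FLAGS & set(parts[-1].split(",")):
            hits.append(bind)
    return hits


def affected(containers):
    """Map container name -> relabel binds where labeling was meant to be off."""
    result = {}
    for c in containers:
        host = c.get("HostConfig", {})
        label_off = bool(LABEL_OFF & set(host.get("SecurityOpt") or []))
        if host.get("Privileged") or label_off:
            binds = relabel_binds(c)
            if binds:
                result[c.get("Name", "?")] = binds
    return result


if __name__ == "__main__":
    for name, binds in affected(SAMPLE_INSPECT).items():
        print(name, binds)
```

On a node, replace the sample with json.load over the saved output of docker inspect $(docker ps -aq).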
Environment
- Red Hat Enterprise Linux 7 with Docker version 1.13.1-203.git0be3e21.el7_9 or higher.
- Red Hat OpenShift 3 running Docker version 1.13.1-203.git0be3e21.el7_9 or higher on nodes.