Package docker-1.13.1-203.git0be3e21.el7_9 or higher still applies SELinux labels when "--security-opt label=disabled" or "--privileged" is specified and a volume is mounted with ":Z" or ":z"

Solution In Progress - Updated -

Issue

  • On RHEL7 with Docker package version docker-1.13.1-203.git0be3e21.el7_9 or higher, when a container is started with the --security-opt label=disabled or --privileged flag, a trailing :Z or :z on a volume is not ignored as it should be.
  • Downgrading to Docker package version docker-1.13.1-162.git64e9980.el7_8 resolves the issue.
  • Latent effects of this issue include:
    • Privileged Docker containers, or containers with label=disable defined as a security option, that have large volumes may be unexpectedly relabeled on creation, which can take an inordinate amount of time depending on the size of the volume, giving the appearance of a "hung" Docker process (where Docker doesn't respond to docker ps or other commands).
    • OpenShift 3.11 clusters that have privileged pods with large volumes attached may spend a large amount of time in "ContainerCreating" state as the relabel from Docker occurs, suffering from the same problem as described above.

Environment

  • Red Hat Enterprise Linux 7 with Docker version 1.13.1-203.git0be3e21.el7_9 or higher.
  • Red Hat OpenShift 3 running Docker version 1.13.1-203.git0be3e21.el7_9 or higher on nodes.
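
As an added example (not part of the Red Hat article): a Python check that tests whether a package name is at or above the release named above, and lists containers from `docker inspect` JSON that are privileged or label-disabled yet mount volumes with :z or :Z. The sample JSON is constructed and the function names are illustrative.

```python
import json
import re

AFFECTED_FROM_RELEASE = 203  # from the page: docker-1.13.1-203.git0be3e21.el7_9 or higher

def package_is_affected(nvr):
    """True if an RPM name such as docker-1.13.1-203.git0be3e21.el7_9 is at or above release 203."""
    m = re.match(r"docker-1\.13\.1-(\d+)\.", nvr)
    return bool(m) and int(m.group(1)) >= AFFECTED_FROM_RELEASE

def labels_disabled(host_config):
    """True for --privileged or a label-disabling --security-opt."""
    opts = host_config.get("SecurityOpt") or []
    # The page writes both label=disabled and label=disable; the colon form is matched too.
    return bool(host_config.get("Privileged")) or any(
        re.fullmatch(r"label[=:]disabled?", o) for o in opts)

def relabel_mounts(container):
    """Return (source, destination, mode) for mounts whose mode carries z or Z."""
    hits = []
    for m in container.get("Mounts") or []:
        flags = (m.get("Mode") or "").split(",")
        if "z" in flags or "Z" in flags:
            hits.append((m.get("Source"), m.get("Destination"), m.get("Mode")))
    return hits

def at_risk(containers):
    """Map container name to relabel mounts, for containers that should have skipped relabeling."""
    return {c["Name"]: relabel_mounts(c) for c in containers
            if labels_disabled(c.get("HostConfig", {})) and relabel_mounts(c)}

# Constructed sample in the shape of `docker inspect` output (not real hosts or paths).
SAMPLE = json.loads("""[
 {"Name": "/big-data", "HostConfig": {"Privileged": true, "SecurityOpt": null},
  "Mounts": [{"Source": "/srv/data", "Destination": "/data", "Mode": "Z"}]},
 {"Name": "/no-label", "HostConfig": {"Privileged": false, "SecurityOpt": ["label=disable"]},
  "Mounts": [{"Source": "/srv/logs", "Destination": "/logs", "Mode": "ro,z"}]},
 {"Name": "/confined", "HostConfig": {"Privileged": false, "SecurityOpt": null},
  "Mounts": [{"Source": "/srv/app", "Destination": "/app", "Mode": "Z"}]},
 {"Name": "/priv-plain", "HostConfig": {"Privileged": true, "SecurityOpt": null},
  "Mounts": [{"Source": "/srv/tmp", "Destination": "/tmp", "Mode": ""}]}
]""")

if __name__ == "__main__":
    for nvr in ("docker-1.13.1-203.git0be3e21.el7_9", "docker-1.13.1-162.git64e9980.el7_8"):
        print(nvr, "affected" if package_is_affected(nvr) else "not affected")
    for name, mounts in at_risk(SAMPLE).items():
        print(name, mounts)
```

On a real host, replace `SAMPLE` with the parsed output of `docker inspect` for the containers of interest.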
