The RHEL 6.7 docker image pull fails with "invalid argument" message in Enforcing mode
Issue
It is not possible to pull the RHEL 6.7 container image, registry.access.redhat.com/rhel6.7. It fails with one of the following errors:
# docker run -ti registry.access.redhat.com/rhel6.7 bash
Unable to find image 'registry.access.redhat.com/rhel6.7:latest' locally
Trying to pull repository registry.access.redhat.com/rhel6.7 ...
latest: Pulling from registry.access.redhat.com/rhel6.7
70d17a322519: Extracting [==================================================>] 61.43 MB/61.43 MB
/usr/bin/docker-current: failed to register layer: Error processing tar file(exit status 1): invalid argument.
# docker pull registry.access.redhat.com/rhel6.7
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel6.7 ...
sha256:1e4631bcdf425bf7d6f70f5f228f372107cc9098368742923ce4acedebe0c145: Pulling from registry.access.redhat.com/rhel6.7
70d17a322519: Extracting [==================================================>] 61.43 MB/61.43 MB
failed to register layer: ApplyLayer exit status 1 stdout: stderr: invalid argument
The SELinux status is Enforcing
# getenforce
Enforcing
It is possible to see the following AVC message on the node
type=AVC msg=audit(1520853514.663:6200): avc: denied { mac_admin } for pid=25799 comm="exe" capability=33 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=capability2 permissive=0
type=SELINUX_ERR msg=audit(1520853514.663:6201): op=setxattr invalid_context="system_u:object_r:tzdata_exec_t:s0"
Once the SELinux is in Permissive/Disabled mode the 6.7 image works
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux Atomic Host
- docker
- registry.access.redhat.com/rhel6.7
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.