Package docker-1.13.1-203.git0be3e21.el7_9 or higher still applies SELinux labels when "--security-opt label=disabled" or "--privileged" is specified and a volume is mounted with ":Z" or ":z"

Solution In Progress - Updated -

Issue

  • On RHEL7 with Docker package version docker-1.13.1-203.git0be3e21.el7_9 or higher, when a container is started with the --security-opt label=disabled or --privileged flag, a :Z or :z suffix on a volume is not ignored as it should be.
  • Downgrading to Docker package version docker-1.13.1-162.git64e9980.el7_8 resolves the issue.
  • Latent effects of this issue include:
    • Docker privileged containers, or containers with label=disable defined as a security option, that have large volumes may be unexpectedly relabeled on creation. The relabel can take an inordinate amount of time depending on the size of the volume, giving the appearance of a "hung" Docker process (where Docker doesn't respond to docker ps or other commands).
    • On OpenShift 3.11 clusters, privileged pods with large volumes attached may spend a large amount of time in the "ContainerCreating" state while the relabel from Docker occurs; this is the same problem as described above.

Environment

  • Red Hat Enterprise Linux 7 with Docker version 1.13.1-203.git0be3e21.el7_9 or higher.
  • Red Hat OpenShift 3 running Docker version 1.13.1-203.git0be3e21.el7_9 or higher on nodes.
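
An added example, not part of the original article or of Red Hat's tooling: a Python audit that reads docker inspect JSON and lists the containers matching the conditions in the Issue section (--privileged or a label-disabling --security-opt, combined with a :Z or :z volume). The sample input is constructed, and treating any label value that starts with "disable" as label-disabling is an assumption made to cover both spellings used above.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields used below.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/db", "HostConfig": {"Privileged": True, "SecurityOpt": None,
                                   "Binds": ["/srv/pgdata:/var/lib/pgsql:Z"]}},
    {"Name": "/web", "HostConfig": {"Privileged": False, "SecurityOpt": ["label=disable"],
                                    "Binds": ["/srv/www:/usr/share/www:ro,z",
                                              "/etc/hosts:/etc/hosts"]}},
    {"Name": "/app", "HostConfig": {"Privileged": False, "SecurityOpt": [],
                                    "Binds": ["/srv/app:/app:Z"]}},
    {"Name": "/agent", "HostConfig": {"Privileged": True, "SecurityOpt": None,
                                      "Binds": ["/var/log:/host/log:ro"]}},
])


def labels_disabled(host_config):
    """True if started with --privileged or a label-disabling security option."""
    if host_config.get("Privileged"):
        return True
    for opt in host_config.get("SecurityOpt") or []:
        # Accept both "label=disable" and the older "label:disable" separator.
        key, _, value = opt.replace(":", "=", 1).partition("=")
        if key == "label" and value.startswith("disable"):  # assumption: lenient match
            return True
    return False


def relabel_binds(host_config):
    """Return the bind specs (src:dst:opts) whose options request z or Z relabeling."""
    hits = []
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) == 3 and {"z", "Z"} & set(parts[2].split(",")):
            hits.append(bind)
    return hits


def find_unexpected_relabels(inspect_json):
    """List (container, bind) pairs where a relabel is requested but should be ignored."""
    findings = []
    for container in json.loads(inspect_json):
        host_config = container.get("HostConfig") or {}
        if labels_disabled(host_config):
            name = container.get("Name", "").lstrip("/")
            findings += [(name, bind) for bind in relabel_binds(host_config)]
    return findings


if __name__ == "__main__":
    for name, bind in find_unexpected_relabels(SAMPLE_INSPECT):
        print(f"{name}: relabel requested on {bind}")
```

On a node, pass the output of docker inspect $(docker ps -aq) to find_unexpected_relabels in place of the sample; each pair returned is a volume that an affected Docker build would relabel at container creation.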
