From 4318802f645cdd4fa63a894160f153a69a97af59 Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Wed, 4 Jun 2014 16:38:06 -0400
Subject: [PATCH] Error if Docker daemon starts with BTRFS graph driver and SELinux enabled
The Docker btrfs graph driver does not interact well with SELinux at present. If btrfs mounts the same file in several locations, the same SELinux label will be applied to all mountpoints. In the context of the graph driver, things such as shared libraries become inaccessible to containers due to SELInux, causing all dynamically linked applications to fail when run in a container. Consequently, error when we detect the daemon is being run with SELinux enabled and the btrfs driver. Documentation has been added for this behavior.
Docker-DCO-1.1-Signed-off-by: Matthew Heon (github: mheon)
---
 daemon/daemon.go | 5 +++++
 docker/docker.go | 2 +-
 docs/man/docker.1.md | 2 +-
 docs/sources/reference/commandline/cli.md | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 23402d9518..8863407979 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -778,6 +778,11 @@ func NewDaemonFromDirectory(config *daemonconfig.Config, eng *engine.Engine) (*D
 }
 utils.Debugf("Using graph driver %s", driver)
+ // As Docker on btrfs and SELinux are incompatible at present, error on both being enabled
+ if config.EnableSelinuxSupport && driver.String() == "btrfs" {
+ return nil, fmt.Errorf("SELinux is not supported with the BTRFS graph driver!")
+ }
+
 daemonRepo := path.Join(config.Root, "containers")
 if err := os.MkdirAll(daemonRepo, 0700); err != nil && !os.IsExist(err) {
diff --git a/docker/docker.go b/docker/docker.go
index 30d43bc6a8..5367e759af 100644
--- a/docker/docker.go
+++ b/docker/docker.go
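Review bot: The new error on the `return nil, fmt.Errorf(...)` line tells the operator what is refused but not how to recover, and its constant, verb-less format string ending in `!` departs from the lowercase, unpunctuated error-string convention; something like `return nil, fmt.Errorf("SELinux is not supported with the btrfs graph driver; choose another driver with --storage-driver or start the daemon without --selinux-enabled")` would let an administrator act on it directly. Failing closed here is the right call, since silently running with mislabelled mountpoints would only surface later as the access failures the commit message describes, so the check itself is sound. One thing to confirm: the driver has already been constructed when this branch runs, so if `graphdriver.New` acquired state that the function's later error paths release, this early return should do the same; that cannot be seen from this hunk. `NewDaemonFromDirectory` begins and ends outside the hunk.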
@@ -66,7 +66,7 @@ func main() {
 flCa = flag.String([]string{"-tlscacert"}, dockerConfDir+defaultCaFile, "Trust only remotes providing a certificate signed by the CA given here")
 flCert = flag.String([]string{"-tlscert"}, dockerConfDir+defaultCertFile, "Path to TLS certificate file")
 flKey = flag.String([]string{"-tlskey"}, dockerConfDir+defaultKeyFile, "Path to TLS key file")
- flSelinuxEnabled = flag.Bool([]string{"-selinux-enabled"}, false, "Enable selinux support")
+ flSelinuxEnabled = flag.Bool([]string{"-selinux-enabled"}, false, "Enable selinux support. SELinux does not presently support the BTRFS storage driver")
 )
 flag.Var(&flDns, []string{"#dns", "-dns"}, "Force Docker to use specific DNS servers")
 flag.Var(&flDnsSearch, []string{"-dns-search"}, "Force Docker to use specific DNS search domains")
diff --git a/docs/man/docker.1.md b/docs/man/docker.1.md
index a7a826ed9f..602c6e2ace 100644
--- a/docs/man/docker.1.md
+++ b/docs/man/docker.1.md
@@ -74,7 +74,7 @@ unix://[/path/to/socket] to use.
 Print version information and quit. Default is false.
 **--selinux-enabled**=*true*|*false*
- Enable selinux support. Default is false.
+ Enable selinux support. Default is false. SELinux does not presently support the BTRFS storage driver.
 # COMMANDS
 **docker-attach(1)**
diff --git a/docs/sources/reference/commandline/cli.md b/docs/sources/reference/commandline/cli.md
index 301593f2f1..9a6d27f0eb 100644
--- a/docs/sources/reference/commandline/cli.md
+++ b/docs/sources/reference/commandline/cli.md
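Review bot: The new `--selinux-enabled` help text on the `+ flSelinuxEnabled` line describes the limitation but not its consequence, and it places the incompatibility on SELinux's side whereas the commit message attributes it to the btrfs graph driver's shared labels; operators reading the daemon's help output would be better served by `"Enable selinux support. Cannot be combined with the btrfs storage driver; the daemon refuses to start if both are set"`. The same sentence is repeated in the docs/man/docker.1.md and docs/sources/reference/commandline/cli.md hunks and should be kept in step with whatever wording is chosen here. `main` begins and ends outside the hunk.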
@@ -73,7 +73,7 @@ expect an integer, and they can only be specified once.
 -p, --pidfile="/var/run/docker.pid" Path to use for daemon PID file
 -r, --restart=true Restart previously running containers
 -s, --storage-driver="" Force the Docker runtime to use a specific storage driver
- --selinux-enabled=false Enable selinux support
+ --selinux-enabled=false Enable selinux support. SELinux does not presently support the BTRFS storage driver
 --storage-opt=[] Set storage driver options
 --tls=false Use TLS; implied by tls-verify flags
 --tlscacert="/home/sven/.docker/ca.pem" Trust only remotes providing a certificate signed by the CA given here