Browse code
issue2740: updates to debugging doc for SELinux intermittent label issue
gabemontero authored on 2015/07/15 00:29:58Showing 1 changed files
| ... | ... |
@@ -66,6 +66,20 @@ If this shows up in your build logs, restart docker and then resubmit a build: |
| 66 | 66 |
$ sudo systemctl restart docker |
| 67 | 67 |
$ oc start-build <your build identifier> |
| 68 | 68 |
|
| 69 |
+Another item seen stems from how OpenShift operates in a SELinux environment. The SELinux policy requires that host directories that are bind mounted have the svirt_sandbox_file_t label. Generally |
|
| 70 |
+this simply happens for you under the covers, but there is a growing list of user operations which hamper the registry deployment to the point where the svrt_sandbox_file_t label ends up missing, and you can see |
|
| 71 |
+various authentication or push failures. One example, when initiating a build: |
|
| 72 |
+ |
|
| 73 |
+ Failed to push image: Error pushing to registry: Server error: unexpected 500 response status trying to initiate upload of test/origin-ruby-sample |
|
| 74 |
+ |
|
| 75 |
+And when inspecting the Docker registry, you will see messages like this: |
|
| 76 |
+ |
|
| 77 |
+ 173.17.42.1 - - [03/Jun/2015:13:26:19 +0000] "POST /v2/test/origin-ruby-sample/blobs/uploads/ HTTP/1.1" 500 203 "" "docker/1.6.0 go/go1.4.2 kernel/3.17.4-301.fc21.x86_64 os/linux arch/amd64" |
|
| 78 |
+ |
|
| 79 |
+When this sequence occurs, without needing to restart Docker nor OpenShift, you can work around it by running the following command: |
|
| 80 |
+ |
|
| 81 |
+ $ sudo chcon -R -t svirt_sandbox_file_t < path to >/openshift.local.volumes |
|
| 82 |
+ |
|
| 69 | 83 |
Docker Registry |
| 70 | 84 |
--------------- |
| 71 | 85 |
|