Installation errors with SELinux enabled

If you have Security-Enhanced Linux (SELinux) enabled, you can encounter the following errors when you are installing IBM Cloud Private:

Symptom - Permission denied when running Docker

When SELinux is enabled, you encounter a "permission denied" error when you run the docker run command. The command and the resulting error resemble the following:

# sudo docker run -v $(pwd):/data:z -e LICENSE=accept ibmcom/icp-inception-amd64:3.1.2-ee cp -r cluster /data
standard_init_linux.go:190: exec user process caused "permission denied"

Causes

Docker does not include the correct SELinux security context setting.

Resolving the problem

Run the following command to set the expected SELinux security context:

/usr/sbin/restorecon -R /usr/bin/docker* /var/run/docker.sock /var/run/docker.pid /etc/docker /usr/lib/systemd/system/docker.service
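Before relabeling, it is worth confirming that the paths in the restorecon command really carry the wrong SELinux type; the following script is an added example and is not part of the IBM Cloud Private documentation. It compares the context a file has (stat -c %C) with the context the policy expects for that path (matchpathcon -n) and reports only the type field, since that is what restorecon resets. The sample lines embedded in the script are constructed, not captured from a real host, so the function can be exercised without SELinux present; the --live mode needs coreutils and libselinux-utils on an SELinux host.

```shell
#!/bin/sh
# Added example (not from the page): check whether the Docker paths that the
# page's restorecon command covers actually have a wrong SELinux type.

# The same paths the page passes to restorecon.
DOCKER_PATHS='/usr/bin/docker /var/run/docker.sock /var/run/docker.pid /etc/docker /usr/lib/systemd/system/docker.service'

# type_of CONTEXT -> prints the type field of a full context,
# e.g. system_u:object_r:container_runtime_exec_t:s0 -> container_runtime_exec_t
type_of() {
  printf '%s\n' "$1" | cut -d: -f3
}

# count_mismatches reads lines "PATH ACTUAL_CONTEXT EXPECTED_CONTEXT" on stdin,
# writes one MISMATCH line per path whose type differs to stderr, and prints
# the number of mismatches on stdout.
count_mismatches() {
  n=0
  while read -r path actual expected; do
    [ -z "$path" ] && continue
    if [ "$(type_of "$actual")" != "$(type_of "$expected")" ]; then
      printf 'MISMATCH %s is %s, should be %s\n' "$path" "$actual" "$expected" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# gather_contexts prints "PATH ACTUAL EXPECTED" for each existing path on a
# live SELinux host. Requires stat (coreutils) and matchpathcon (libselinux-utils).
gather_contexts() {
  for p in $DOCKER_PATHS; do
    [ -e "$p" ] || continue
    printf '%s %s %s\n' "$p" "$(stat -c %C "$p")" "$(matchpathcon -n "$p")"
  done
}

# Constructed sample input (assumed labels, not output from a real machine):
# two of the three paths carry a type that differs from the policy's expectation.
SAMPLE='/usr/bin/docker system_u:object_r:bin_t:s0 system_u:object_r:container_runtime_exec_t:s0
/etc/docker system_u:object_r:container_config_t:s0 system_u:object_r:container_config_t:s0
/var/run/docker.sock system_u:object_r:var_run_t:s0 system_u:object_r:container_var_run_t:s0'

# sample_mismatches runs the checker over the constructed sample.
sample_mismatches() {
  printf '%s\n' "$SAMPLE" | count_mismatches
}

# Usage: ./check_docker_labels.sh --live   (on an SELinux host)
if [ "${1:-}" = "--live" ]; then
  gather_contexts | count_mismatches
else
  sample_mismatches
fi
```

A non-zero count means the restorecon command above will change something; a zero count on a host that still shows the permission denied error points at a different cause, such as the container-selinux package version discussed in the next symptom.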

Symptom - Install failure when copying hyperkube

When SELinux is enabled, the installation of IBM Cloud Private fails when you run the following command:

sudo docker run --net=host -t -e LICENSE=accept -v "$(pwd)":/installer/cluster:z ibmcom/icp-inception-amd64:3.1.2-ee install

The resulting error log includes the following details:

TASK [kubelet-config : Copying hyperkube onto operating system] ****************
FAILED - RETRYING: Copying hyperkube onto operating system (3 retries left).
FAILED - RETRYING: Copying hyperkube onto operating system (2 retries left).
FAILED - RETRYING: Copying hyperkube onto operating system (1 retries left).
fatal: [172.16.181.137]: FAILED! => changed=true
  attempts: 3
  cmd: docker run --rm -v /opt/kubernetes/:/data:z mycluster.icp:8500/ibmcom/hyperkube:v1.12.4-ee sh -c 'cp -f /hyperkube /data/'
  delta: '0:00:02.413875'
  end: '2019-03-20 07:55:32.436609'
  msg: non-zero return code
  rc: 127
  start: '2019-03-20 07:55:30.022734'
  stderr: 'cp: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied'
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>

Causes

The installed container-selinux package, which provides the SELinux policy for containers, is not at the required version level.

Resolving the problem

Upgrade the container-selinux package. Check which version is installed by running the following command:

rpm -q container-selinux

If the installed version is not container-selinux-2.68-1.el7.noarch, upgrade the package to this version. You can download the container-selinux-2.68-1.el7.noarch.rpm RPM installation package from the CentOS Project website.

After the package is downloaded, run the following commands to replace the installed package:

rpm -e container-selinux
rpm -ivh container-selinux-2.68-1.el7.noarch.rpm

On a fresh install, the container-selinux RPM package runs restorecon -R -v /var/lib/docker, which can take a few minutes to complete.
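The version check above is easy to script across many nodes; the following is an added example, not part of the IBM Cloud Private documentation, that parses the string rpm -q container-selinux prints and decides whether it is older than the 2.68-1.el7 version the page names. It compares only the major and minor version numbers and the leading release number, which is an assumed simplification of rpm's own version ordering, and the package strings in the tests are constructed samples rather than output from a real host.

```shell
#!/bin/sh
# Added example (not from the page): decide from an `rpm -q container-selinux`
# string whether the package is older than the version the page requires.

REQUIRED_VERSION='2.68-1.el7'   # VERSION-RELEASE taken from the page

# version_of PKGSTRING -> prints VERSION-RELEASE from an rpm -q string,
# e.g. container-selinux-2.68-1.el7.noarch -> 2.68-1.el7
version_of() {
  printf '%s\n' "$1" | sed -e 's/^container-selinux-//' -e 's/\.noarch$//'
}

# needs_upgrade PKGSTRING -> exit status 0 (true) when the installed package
# is older than REQUIRED_VERSION, 1 otherwise. Compares major, then minor,
# then the leading release number; later versions are treated as acceptable
# (an assumption: the page only names the exact 2.68-1 version).
needs_upgrade() {
  inst=$(version_of "$1")
  iv=${inst%%-*}   rv=${REQUIRED_VERSION%%-*}   # 2.68 / 2.68
  ir=${inst#*-}    rr=${REQUIRED_VERSION#*-}    # 1.el7 / 1.el7
  ir=${ir%%.*}     rr=${rr%%.*}                 # leading release number
  imaj=${iv%%.*} imin=${iv#*.} rmaj=${rv%%.*} rmin=${rv#*.}
  if [ "$imaj" -ne "$rmaj" ]; then [ "$imaj" -lt "$rmaj" ]; return; fi
  if [ "$imin" -ne "$rmin" ]; then [ "$imin" -lt "$rmin" ]; return; fi
  [ "$ir" -lt "$rr" ]
}

# check_host queries rpm on the current node and prints a one-line verdict.
# Only meaningful on an RPM-based host; not exercised by the tests.
check_host() {
  installed=$(rpm -q container-selinux 2>/dev/null) || {
    echo "container-selinux is not installed"
    return 2
  }
  if needs_upgrade "$installed"; then
    echo "$installed is older than $REQUIRED_VERSION: upgrade required"
    return 1
  fi
  echo "$installed satisfies $REQUIRED_VERSION"
  return 0
}

# Usage: ./check_container_selinux.sh   (on an RPM-based SELinux host)
if [ "${1:-}" = "--live" ]; then
  check_host
fi
```

The exit status of check_host (0 satisfied, 1 upgrade required, 2 not installed) makes the script usable from a loop over cluster nodes with ssh before the installer is rerun.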