Docker: Failure To Run Docker Containers With "process_linux.go:430: container init caused \"write /proc/self/attr/keycreate: permission denied\": unknown" (Doc ID 2602479.1)

Last updated on SEPTEMBER 23, 2022

Applies to:

Symptoms

Starting containers fails with below error,

docker: Error response from daemon: OCI runtime create failed:container_linux.go:345: starting container process caused "process_linux.go:430: container init caused \"write /proc/self/attr/keycreate: permission denied\"": unknown.
ERRO[0002] error waiting for container: context canceled

Below message is logged in the /var/log/audit/audit.log file,

type=AVC msg=audit(1568665975.479:2659): avc: denied { create } for pid=24597 comm="runc:[2:INIT]" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=key permissive=0

NOTE: The customer was using Docker EE which is supported to be installed on Oracle Linux as per Docker website
          Also, the customer in the mentioned SR was running RHCK. 
          Oracle Support only assists with issues faced with Oracle Container Runtime for Docker User's Guide
          But in this case it was found the issue was with container-selinux package which is provided by Oracle in the yum repository.
          The issue is similar to what is described in https://github.com/moby/moby/issues/39109 /Internal_Only>

Changes

No changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.