SELinux causes “Permission denied” issue when using docker

I am using docker on RHEL 7. After mounting a host directory into a container, something interesting happens: although I am the root user and seem to have all permissions, the system reports “Permission denied” when executing commands:

# docker run -v /root:/test --rm -it debian ls /test
ls: cannot open directory /test: Permission denied

After some tough investigation, I found that the root cause is SELinux:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

The current SELinux mode is enforcing, and I have two solutions for it so far:

(1)

Add the --privileged option to the docker run command:

# docker run --privileged -v /root:/test --rm -it debian ls /test
Desktop    Pictures   anaconda-ks.cfg       linuxamd64_12102_database_1of2.zip
Documents  Public     database              linuxamd64_12102_database_2of2.zip
Downloads  Templates  docker-oracle12c      sysdig
Music      Videos     initial-setup-ks.cfg

(2)

Set the SELinux mode to permissive:

# setenforce 0
# docker run -v /root:/test --rm -it debian ls /test
Desktop    Downloads  Pictures  Templates  anaconda-ks.cfg  docker-oracle12c      linuxamd64_12102_database_1of2.zip  sysdig
Documents  Music      Public    Videos     database         initial-setup-ks.cfg  linuxamd64_12102_database_2of2.zip
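To confirm that SELinux, and not ordinary file permissions, is what blocks the container, the audit log can be checked for AVC denials whose source domain is a container type. The following is an added example, not part of the original post; the log records are constructed, and the type names (svirt_lxc_net_t, container_t, admin_home_t) are the ones targeted policy normally uses, assumed here rather than taken from the post.

```shell
#!/usr/bin/env bash
# Constructed sample of audit records in the format of /var/log/audit/audit.log.
# svirt_lxc_net_t is the container process type in RHEL 7 policy; container_t
# is its name in later policy releases.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1456360718.123:456): avc:  denied  { read } for  pid=1234 comm="ls" name="root" dev="dm-0" ino=201326721 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1456360718.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="ls"
type=AVC msg=audit(1456360720.001:457): avc:  denied  { name_bind } for  pid=900 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Read audit records on stdin; print "comm perms tclass source_type target_type"
# for every AVC denial whose source domain is a container type.
container_denials() {
  awk '
    $1 == "type=AVC" && / denied / {
      perms = ""; comm = ""; src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # Permissions are listed between "{" and "}".
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perms = perms (perms == "" ? "" : ",") $j
        }
        else if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
        else if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
        else if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src ~ /^(svirt_lxc_net_t|container_t)$/)
        print comm, perms, cls, src, tgt
    }'
}

# Run against the constructed sample; only the container denial is reported.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | container_denials
```

On a live host the same function can read the output of `ausearch -m avc -ts recent`. When it shows a container domain denied on a host file type, labelling a dedicated data directory with docker's `:Z` volume option (for example a hypothetical `-v /srv/appdata:/test:Z`) lets the mount work with SELinux still enforcing and without `--privileged`; system directories such as /root should not be relabelled this way.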

References:
Why does docker prompt “Permission denied” when backing up the data volume?
Why does docker container prompt “Permission denied”?


Fix “TNS-01106: Listener using listener name LISTENER has already been started” error

I use docker-oracle12c to run Oracle in docker. When starting the listener, it outputs the following:

$ lsnrctl start

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 25-FEB-2016 00:38:38

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

TNS-01106: Listener using listener name LISTENER has already been started

This was the first time I had met the TNS-01106 error, so I tried “lsnrctl status” to check the listener status:

$ lsnrctl status

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 25-FEB-2016 00:38:52

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
TNS-12541: TNS:no listener
 TNS-12560: TNS:protocol adapter error
  TNS-00511: No listener
   Linux Error: 2: No such file or directory

No listener is running, so what is wrong? After checking the configuration file, I found that the file name was misspelled as listerner.ora, not listener.ora! After correcting the name, “lsnrctl start” runs successfully:

$ lsnrctl start

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 25-FEB-2016 00:41:25

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Starting /app/oracle/product/12.1.0/dbhome_1/bin/tnslsnr: please wait...
......

P.S. If there are configuration errors in listener.ora, such as the port number or host address, they also induce this error.

Install ncurses-devel package when building htop

I downloaded htop 2.0.0 and wanted to build it from source on RHEL 7.1, but “./configure” output the following errors:

......
checking for addnwstr in -lncursesw6... no
checking for addnwstr in -lncursesw... no
checking for addnwstr in -lncurses... no
configure: error: You may want to use --disable-unicode or install libncursesw.

The solution is to install the ncurses-devel package:

yum install ncurses-devel

After that, the configure and build steps run smoothly.


How to pull docker image behind proxy on RHEL7?

My host OS is RHEL7, and it is running behind a proxy. The output of executing docker run hello-world looks like this:

# docker run hello-world
Unable to find image 'hello-world:latest' locally
Trying to pull repository registry.access.redhat.com/hello-world ... failed
Trying to pull repository docker.io/library/hello-world ... failed
Error while pulling image: Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate is valid for FG3K6C3A15800021, not index.docker.io

The image pull failed, so I need to configure the proxy to make docker work correctly:

(1) Add the proxy info to the /etc/sysconfig/docker file:

HTTP_PROXY="http://web-proxy.corp.xxxxxx.com:8080"
HTTPS_PROXY="http://web-proxy.corp.xxxxxx.com:8080"
http_proxy="${HTTP_PROXY}"
https_proxy="${HTTPS_PROXY}"

(2) Restart the docker service:

# service docker restart

Docker now works OK:

# docker run hello-world
Unable to find image 'hello-world:latest' locally
Trying to pull repository registry.access.redhat.com/hello-world ... not found
Trying to pull repository docker.io/library/hello-world ... latest: Pulling from library/hello-world
3f12c794407e: Pull complete
975b84d108f1: Pull complete
......

References:
Cannot download Docker images behind a proxy

Install sysdig on RHEL7

The manual for the advanced installation of sysdig focuses on RHEL6 only. To install sysdig on RHEL7, you just need to modify this step:

2) Install the EPEL repository
......
rpm -i http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm

We should install EPEL7 for RHEL7:

yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

The other steps are the same! Then you can play with sysdig now!