Installation errors with SELinux enabled

If you have Security-Enhanced Linux (SELinux) enabled, you can encounter the following errors when you are installing IBM Cloud Private:

Permission denied when running Docker

Symptom: Permission denied when running Docker

When SELinux is enabled, you encounter a "permission denied" error when you run the docker run command. The command and resulting error can resemble the following command and output:

# sudo docker run  -v $(pwd):/data:z  -e LICENSE=accept ibmcom/icp-inception-amd64:3.2.1-ee cp -r cluster /data
standard_init_linux.go:190: exec user process caused "permission denied"

Causes: Permission denied when running Docker

The Docker files on the host do not have the correct SELinux security context.

Resolving the problem: Permission denied when running Docker

Run the following command to set the expected SELinux security context:

/usr/sbin/restorecon -R /usr/bin/docker* /var/run/docker.sock /var/run/docker.pid /etc/docker /usr/lib/systemd/system/docker.service

Install failure when copying hyperkube

Symptom: Install failure when copying hyperkube

When SELinux is enabled, the installation of IBM Cloud Private fails when you run the following command:

sudo docker run --net=host -t -e LICENSE=accept -v "$(pwd)":/installer/cluster:z ibmcom/icp-inception-amd64:3.2.1 install

The resulting error log includes the following details:

TASK [kubelet-config : Copying hyperkube onto operating system] ****************
FAILED - RETRYING: Copying hyperkube onto operating system (3 retries left).
FAILED - RETRYING: Copying hyperkube onto operating system (2 retries left).
FAILED - RETRYING: Copying hyperkube onto operating system (1 retries left).
fatal: [172.16.181.137]: FAILED! => changed=true
  attempts: 3
  cmd: docker run --rm -v /opt/kubernetes/:/data:z mycluster.icp:8500/ibmcom/hyperkube:v1.13.7-ee sh -c 'cp -f /hyperkube /data/'
  delta: '0:00:02.413875'
  end: '2019-03-20 07:55:32.436609'
  msg: non-zero return code
  rc: 127
  start: '2019-03-20 07:55:30.022734'
  stderr: 'cp: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied'
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>

Causes: Install failure when copying hyperkube

The installed container-selinux package is not at the required version level.

Resolving the problem: Install failure when copying hyperkube

Upgrade your container-selinux package. Check which version of the package is installed by running the following command:

rpm -q container-selinux

If your container-selinux package version is not container-selinux-2.68-1.el7.noarch, upgrade the package to this version. You can download the container-selinux-2.68-1.el7.noarch.rpm RPM installation package from the CentOS Project website.

After the package is downloaded, run the following commands to upgrade the container-selinux package:

rpm -e container-selinux
rpm -ivh container-selinux-2.68-1.el7.noarch.rpm

On a fresh install, the container-selinux RPM package runs restorecon -R -v /var/lib/docker. This process can take a few minutes to complete.
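
The following read-only check covers both problems on this page: it reports Docker paths whose SELinux label differs from the policy default, and it compares the installed container-selinux build with the required one. It is an added example, not part of the IBM Cloud Private installer; it assumes the matchpathcon utility is installed, and the function names, variable names and sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only check for the two SELinux problems on this page.
# Function and variable names are hypothetical.

# Paths taken from the restorecon command on this page.
DOCKER_PATHS="/usr/bin/docker* /var/run/docker.sock /var/run/docker.pid /etc/docker /usr/lib/systemd/system/docker.service"
# Package build that this page requires.
REQUIRED_PKG="container-selinux-2.68-1.el7.noarch"

# Constructed sample of `matchpathcon -V` output, for trying the parser offline.
SAMPLE='/usr/bin/docker has context system_u:object_r:bin_t:s0, should be system_u:object_r:container_runtime_exec_t:s0
/etc/docker verified.'

# Reads `matchpathcon -V` output on stdin. Prints "path current expected" for
# each path whose label differs from the policy default; returns 1 if any differ.
mislabeled() {
    awk '$2 == "has" && $3 == "context" {
             sub(/,$/, "", $4); print $1, $4, $NF; bad = 1
         }
         END { exit bad + 0 }'
}

# Succeeds only when the `rpm -q container-selinux` output passed as $1
# names the required build.
pkg_ok() { [ "$1" = "$REQUIRED_PKG" ]; }

if command -v matchpathcon >/dev/null 2>&1; then
    # $DOCKER_PATHS is unquoted so the shell splits it and expands docker*.
    if ! matchpathcon -V $DOCKER_PATHS 2>/dev/null | mislabeled; then
        echo "Labels above differ from policy: run the restorecon command."
    fi
else
    echo "matchpathcon not found; parsing the constructed sample instead:"
    printf '%s\n' "$SAMPLE" | mislabeled || true
fi

if command -v rpm >/dev/null 2>&1; then
    pkg_ok "$(rpm -q container-selinux 2>/dev/null)" ||
        echo "container-selinux is not $REQUIRED_PKG: upgrade the package."
fi
```

Run it before the installation and again after the restorecon command or the package upgrade; the script changes nothing on the host.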