Whenever I try to pull an image with Docker on my Fedora 28 system, the connections time out waiting for headers. Disabling SELinux fixes the problem, and the images are pulled successfully from the registries.
Note: This happens if I disable SELinux (setenforce 0).
$ docker run -it --rm centos:latest bash
Unable to find image 'centos:latest' locally
Trying to pull repository docker.io/library/centos ...
sha256:67b491e26d566ee9c55578bfd6115554a6e1b805a49502ead32cb1a324466f2c: Pulling from docker.io/library/centos
987d765a926d: Pull complete
Digest: sha256:67b491e26d566ee9c55578bfd6115554a6e1b805a49502ead32cb1a324466f2c
Status: Downloaded newer image for docker.io/centos:latest
What happens when SELinux is enabled:
$ docker run -it --rm centos:latest bash
Unable to find image 'centos:latest' locally
Trying to pull repository docker.io/library/centos ...
Trying to pull repository registry.fedoraproject.org/centos ...
Trying to pull repository quay.io/centos ...
Trying to pull repository registry.access.redhat.com/centos ...
Trying to pull repository docker.io/library/centos ...
/usr/bin/docker-current: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).
See '/usr/bin/docker-current run --help'.
I have noticed this in the last few Fedora releases, but I did not have a chance to debug it until recently.
I tried the following to debug my problem:
audit.log
I configured Docker to run in debug mode, per the /etc/docker/daemon.json file:
{
"debug": true
}
I followed the systemd logs for Docker (journalctl -f -u docker), but it did not provide any new information.
Jun 04 13:31:59 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:31:59.125852937-05:00" level=error msg="Handler for POST /v1.26/containers/create returned error: No such image: centos:latest"
Jun 04 13:32:14 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:32:14.130985506-05:00" level=warning msg="Error getting v2 registry: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Jun 04 13:32:14 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:32:14.131117960-05:00" level=error msg="Attempting next endpoint for pull after error: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Jun 04 13:34:29 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:34:29.142313716-05:00" level=warning msg="Error getting v2 registry: Get https://registry.fedoraproject.org/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Jun 04 13:34:29 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:34:29.142431187-05:00" level=error msg="Attempting next endpoint for pull after error: Get https://registry.fedoraproject.org/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Jun 04 13:36:44 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:36:44.248503828-05:00" level=error msg="Attempting next endpoint for pull after error: Get https://registry.fedoraproject.org/v1/_ping: dial tcp: i/o timeout"
Jun 04 13:38:59 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:38:59.319214287-05:00" level=warning msg="Error getting v2 registry: Get https://quay.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Jun 04 13:38:59 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:38:59.319842249-05:00" level=error msg="Attempting next endpoint for pull after error: Get https://quay.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Jun 04 13:41:14 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:41:14.351227680-05:00" level=error msg="Attempting next endpoint for pull after error: Get https://quay.io/v1/_ping: dial tcp: i/o timeout"
Jun 04 13:43:29 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:43:29.459856743-05:00" level=warning msg="Error getting v2 registry: Get https://registry.access.redhat.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Jun 04 13:43:29 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:43:29.459965386-05:00" level=error msg="Attempting next endpoint for pull after error: Get https://registry.access.redhat.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Jun 04 13:45:44 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:45:44.524412574-05:00" level=error msg="Attempting next endpoint for pull after error: Get https://registry.access.redhat.com/v1/_ping: dial tcp: i/o timeout"
Jun 04 13:45:59 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:45:59.526067302-05:00" level=warning msg="Error getting v2 registry: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Jun 04 13:45:59 fossbook.justinwflory.com dockerd-current[5056]: time="2018-06-04T13:45:59.526139072-05:00" level=error msg="Attempting next endpoint for pull after error: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
I followed audit.log for more information, but I did not see any type=USER_AVC issues in the log for the time period when I used Docker.
I am completely stumped by this. I do not know how to debug it further. Is there any way to solve this problem without disabling SELinux on my system?
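The audit.log check described in the post, widened to kernel type=AVC records as well as type=USER_AVC and limited to a time window; this is an added example, not part of the original post. The function names, the sample records and the epoch bounds are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize SELinux denials from audit.log within a time window.
# Kernel denials are type=AVC; userspace object managers log type=USER_AVC.

# Constructed sample records (not taken from the poster's system).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1528100000.010:101): avc:  denied  { read } for  pid=900 comm="cupsd" name="x" dev="dm-0" ino=7 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1528137119.125:421): avc:  denied  { name_connect } for  pid=5056 comm="dockerd-current" dest=443 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1528137119.125:421): arch=c000003e syscall=42 success=no comm="dockerd-current" exe="/usr/bin/dockerd-current"
type=AVC msg=audit(1528137134.130:422): avc:  denied  { name_connect } for  pid=5056 comm="dockerd-current" dest=443 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AVC msg=audit(1528137200.000:430): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd"'
EOF
}

# avc_denials START END: audit records on stdin, bounds in epoch seconds.
# Prints "<count> <type> <comm> {<perms>} <tclass> <scontext> -> <tcontext>".
avc_denials() {
    awk -v start="$1" -v end="$2" '
    function field(name,   v) {
        # Return the value of a " name=value" pair, or "-" when it is absent.
        if (!match($0, " " name "=[^ ]+")) return "-"
        v = substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub(/"/, "", v)
        return v
    }
    /^type=(AVC|USER_AVC) / && / denied / {
        # Record timestamp has the form msg=audit(EPOCH.millis:serial).
        if (!match($0, /audit\([0-9]+/)) next
        ts = substr($0, RSTART + 6, RLENGTH - 6) + 0
        if (ts < start || ts > end) next
        perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        key = substr($1, 6) " " field("comm") " {" perms "} " field("tclass") " " field("scontext") " -> " field("tcontext")
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Window chosen to cover the constructed dockerd-current records above.
sample_audit_log | avc_denials 1528137000 1528138000
```

On a live system the input is /var/log/audit/audit.log (readable by root) with the epoch bounds of the failed pull; denials covered by dontaudit rules are not logged at all until those rules are temporarily disabled with `semodule -DB` (restore with `semodule -B`).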