Troubleshooting Docker stuck in restarting mode
Problem
The container stays stuck in the Restarting status, as shown below:
# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6c133ce907a7 container-registry.docker.hub.com/os/registry:latest "registry serve /etc…" 18 minutes ago Restarting (1) 31 seconds ago registry
The Solution
The container log reports 'permission denied' when opening the certificate file:
# docker logs 6c133ce907a7
time="2019-04-12T01:38:15Z" level=fatal msg="open /registry_data/conf.d/domain.crt: permission denied"
time="2019-04-12T01:38:16Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.6.2 instance.id=b5dcc661-f8e2-4bc1-b915-576a5dce098b version=v2.4.1
time="2019-04-12T01:38:16Z" level=info msg="redis not configured" go.version=go1.6.2 instance.id=b5dcc661-f8e2-4bc1-b915-576a5dce098b version=v2.4.1
time="2019-04-12T01:38:16Z" level=info msg="Starting upload purge in 26m0s" go.version=go1.6.2 instance.id=b5dcc661-f8e2-4bc1-b915-576a5dce098b version=v2.4.1
time="2019-04-12T01:38:16Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.6.2 instance.id=b5dcc661-f8e2-4bc1-b915-576a5dce098b version=v2.4.1
time="2019-04-12T01:38:16Z" level=fatal msg="open /registry_data/conf.d/domain.crt: permission denied"
The file permissions look correct:
# ll /var/lib/registry/conf.d/
total 8
-rw-r--r--. 1 root root 2114 Apr 12 01:20 domain.crt
-rw-------. 1 root root 3268 Apr 12 01:20 domain.key
SELinux is enabled and in enforcing mode, and the SELinux security context of the certificate file is incorrect (its type is var_lib_t):
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
# ls -lZd /var/lib/registry/conf.d/domain.crt
-rw-r--r--. root root unconfined_u:object_r:var_lib_t:s0 /var/lib/registry/conf.d/domain.crt
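To solve this problem, follow the steps below:
1. Disable SELinux enforcement temporarily (this switches the whole host to permissive mode until the next reboot or until setenforce 1 is run):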
# setenforce 0
2. Restart the docker container:
# docker stop 6c133ce907a7
# docker start 6c133ce907a7
3. Check the container status:
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6c133ce907a7 container-registry.docker.hub.com/os/registry:latest "registry serve /etc…" 30 minutes ago Up 3 seconds 0.0.0.0:5000->5000/tcp registry
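An added example, not part of the original post: the ls -lZd output above shows type var_lib_t on domain.crt, which is what the confined container process is denied. The script below parses ls -Z lines and prints persistent relabel commands for files whose type is not a container type, so the file can be fixed while SELinux stays in enforcing mode. It assumes the container-selinux type names container_file_t and svirt_sandbox_file_t and paths without spaces; the second sample line is constructed.

```shell
#!/bin/sh
# Added example: flag files whose SELinux type a confined container cannot read.
# Assumption: container-selinux policy, where container_file_t (older alias
# svirt_sandbox_file_t) is the type for content shared with containers.
CONTAINER_TYPES="container_file_t svirt_sandbox_file_t"

# Print the type field (3rd of user:role:type:level) found in one `ls -Z` line.
selinux_type() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' |
        awk -F: 'NF >= 4 && $2 ~ /_r$/ { print $3; exit }'
}

# Return 0 when the given type is one a container may read, 1 otherwise.
is_container_readable() {
    for t in $CONTAINER_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Read `ls -Z` lines on stdin; for each mislabeled path print (not run) the
# commands that record the new type in policy and apply it to the file.
suggest_relabel() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ctx_type=$(selinux_type "$line")
        [ -n "$ctx_type" ] || continue      # no SELinux context on this line
        path=${line##* }                    # last field; assumes no spaces
        if ! is_container_readable "$ctx_type"; then
            printf "semanage fcontext -a -t container_file_t '%s'\n" "$path"
            printf "restorecon -v '%s'\n" "$path"
        fi
    done
}

# Sample input: line 1 is the output shown on this page, line 2 is constructed
# to show a file that already carries a container type.
SAMPLE='-rw-r--r--. root root unconfined_u:object_r:var_lib_t:s0 /var/lib/registry/conf.d/domain.crt
-rw-------. root root system_u:object_r:container_file_t:s0 /var/lib/registry/conf.d/domain.key'

printf '%s\n' "$SAMPLE" | suggest_relabel
```

Feed it real data with ls -Z /var/lib/registry/conf.d/ | suggest_relabel, run the printed commands as root, then restart the container with enforcing mode left on.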