Resolving Docker CE Installation Dependencies on RHEL 7.3: Complete Solution for container-selinux >= 2.9

Keywords: Docker CE | RHEL 7.3 | container-selinux | dependency resolution | SELinux policy

Abstract: This article provides an in-depth exploration of the container-selinux dependency issue encountered when installing Docker Community Edition on Red Hat Enterprise Linux 7.3 systems. By analyzing official recommendations and alternative approaches, it details how to properly enable the rhel-7-server-extras-rpms repository and manually install specific package versions from CentOS repositories. The discussion also covers SELinux policy compatibility and version selection best practices, offering system administrators a comprehensive troubleshooting guide.

Problem Context and Error Analysis

When installing Docker Community Edition on Red Hat Enterprise Linux 7.3 systems, users frequently encounter the following dependency error:

Error: Package: docker-ce-17.06.0.ce-1.el7.centos.x86_64 (docker-ce-stable)
           Requires: container-selinux >= 2.9

This error indicates that the system lacks the container-selinux package required for Docker CE installation. container-selinux is an SELinux policy module that provides essential security contexts and access control rules for container runtimes. Docker CE version 17.06 and later requires at least container-selinux version 2.9 to ensure secure isolation between containers and the host system.

Official Recommended Solution

According to Red Hat official documentation and best practices, the most recommended solution is to enable the rhel-7-server-extras-rpms repository. This repository contains additional software packages maintained by Red Hat, including container-selinux.

The command to enable this repository is:

subscription-manager repos --enable=rhel-7-server-extras-rpms

After executing this command, the system will be able to access the container-selinux package provided by Red Hat. Docker CE can then be installed normally:

sudo yum -y install docker-ce

The main advantages of this approach include:

Receiving Red Hat official support
Automatic dependency resolution
Ensuring package compatibility with other system components
Support for subsequent updates via yum

Alternative Approach: Installation from CentOS Repository

If Red Hat official repositories cannot be enabled, consider obtaining the container-selinux package from CentOS repositories. As a community rebuild of RHEL, CentOS packages are generally compatible with RHEL.

The specific operational steps are:

Access the CentOS Extras repository: http://mirror.centos.org/centos/7/extras/x86_64/Packages/
Find the latest version of the container-selinux package (e.g., container-selinux-2.21-1.el7.noarch.rpm)
Use yum to directly install the remote RPM package:

sudo yum install -y http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.21-1.el7.noarch.rpm

It is important to note that container-selinux versions are constantly updated, so it is recommended to always use the latest version available in the repository. After installation, the Docker CE installation process can proceed.

Version Compatibility Considerations

In some cases, users may encounter deeper dependency issues. For example, newer versions of container-selinux may require higher versions of selinux-policy:

Error: Package: 2:container-selinux-2.74-1.el7.noarch
Requires: selinux-policy >= 3.13.1-216.el7

For RHEL 7.3 systems, a viable solution is to install a specific version of container-selinux. Compatible versions can be obtained from the CentOS Vault repository:

yum install http://vault.centos.org/centos/7.3.1611/extras/x86_64/Packages/container-selinux-2.9-4.el7.noarch.rpm

While this method resolves immediate dependency issues, note that:

Installing older versions may lack certain security updates
May be incompatible with future Docker version upgrades
Recommended to validate in a test environment before applying to production systems

Complete Installation Process Example

Based on the above analysis, the following is the recommended complete process for installing Docker CE on RHEL 7.3:

# Step 1: Enable Red Hat official repository (preferred)
subscription-manager repos --enable=rhel-7-server-extras-rpms

# Or Step 1 alternative: Install container-selinux from CentOS
# sudo yum install -y http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.21-1.el7.noarch.rpm

# Step 2: Install necessary tools
sudo yum install -y yum-utils device-mapper-persistent-data lvm2

# Step 3: Add Docker CE repository
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

# Step 4: Install Docker CE
sudo yum install -y docker-ce

# Step 5: Start Docker service
sudo systemctl start docker
sudo systemctl enable docker

Technical Principle Deep Analysis

The core function of the container-selinux package is to define SELinux policies for container runtimes. In Linux systems, SELinux provides an additional security layer through Mandatory Access Control (MAC) mechanisms. When containers start, they require specific SELinux contexts to:

Limit the permission scope of container processes
Control container access to host resources
Prevent unauthorized interactions between containers
Audit security-related events

New features introduced in Docker CE 17.06 enhanced container security requirements, necessitating newer versions of container-selinux. Version 2.9 and later include fixes for container vulnerabilities and improved policy rules.

Best Practice Recommendations

Based on community experience and official documentation, the following best practices are recommended:

Prioritize Red Hat Official Repositories: Ensure packages receive official support, facilitating problem diagnosis and system maintenance.
Maintain System Updates: Regularly run yum update to ensure all components, including SELinux policies, remain current.
Verify Compatibility: Validate Docker version compatibility with system components in a test environment before production deployment.
Monitor Security Advisories: Follow Red Hat and Docker security advisories and promptly apply security updates.
Consider Long-Term Support Versions: For production environments, consider using Docker EE or RHEL's built-in container solutions for more stable support cycles.

Extended Troubleshooting

If the above methods still fail to resolve the issue, consider the following extended troubleshooting steps:

Check SELinux status: sestatus
Verify repository configuration: yum repolist
Clear yum cache: yum clean all
View detailed error information: yum install docker-ce --verbose
Consider temporarily disabling SELinux for testing (diagnostic only, not recommended for production)

By systematically resolving the container-selinux dependency issue, not only can Docker CE be successfully installed, but container environment security and stability can also be ensured, laying a solid foundation for subsequent containerized application deployment.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.