From 511e67e5ab820c85ac6edb2fa7b214cdcd4bf30c Mon Sep 17 00:00:00 2001
From: Achilleas Pipinellis <axil@gitlab.com>
Date: Fri, 21 Jun 2019 14:05:03 +0000
Subject: Mention Container Scanning NFS bug and how to fix it

---
 .../application_security/container_scanning/index.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index a24374dff1d..4a2fb1d7190 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -40,6 +40,9 @@ To enable Container Scanning in your pipeline, you need:
   [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html#running-privileged-containers-for-the-runners)
   executor running in privileged mode. If you're using the shared Runners on GitLab.com,
   this is enabled by default.
+- Docker `18.09.03` or higher installed on the machine where the Runners are
+  running. If you're using the shared Runners on GitLab.com, this is already
+  the case.
 - To [build and push](../../../ci/docker/using_docker_build.md#container-registry-examples)
   your Docker image to your project's [Container Registry](../../project/container_registry.md).
   The name of the Docker image should match the following scheme:
@@ -202,3 +205,20 @@ vulnerabilities in your groups and projects. Read more about the
 
 Once a vulnerability is found, you can interact with it. Read more on how to
 [interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
+
+## Troubleshooting
+
+### docker: Error response from daemon: failed to copy xattrs
+
+When the GitLab Runner uses the Docker executor and NFS is used
+(e.g., `/var/lib/docker` is on an NFS mount), Container Scanning might fail with
+an error like the following:
+
+```
+docker: Error response from daemon: failed to copy xattrs: failed to set xattr "security.selinux" on /path/to/file: operation not supported.
+```
+
+This is a result of a bug in Docker which is now [fixed](https://github.com/containerd/continuity/pull/138 "fs: add WithAllowXAttrErrors CopyOpt").
+To prevent the error, ensure the Docker version that the Runner is using is
+`18.09.03` or higher. For more information, see
+[issue #10241](https://gitlab.com/gitlab-org/gitlab-ee/issues/10241 "Investigate why Container Scanning is not working with NFS mounts").
-- 
cgit v1.2.1