Bug 1096375
Summary: | Unable to run groupadd in container using centos image | | |
---|---|---|---|
Product: | [Retired] Atomic | Reporter: | Andy Goldstein <agoldste> |
Component: | docker-io | Assignee: | Lokesh Mandvekar <lsm5> |
Status: | CLOSED CANTFIX | QA Contact: | |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | unspecified | CC: | dwalsh, jkeck, jpazdziora, mads, walters |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-06-03 20:42:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Andy Goldstein
2014-05-09 18:53:28 UTC
Likely a regression from https://github.com/dotcloud/docker/pull/5445

For SELinux we really need /proc/self/.../fscreate to be writable. Though...since we don't actually have SELinux in the containers, userspace shouldn't even be trying to write to them.

What centos image are you using? I tried centos6 0b443ba03958 from the upstream registry and groupadd worked.

I'm using the same 0b443ba03958:

```
-bash-4.2# docker images
REPOSITORY   TAG         IMAGE ID       CREATED         VIRTUAL SIZE
fedora       rawhide     5cc9e91966f7   4 hours ago     372.7 MB
fedora       20          b7de3133ff98   2 weeks ago     372.7 MB
fedora       heisenbug   b7de3133ff98   2 weeks ago     372.7 MB
fedora       latest      b7de3133ff98   2 weeks ago     372.7 MB
centos       centos6     0b443ba03958   3 weeks ago     297.6 MB
centos       latest      0b443ba03958   3 weeks ago     297.6 MB
centos       6.4         539c0211cd76   13 months ago   300.6 MB
-bash-4.2# docker run --rm centos groupadd foo
groupadd: failure while writing changes to /etc/group
```

Right, sorry, the machine I ran it on had SELinux disabled due to https://bugzilla.redhat.com/show_bug.cgi?id=1060423

So...one option is to change the kernel to fake out userspace into thinking SELinux is disabled.

From what I can see shadow is opening /proc/self/attr/current which works, since it does have a domain.

Lennart said nspawn mounts /proc as read-write and just /proc/sys as readonly. We should probably switch to that. Lemme try that.

Merged upstream

Lokesh can you get this pull request into the next docker image.

Does the change go to the docker-io package or to the images themselves? Or does the change go to the docker-io package and affect what the generated images will look like?

(In reply to Jan Pazdziora from comment #9)
> Does the change go to the docker-io package

Just to the package, no effect on the images. However there is also a patch http://lists.centos.org/pipermail/centos-devel/2014-May/010345.html to fix the centos6 image for this as well.

I have a fix for us shipping the RHEL6.5 image with a new version of libselinux. I also sent a patch to centos which they can use to fix this problem. Other than that there is nothing we can do to fix this problem until centos ships a new image with the fixed libselinux.
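As an added diagnostic, not from the bug thread or from docker itself: the script below reads /proc/self/mountinfo inside a container and reports whether /proc is read-only (the layout under which groupadd fails here), fully read-write, or read-write with only /proc/sys read-only (the nspawn layout the thread switches to). The function names and the sample mountinfo lines are constructed for this example.

```shell
#!/bin/sh
# Added example: classify the /proc layout a container sees from /proc/self/mountinfo.
# mountinfo fields: ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTIONS ... ; the first entry of
# OPTIONS is "rw" or "ro", which decides whether libselinux in the image can write
# /proc/self/attr/fscreate (what groupadd trips over in this bug).

# mount_mode MOUNTPOINT: reads mountinfo lines on stdin and prints the first
# per-mount option (rw or ro) of that mount point, or "absent" if it is not a mount.
mount_mode() {
  mp=$1
  mode=absent
  while read -r _id _parent _dev _root point opts _rest; do
    if [ "$point" = "$mp" ]; then
      mode=${opts%%,*}
      break
    fi
  done
  echo "$mode"
}

# proc_layout: reads mountinfo lines on stdin and prints one of
#   proc-ro      whole of /proc read-only (groupadd fails: fscreate not writable)
#   nspawn-style /proc read-write, only /proc/sys read-only (the layout adopted here)
#   proc-rw      /proc fully writable
#   no-proc      no /proc mount at all
proc_layout() {
  info=$(cat)
  proc=$(printf '%s\n' "$info" | mount_mode /proc)
  sys=$(printf '%s\n' "$info" | mount_mode /proc/sys)
  case "$proc:$sys" in
    ro:*)  echo proc-ro ;;
    rw:ro) echo nspawn-style ;;
    rw:*)  echo proc-rw ;;
    *)     echo no-proc ;;
  esac
}

# Constructed mountinfo samples (not captured from the reporter's host).
MOUNTINFO_RO='36 35 0:31 / /proc ro,nosuid,nodev,noexec,relatime - proc proc rw'
MOUNTINFO_NSPAWN='36 35 0:31 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
37 36 0:31 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw'

# When run directly, report the layout of the container (or host) this runs in.
if [ -r /proc/self/mountinfo ]; then
  proc_layout </proc/self/mountinfo
fi
```

Run it with `docker run --rm <image> sh /path/to/script.sh` to see which layout a given docker version hands to the container.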