Bug 1098120 (libselinux_disabled)
| Summary: | Unable to build images that interact with /etc/groups | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Paolo Antinori <pantinor> |
| Component: | docker-io | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 20 | CC: | admiller, dwalsh, golang-updates, jkeck, lsm5, lsu, mattdm, mgoldman, michael.faille, oarribas, s, vbatts |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-03 20:51:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Paolo Antinori
2014-05-15 10:50:29 UTC
Found some evidence that the problem is wider and not related just to sshd. Building this simple image:

```
FROM centos:latest
MAINTAINER Paolo Antinori <paolo.antinori>
RUN yum install -y httpd ; yum -y clean all
CMD service httpd start ; bash
EXPOSE 80
```

gives this output and an httpd that does not run:

```
$ docker build --rm -t test .
Uploading context 2.56 kB
Uploading context
Step 0 : FROM centos:latest
 ---> 0b443ba03958
Step 1 : MAINTAINER Paolo Antinori <paolo.antinori>
 ---> Using cache
 ---> 4f53ca7a4051
Step 2 : RUN yum install -y httpd ; yum -y clean all
 ---> Running in 783dae15dd6c
Loaded plugins: fastestmirror
http://centosh2.centos.org/centos/6.5/updates/x86_64/repodata/d488729553d7cbc3cc08e719d084cfbab0740f8784827f632c1939c87ffdd7c3-primary.sqlite.bz2: [Errno 12] Timeout on http://centosh2.centos.org/centos/6.5/updates/x86_64/repodata/d488729553d7cbc3cc08e719d084cfbab0740f8784827f632c1939c87ffdd7c3-primary.sqlite.bz2: (28, 'Operation too slow. Less than 1 bytes/sec transfered the last 30 seconds')
Trying other mirror.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-30.el6.centos will be installed
--> Processing Dependency: httpd-tools = 2.2.15-30.el6.centos for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: initscripts >= 8.36 for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: apr-util-ldap for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.2.15-30.el6.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.3.9-5.el6_2 will be installed
---> Package apr-util.x86_64 0:1.3.9-3.el6_0.1 will be installed
---> Package apr-util-ldap.x86_64 0:1.3.9-3.el6_0.1 will be installed
---> Package httpd-tools.x86_64 0:2.2.15-30.el6.centos will be installed
---> Package initscripts.x86_64 0:9.03.40-2.el6.centos.1 will be installed
--> Processing Dependency: upstart >= 0.6.0 for package: initscripts-9.03.40-2.el6.centos.1.x86_64
--> Processing Dependency: ethtool >= 1.8-2 for package: initscripts-9.03.40-2.el6.centos.1.x86_64
--> Processing Dependency: /sbin/ip for package: initscripts-9.03.40-2.el6.centos.1.x86_64
--> Processing Dependency: /sbin/arping for package: initscripts-9.03.40-2.el6.centos.1.x86_64
---> Package mailcap.noarch 0:2.1.31-2.el6 will be installed
---> Package redhat-logos.noarch 0:60.0.14-12.el6.centos will be installed
--> Running transaction check
---> Package ethtool.x86_64 2:3.5-1.4.el6_5 will be installed
---> Package iproute.x86_64 0:2.6.32-31.el6 will be installed
--> Processing Dependency: iptables >= 1.4.5 for package: iproute-2.6.32-31.el6.x86_64
--> Processing Dependency: libxtables.so.4()(64bit) for package: iproute-2.6.32-31.el6.x86_64
---> Package iputils.x86_64 0:20071127-17.el6_4.2 will be installed
---> Package upstart.x86_64 0:0.6.5-13.el6_5.3 will be installed
--> Running transaction check
---> Package iptables.x86_64 0:1.4.7-11.el6 will be installed
--> Processing Dependency: policycoreutils for package: iptables-1.4.7-11.el6.x86_64
--> Running transaction check
---> Package policycoreutils.x86_64 0:2.0.83-19.39.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch      Version                    Repository      Size
================================================================================
Installing:
 httpd              x86_64    2.2.15-30.el6.centos       updates        821 k
Installing for dependencies:
 apr                x86_64    1.3.9-5.el6_2              base           123 k
 apr-util           x86_64    1.3.9-3.el6_0.1            base            87 k
 apr-util-ldap      x86_64    1.3.9-3.el6_0.1            base            15 k
 ethtool            x86_64    2:3.5-1.4.el6_5            updates        101 k
 httpd-tools        x86_64    2.2.15-30.el6.centos       updates         73 k
 initscripts        x86_64    9.03.40-2.el6.centos.1     updates        940 k
 iproute            x86_64    2.6.32-31.el6              base           365 k
 iptables           x86_64    1.4.7-11.el6               base           252 k
 iputils            x86_64    20071127-17.el6_4.2        base           120 k
 mailcap            noarch    2.1.31-2.el6               base            27 k
 policycoreutils    x86_64    2.0.83-19.39.el6           base           648 k
 redhat-logos       noarch    60.0.14-12.el6.centos      base            15 M
 upstart            x86_64    0.6.5-13.el6_5.3           updates        177 k

Transaction Summary
================================================================================
Install      14 Package(s)

Total download size: 18 M
Installed size: 30 M
Downloading Packages:
--------------------------------------------------------------------------------
Total                                           536 kB/s |  18 MB     00:34
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key>
 Package: centos-release-6-5.el6.centos.11.2.x86_64 (@CentOS-Updates/$releasever)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 2 pre-existing rpmdb problem(s), 'yum check' output follows:
udev-147-2.51.el6.x86_64 has missing requires of /sbin/service
udev-147-2.51.el6.x86_64 has missing requires of MAKEDEV >= ('0', '3.11', None)
  Installing : apr-1.3.9-5.el6_2.x86_64                                     1/14
  Installing : apr-util-1.3.9-3.el6_0.1.x86_64                              2/14
  Installing : apr-util-ldap-1.3.9-3.el6_0.1.x86_64                         3/14
  Installing : httpd-tools-2.2.15-30.el6.centos.x86_64                      4/14
  Installing : mailcap-2.1.31-2.el6.noarch                                  5/14
  Installing : upstart-0.6.5-13.el6_5.3.x86_64                              6/14
  Installing : redhat-logos-60.0.14-12.el6.centos.noarch                    7/14
  Installing : 2:ethtool-3.5-1.4.el6_5.x86_64                               8/14
  Installing : iputils-20071127-17.el6_4.2.x86_64                           9/14
  Installing : iproute-2.6.32-31.el6.x86_64                                10/14
  Installing : initscripts-9.03.40-2.el6.centos.1.x86_64                   11/14
  Installing : policycoreutils-2.0.83-19.39.el6.x86_64                     12/14
  Installing : iptables-1.4.7-11.el6.x86_64                                13/14
  Installing : httpd-2.2.15-30.el6.centos.x86_64                           14/14
groupadd: failure while writing changes to /etc/group
useradd: group 'apache' does not exist
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root
  Verifying  : httpd-2.2.15-30.el6.centos.x86_64                            1/14
  Verifying  : apr-1.3.9-5.el6_2.x86_64                                     2/14
  Verifying  : 2:ethtool-3.5-1.4.el6_5.x86_64                               3/14
  Verifying  : apr-util-ldap-1.3.9-3.el6_0.1.x86_64                         4/14
  Verifying  : initscripts-9.03.40-2.el6.centos.1.x86_64                    5/14
  Verifying  : iputils-20071127-17.el6_4.2.x86_64                           6/14
  Verifying  : redhat-logos-60.0.14-12.el6.centos.noarch                    7/14
  Verifying  : iptables-1.4.7-11.el6.x86_64                                 8/14
  Verifying  : upstart-0.6.5-13.el6_5.3.x86_64                              9/14
  Verifying  : iproute-2.6.32-31.el6.x86_64                                10/14
  Verifying  : mailcap-2.1.31-2.el6.noarch                                 11/14
  Verifying  : httpd-tools-2.2.15-30.el6.centos.x86_64                     12/14
  Verifying  : apr-util-1.3.9-3.el6_0.1.x86_64                             13/14
  Verifying  : policycoreutils-2.0.83-19.39.el6.x86_64                     14/14

Installed:
  httpd.x86_64 0:2.2.15-30.el6.centos

Dependency Installed:
  apr.x86_64 0:1.3.9-5.el6_2
  apr-util.x86_64 0:1.3.9-3.el6_0.1
  apr-util-ldap.x86_64 0:1.3.9-3.el6_0.1
  ethtool.x86_64 2:3.5-1.4.el6_5
  httpd-tools.x86_64 0:2.2.15-30.el6.centos
  initscripts.x86_64 0:9.03.40-2.el6.centos.1
  iproute.x86_64 0:2.6.32-31.el6
  iptables.x86_64 0:1.4.7-11.el6
  iputils.x86_64 0:20071127-17.el6_4.2
  mailcap.noarch 0:2.1.31-2.el6
  policycoreutils.x86_64 0:2.0.83-19.39.el6
  redhat-logos.noarch 0:60.0.14-12.el6.centos
  upstart.x86_64 0:0.6.5-13.el6_5.3

Complete!
Loaded plugins: fastestmirror
Cleaning repos: base extras updates
Cleaning up Everything
 ---> 544b2a692924
Removing intermediate container 783dae15dd6c
Step 3 : CMD service httpd start ; bash
 ---> Running in 0ede7efeb3cc
 ---> 140c0aaa7f53
Removing intermediate container 0ede7efeb3cc
Step 4 : EXPOSE 80
 ---> Running in 17025c7e85dc
 ---> 085199e5b898
Removing intermediate container 17025c7e85dc
Successfully built 085199e5b898

17:03:37 (..ainers/centos/test)$ docker run --rm -it test
Starting httpd: httpd: bad user name apache
                                                           [FAILED]
```

whereas everything builds and then runs just fine from index.docker.io: https://index.docker.io/u/pantinor/centos_httpd/

Similar error installing postgresql in a fedora based image. Dockerfile:

```
FROM fedora
RUN yum install -y postgresql-server postgresql postgresql-contrib
USER postgres
RUN /usr/bin/initdb -D /var/lib/pgsql/data
```

When installing postgres, the following warnings appear:

```
...
  Installing : postgresql-server-9.3.4-1.fc20.x86_64                         6/6
warning: user postgres does not exist - using root
warning: group postgres does not exist - using root
...
```

And when running the initdb:
```
...
Step 3 : RUN /usr/bin/initdb -D /var/lib/pgsql/data
 ---> Running in 9bb388ecf911
finalize namespace setup user get supplementary groups Unable to find user postgres
The command [/bin/sh -c /usr/bin/initdb -D /var/lib/pgsql/data] returned a non-zero code: 1
...
```

In a container created with docker 0.9.1 and running with docker 0.11, if I try to do a "su - postgres" it fails:

```
bash-4.2# su - postgres
su: System error
```

It runs in the same container when running with docker 0.9.1.

The problem is the libselinux in the centos image is reporting that SELinux is enabled to processes running within the container. This causes tools like useradd and groupadd to attempt to write to /proc/self/attr/* files in order to set up proper labeling for SELinux. Since /proc is now mounted read-only within the container, the writes are denied and useradd/groupadd fail.

The fix is to get an updated version of libselinux into the CentOS 6 images. RHEL7/RHEL6 and current Fedora images have the fix.

Privileged containers and systems with SELinux disabled will not have this issue.

I believe the Fedora bugs reported are a separate issue, and it looks like the postgresql user needs to be added.

(In reply to Daniel Walsh from comment #4)
> The problem is the libselinux in the centos image is reporting that SELinux
> is enabled to processes running within the container. This is tools like
> useradd and groupadd to attempt to write to /proc/self/attr/* files in order
> to setup proper labeling for SELinux. Since /proc is now mounted read/only
> within the container, the writes are denied and useradd/groupadd fail.
>
> The fix is to get an updated version of libselinux into the Centos 6 images.
> RHEL7/RHEL6 and Current Fedora images have the fix.
>
> Privileged containers and systems with SELInux disabled will not have this
> issue.
>
> I believe the Fedora bugs reported are a separate issue, and it looks like
> the postgresql user needs to be added.

Hi Daniel, thanks for your comment.

I just trust every word of yours about selinux, but I think that the problem cannot be just inside the CentOS image, since it builds fine on index.docker.io: https://index.docker.io/u/pantinor/centos_httpd/build_id/5062/code/bhwqycbcpdi5twzphkkoxzi/

Here is the full log if that link is private: http://fpaste.org/103787/

I am not sure which linux flavour is in use on index.docker.io, I suspect CoreOS. I was able to compile correctly even on a boot2docker image.

On my last test I temporarily disabled SELinux, built as root, and obviously did not enable --privileged since it's not an option for the build subcommand.

http://fpaste.org/103787/

And I am still seeing these lines, which are not present when building on other platforms:

```
groupadd: failure while writing changes to /etc/group
useradd: group 'apache' does not exist
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root
```

thank you
paolo

When you say you disabled it, did you just put it in permissive mode? In permissive mode the problem will continue, since it is not SELinux denying access, it is actually the fact that /proc is mounted read-only. Previous versions of docker did not do this. If you ran a container and just strace groupadd or useradd you will see a permission denied while trying to write to /proc, which is read-only. It would build fine on any platform that did not have "selinux enabled" in permissive or enforcing mode.

Oh, I see. I was just putting it in permissive mode. Thanks for the explanation.

Thanks Daniel, after a yum update of the host, postgresql runs again.

I have pushed an updated libselinux for rhel6.6 into

http://people.redhat.com/dwalsh/SELinux/RHEL6

If you install this version of libselinux into your rhel6 base image, I believe the useradd/groupadd problems will go away. We plan on adding this version to any docker images for rhel6 that we ship even prior to the release of rhel6.6.

(In reply to Daniel Walsh from comment #12)
> I have pushed an updated libselinux for rhel6.6 into
>
> http://people.redhat.com/dwalsh/SELinux/RHEL6
>
> If you install this version of libselinux into your rhel6 base image, I
> believe the useradd/groupadd problems will go away. We plan on adding this
> version to any docker images for rhel6 that we ship even prior to the
> release of rhel6.6.

This fixes the issue for me.

I have exactly the same problem, but using Fedora 20 with Docker version 0.11.1, build fb99f99/0.11.1.

I have provided a fixed libselinux package which can be used to build your rhel6 image. We will soon be shipping a RHEL6 image with the newer libselinux package. I have also provided patches for libselinux to centos.

Thanks to Daniel half of my problem is solved. I am now able to build successfully with the CentOS base image, adding his packages as the very first step:

```
FROM centos:latest
# keep this until these packages get into the official image with CentOS 6.6
# see http://bugs.centos.org/view.php?id=7126
RUN yum install -y http://mirror.centos.org/centos/6.5/centosplus/x86_64/Packages/libselinux-2.0.94-5.3.0.1.el6.centos.plus.x86_64.rpm http://mirror.centos.org/centos/6.5/centosplus/x86_64/Packages/libselinux-utils-2.0.94-5.3.0.1.el6.centos.plus.x86_64.rpm
RUN yum install -y httpd ; yum -y clean all
CMD service httpd start ; bash
EXPOSE 80
```

The CentOS base image has been officially updated with the new packages, so the manual installation is no longer needed.

I still have a problem connecting to sshd if I do not run the container as privileged, but I have opened the ticket on the Docker side now.
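The explanation above names three separate conditions that combine into the useradd/groupadd failure: /proc is mounted read-only in the container, the old libselinux in the image still reports SELinux as enabled, and the tools therefore open /proc/self/attr/* for writing and fail. The following shell script is an added example, not code from the bug report, docker or libselinux, that checks each of those conditions independently so a reader can tell a permissive-mode host from a read-only /proc. It assumes (for illustration only) that the pre-fix libselinux check can be approximated as "selinuxfs appears in /proc/filesystems"; the function names, the `--live` flag and the sample /proc/mounts and /proc/filesystems content written by `write_samples` are all constructed.

```shell
#!/bin/sh
# Added diagnostic for the useradd/groupadd failure discussed in this bug.
# Not part of docker, libselinux or the bug report; sample data is constructed.

# mount_opts MOUNTS_FILE MOUNTPOINT
# Print the options field of MOUNTPOINT from a /proc/mounts-style file.
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4; exit }' "$1"
}

# is_readonly MOUNTS_FILE MOUNTPOINT
# Exit 0 when MOUNTPOINT carries the "ro" mount option, 1 otherwise.
is_readonly() {
    case ",$(mount_opts "$1" "$2")," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# old_libselinux_says_enabled FILESYSTEMS_FILE
# Assumed approximation of the pre-fix libselinux behaviour: if the kernel
# lists selinuxfs in /proc/filesystems, SELinux is reported as enabled.
# That file is kernel-global, so a container sees the host's answer.
old_libselinux_says_enabled() {
    grep -q 'selinuxfs' "$1"
}

# attr_write_probe FILE
# Open FILE for writing (append, nothing is written), the same open() that
# useradd/groupadd perform on /proc/self/attr/* before writing a label.
# On a read-only /proc this fails with EROFS. Prints "writable" or
# "not writable" and exits 0 only in the first case. The subshell keeps a
# redirection error from aborting a POSIX shell that runs this script.
attr_write_probe() {
    if ( : >> "$1" ) 2>/dev/null; then
        echo writable
        return 0
    fi
    echo "not writable"
    return 1
}

# write_samples DIR
# Constructed sample files mimicking what a container started by docker 0.11
# on an SELinux-capable host might show (assumed content, for the demo).
write_samples() {
    cat > "$1/mounts" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
EOF
    printf 'nodev\tproc\nnodev\tselinuxfs\n\text4\n' > "$1/filesystems"
}

# diagnose MOUNTS_FILE FILESYSTEMS_FILE ATTR_FILE
# Print one verdict line. Exit 1 when the combination from this bug is
# present (read-only /proc and SELinux reported enabled), 0 otherwise.
diagnose() {
    ro=no
    enabled=no
    is_readonly "$1" /proc && ro=yes
    old_libselinux_says_enabled "$2" && enabled=yes
    probe=$(attr_write_probe "$3")
    if [ "$ro" = yes ] && [ "$enabled" = yes ]; then
        echo "VERDICT: /proc read-only and libselinux reports SELinux enabled; useradd/groupadd will fail writing /proc/self/attr/* (probe: $probe)"
        return 1
    fi
    echo "VERDICT: ro=$ro selinux_reported=$enabled probe=$probe; useradd/groupadd should work"
    return 0
}

# Stand-alone use against the live system, run as root inside the container:
#   sh <this script> --live
if [ "${1:-}" = "--live" ]; then
    diagnose /proc/mounts /proc/filesystems /proc/self/attr/fscreate
fi
```

Run with `--live` inside the failing container the script reports which of the two preconditions holds, which is the distinction Daniel draws above: a host in permissive mode still yields "ro=yes" and "selinux_reported=yes", because permissive mode changes what the policy enforces, not whether /proc is writable. The probe only opens the attr file and never writes to it, so it is safe to run on a system where SELinux really is enforcing.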