Bug 1098120 (libselinux_disabled)

Summary: Unable to build images that interact with /etc/groups
Product: [Fedora] Fedora
Reporter: Paolo Antinori <pantinor>
Component: docker-io
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: admiller, dwalsh, golang-updates, jkeck, lsm5, lsu, mattdm, mgoldman, michael.faille, oarribas, s, vbatts
Doc Type: Bug Fix
Last Closed: 2014-06-03 20:51:58 UTC
Type: Bug

Description Paolo Antinori 2014-05-15 10:50:29 UTC
Description of problem:

Unable to successfully build and run a fairly simple image that used to work.


Version-Release number of selected component (if applicable):

$ docker -v
Docker version 0.11.1, build fb99f99/0.11.1


How reproducible:

Always


Steps to Reproduce:

mkdir docker_test
cd docker_test
wget 'http://pastebin.com/raw.php?i=ie8BRcC4' -O Dockerfile
docker build -t sshd --no-cache .

Actual results:

$ docker build -t sshd --no-cache  .
Uploading context  2.56 kB
Uploading context 
Step 0 : FROM centos
 ---> 539c0211cd76
Step 1 : RUN yum install -y openssh-server
 ---> Running in 65f28c081323
Loaded plugins: fastestmirror
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openssh-server.x86_64 0:5.3p1-94.el6 will be installed
--> Processing Dependency: openssh = 5.3p1-94.el6 for package: openssh-server-5.3p1-94.el6.x86_64
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10)(64bit) for package: openssh-server-5.3p1-94.el6.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1)(64bit) for package: openssh-server-5.3p1-94.el6.x86_64
--> Processing Dependency: libwrap.so.0()(64bit) for package: openssh-server-5.3p1-94.el6.x86_64
--> Processing Dependency: libfipscheck.so.1()(64bit) for package: openssh-server-5.3p1-94.el6.x86_64
--> Running transaction check
---> Package fipscheck-lib.x86_64 0:1.2.0-7.el6 will be installed
--> Processing Dependency: /usr/bin/fipscheck for package: fipscheck-lib-1.2.0-7.el6.x86_64
---> Package openssh.x86_64 0:5.3p1-94.el6 will be installed
---> Package openssl.x86_64 0:1.0.0-27.el6_4.2 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Processing Dependency: make for package: openssl-1.0.1e-16.el6_5.7.x86_64
---> Package tcp_wrappers-libs.x86_64 0:7.6-57.el6 will be installed
--> Running transaction check
---> Package fipscheck.x86_64 0:1.2.0-7.el6 will be installed
---> Package make.x86_64 1:3.81-20.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch        Version                  Repository    Size
================================================================================
Installing:
 openssh-server         x86_64      5.3p1-94.el6             base         311 k
Installing for dependencies:
 fipscheck              x86_64      1.2.0-7.el6              base          14 k
 fipscheck-lib          x86_64      1.2.0-7.el6              base         8.3 k
 make                   x86_64      1:3.81-20.el6            base         389 k
 openssh                x86_64      5.3p1-94.el6             base         258 k
 tcp_wrappers-libs      x86_64      7.6-57.el6               base          62 k
Updating for dependencies:
 openssl                x86_64      1.0.1e-16.el6_5.7        updates      1.5 M

Transaction Summary
================================================================================
Install       6 Package(s)
Upgrade       1 Package(s)

Total download size: 2.5 M
Downloading Packages:
--------------------------------------------------------------------------------
Total                                           569 kB/s | 2.5 MB     00:04     
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key>
 Package: centos-release-6-4.el6.centos.10.x86_64 (@febootstrap/$releasever)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : tcp_wrappers-libs-7.6-57.el6.x86_64                          1/8 
  Installing : 1:make-3.81-20.el6.x86_64                                    2/8 
  Updating   : openssl-1.0.1e-16.el6_5.7.x86_64                             3/8 
  Installing : fipscheck-lib-1.2.0-7.el6.x86_64                             4/8 
  Installing : fipscheck-1.2.0-7.el6.x86_64                                 5/8 
  Installing : openssh-5.3p1-94.el6.x86_64                                  6/8 
  Installing : openssh-server-5.3p1-94.el6.x86_64                           7/8 
groupadd: failure while writing changes to /etc/group
  Cleanup    : openssl-1.0.0-27.el6_4.2.x86_64                              8/8 
  Verifying  : 1:make-3.81-20.el6.x86_64                                    1/8 
  Verifying  : tcp_wrappers-libs-7.6-57.el6.x86_64                          2/8 
  Verifying  : fipscheck-1.2.0-7.el6.x86_64                                 3/8 
  Verifying  : openssl-1.0.1e-16.el6_5.7.x86_64                             4/8 
  Verifying  : openssh-5.3p1-94.el6.x86_64                                  5/8 
  Verifying  : openssh-server-5.3p1-94.el6.x86_64                           6/8 
  Verifying  : fipscheck-lib-1.2.0-7.el6.x86_64                             7/8 
  Verifying  : openssl-1.0.0-27.el6_4.2.x86_64                              8/8 

Installed:
  openssh-server.x86_64 0:5.3p1-94.el6                                          

Dependency Installed:
  fipscheck.x86_64 0:1.2.0-7.el6           fipscheck-lib.x86_64 0:1.2.0-7.el6   
  make.x86_64 1:3.81-20.el6                openssh.x86_64 0:5.3p1-94.el6        
  tcp_wrappers-libs.x86_64 0:7.6-57.el6   

Dependency Updated:
  openssl.x86_64 0:1.0.1e-16.el6_5.7                                            

Complete!
 ---> e869dfd88b15
Removing intermediate container 65f28c081323
Step 2 : RUN sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords yes/;s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
 ---> Running in 8673e7861c41
sed: warning: failed to set default file creation context to system_u:object_r:file_t:s0: Read-only file system ---> f49ebe0bc026
Removing intermediate container 8673e7861c41
Step 3 : CMD service sshd start ; bash
 ---> Running in b4db6af6261e
 ---> b9d7e3852943
Removing intermediate container b4db6af6261e
Successfully built b9d7e3852943



Expected results:

A build and run with no errors.
Everything works as expected when run for instance in a boot2docker vm:

https://github.com/boot2docker/boot2docker/releases/download/v0.9.1/boot2docker.iso


Additional info:

$ getenforce 
Permissive

The error is recent. I am not sure if the problem is Docker, SELinux, or CentOS base files, but the full operation used to succeed without any problem in the past.



Note sed warning:
sed: warning: failed to set default file creation context to system_u:object_r:file_t:s0: Read-only file system ---> f49ebe0bc026


When running a container from that image, the ssh fails:

$ docker run -t -i sshd
Generating SSH1 RSA host key: No such file or directory
                                                           [  OK  ]
Generating SSH2 RSA host key: No such file or directory
                                                           [  OK  ]
Generating SSH2 DSA host key: No such file or directory
                                                           [  OK  ]
Starting sshd: Privilege separation user sshd does not exist
                                                           [FAILED]
bash-4.1# exit

Comment 1 Paolo Antinori 2014-05-20 15:29:00 UTC
Found some evidence that the problem is wider and not related just to sshd.

Building this simple image:



FROM centos:latest

MAINTAINER Paolo Antinori <paolo.antinori>

RUN yum install -y httpd ; yum -y clean all

CMD service httpd start ; bash

EXPOSE 80





Gives this output and a non-runnable httpd:



$ docker build --rm -t test .
Uploading context  2.56 kB
Uploading context 
Step 0 : FROM centos:latest
 ---> 0b443ba03958
Step 1 : MAINTAINER Paolo Antinori <paolo.antinori>
 ---> Using cache
 ---> 4f53ca7a4051
Step 2 : RUN yum install -y httpd ; yum -y clean all
 ---> Running in 783dae15dd6c
Loaded plugins: fastestmirror
http://centosh2.centos.org/centos/6.5/updates/x86_64/repodata/d488729553d7cbc3cc08e719d084cfbab0740f8784827f632c1939c87ffdd7c3-primary.sqlite.bz2: [Errno 12] Timeout on http://centosh2.centos.org/centos/6.5/updates/x86_64/repodata/d488729553d7cbc3cc08e719d084cfbab0740f8784827f632c1939c87ffdd7c3-primary.sqlite.bz2: (28, 'Operation too slow. Less than 1 bytes/sec transfered the last 30 seconds')
Trying other mirror.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-30.el6.centos will be installed
--> Processing Dependency: httpd-tools = 2.2.15-30.el6.centos for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: initscripts >= 8.36 for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: apr-util-ldap for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.2.15-30.el6.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.3.9-5.el6_2 will be installed
---> Package apr-util.x86_64 0:1.3.9-3.el6_0.1 will be installed
---> Package apr-util-ldap.x86_64 0:1.3.9-3.el6_0.1 will be installed
---> Package httpd-tools.x86_64 0:2.2.15-30.el6.centos will be installed
---> Package initscripts.x86_64 0:9.03.40-2.el6.centos.1 will be installed
--> Processing Dependency: upstart >= 0.6.0 for package: initscripts-9.03.40-2.el6.centos.1.x86_64
--> Processing Dependency: ethtool >= 1.8-2 for package: initscripts-9.03.40-2.el6.centos.1.x86_64
--> Processing Dependency: /sbin/ip for package: initscripts-9.03.40-2.el6.centos.1.x86_64
--> Processing Dependency: /sbin/arping for package: initscripts-9.03.40-2.el6.centos.1.x86_64
---> Package mailcap.noarch 0:2.1.31-2.el6 will be installed
---> Package redhat-logos.noarch 0:60.0.14-12.el6.centos will be installed
--> Running transaction check
---> Package ethtool.x86_64 2:3.5-1.4.el6_5 will be installed
---> Package iproute.x86_64 0:2.6.32-31.el6 will be installed
--> Processing Dependency: iptables >= 1.4.5 for package: iproute-2.6.32-31.el6.x86_64
--> Processing Dependency: libxtables.so.4()(64bit) for package: iproute-2.6.32-31.el6.x86_64
---> Package iputils.x86_64 0:20071127-17.el6_4.2 will be installed
---> Package upstart.x86_64 0:0.6.5-13.el6_5.3 will be installed
--> Running transaction check
---> Package iptables.x86_64 0:1.4.7-11.el6 will be installed
--> Processing Dependency: policycoreutils for package: iptables-1.4.7-11.el6.x86_64
--> Running transaction check
---> Package policycoreutils.x86_64 0:2.0.83-19.39.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch       Version                       Repository   Size
================================================================================
Installing:
 httpd               x86_64     2.2.15-30.el6.centos          updates     821 k
Installing for dependencies:
 apr                 x86_64     1.3.9-5.el6_2                 base        123 k
 apr-util            x86_64     1.3.9-3.el6_0.1               base         87 k
 apr-util-ldap       x86_64     1.3.9-3.el6_0.1               base         15 k
 ethtool             x86_64     2:3.5-1.4.el6_5               updates     101 k
 httpd-tools         x86_64     2.2.15-30.el6.centos          updates      73 k
 initscripts         x86_64     9.03.40-2.el6.centos.1        updates     940 k
 iproute             x86_64     2.6.32-31.el6                 base        365 k
 iptables            x86_64     1.4.7-11.el6                  base        252 k
 iputils             x86_64     20071127-17.el6_4.2           base        120 k
 mailcap             noarch     2.1.31-2.el6                  base         27 k
 policycoreutils     x86_64     2.0.83-19.39.el6              base        648 k
 redhat-logos        noarch     60.0.14-12.el6.centos         base         15 M
 upstart             x86_64     0.6.5-13.el6_5.3              updates     177 k

Transaction Summary
================================================================================
Install      14 Package(s)

Total download size: 18 M
Installed size: 30 M
Downloading Packages:
--------------------------------------------------------------------------------
Total                                           536 kB/s |  18 MB     00:34     
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key>
 Package: centos-release-6-5.el6.centos.11.2.x86_64 (@CentOS-Updates/$releasever)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 2 pre-existing rpmdb problem(s), 'yum check' output follows:
udev-147-2.51.el6.x86_64 has missing requires of /sbin/service
udev-147-2.51.el6.x86_64 has missing requires of MAKEDEV >= ('0', '3.11', None)
  Installing : apr-1.3.9-5.el6_2.x86_64                                    1/14 
  Installing : apr-util-1.3.9-3.el6_0.1.x86_64                             2/14 
  Installing : apr-util-ldap-1.3.9-3.el6_0.1.x86_64                        3/14 
  Installing : httpd-tools-2.2.15-30.el6.centos.x86_64                     4/14 
  Installing : mailcap-2.1.31-2.el6.noarch                                 5/14 
  Installing : upstart-0.6.5-13.el6_5.3.x86_64                             6/14 
  Installing : redhat-logos-60.0.14-12.el6.centos.noarch                   7/14 
  Installing : 2:ethtool-3.5-1.4.el6_5.x86_64                              8/14 
  Installing : iputils-20071127-17.el6_4.2.x86_64                          9/14 
  Installing : iproute-2.6.32-31.el6.x86_64                               10/14 
  Installing : initscripts-9.03.40-2.el6.centos.1.x86_64                  11/14 
  Installing : policycoreutils-2.0.83-19.39.el6.x86_64                    12/14 
  Installing : iptables-1.4.7-11.el6.x86_64                               13/14 
  Installing : httpd-2.2.15-30.el6.centos.x86_64                          14/14 
groupadd: failure while writing changes to /etc/group
useradd: group 'apache' does not exist
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root
  Verifying  : httpd-2.2.15-30.el6.centos.x86_64                           1/14 
  Verifying  : apr-1.3.9-5.el6_2.x86_64                                    2/14 
  Verifying  : 2:ethtool-3.5-1.4.el6_5.x86_64                              3/14 
  Verifying  : apr-util-ldap-1.3.9-3.el6_0.1.x86_64                        4/14 
  Verifying  : initscripts-9.03.40-2.el6.centos.1.x86_64                   5/14 
  Verifying  : iputils-20071127-17.el6_4.2.x86_64                          6/14 
  Verifying  : redhat-logos-60.0.14-12.el6.centos.noarch                   7/14 
  Verifying  : iptables-1.4.7-11.el6.x86_64                                8/14 
  Verifying  : upstart-0.6.5-13.el6_5.3.x86_64                             9/14 
  Verifying  : iproute-2.6.32-31.el6.x86_64                               10/14 
  Verifying  : mailcap-2.1.31-2.el6.noarch                                11/14 
  Verifying  : httpd-tools-2.2.15-30.el6.centos.x86_64                    12/14 
  Verifying  : apr-util-1.3.9-3.el6_0.1.x86_64                            13/14 
  Verifying  : policycoreutils-2.0.83-19.39.el6.x86_64                    14/14 

Installed:
  httpd.x86_64 0:2.2.15-30.el6.centos                                           

Dependency Installed:
  apr.x86_64 0:1.3.9-5.el6_2                                                    
  apr-util.x86_64 0:1.3.9-3.el6_0.1                                             
  apr-util-ldap.x86_64 0:1.3.9-3.el6_0.1                                        
  ethtool.x86_64 2:3.5-1.4.el6_5                                                
  httpd-tools.x86_64 0:2.2.15-30.el6.centos                                     
  initscripts.x86_64 0:9.03.40-2.el6.centos.1                                   
  iproute.x86_64 0:2.6.32-31.el6                                                
  iptables.x86_64 0:1.4.7-11.el6                                                
  iputils.x86_64 0:20071127-17.el6_4.2                                          
  mailcap.noarch 0:2.1.31-2.el6                                                 
  policycoreutils.x86_64 0:2.0.83-19.39.el6                                     
  redhat-logos.noarch 0:60.0.14-12.el6.centos                                   
  upstart.x86_64 0:0.6.5-13.el6_5.3                                             

Complete!
Loaded plugins: fastestmirror
Cleaning repos: base extras updates
Cleaning up Everything
 ---> 544b2a692924
Removing intermediate container 783dae15dd6c
Step 3 : CMD service httpd start ; bash
 ---> Running in 0ede7efeb3cc
 ---> 140c0aaa7f53
Removing intermediate container 0ede7efeb3cc
Step 4 : EXPOSE 80
 ---> Running in 17025c7e85dc
 ---> 085199e5b898
Removing intermediate container 17025c7e85dc
Successfully built 085199e5b898
17:03:37 (..ainers/centos/test)$ docker run --rm -it test
Starting httpd: httpd: bad user name apache
                                                           [FAILED]




while everything builds and then runs just fine from index.docker.io:


https://index.docker.io/u/pantinor/centos_httpd/

Comment 2 oarribas 2014-05-21 13:04:09 UTC
Similar error installing postgresql in a fedora based image.

Dockerfile:

FROM fedora
RUN  yum install -y postgresql-server postgresql postgresql-contrib  
USER postgres  
RUN  /usr/bin/initdb -D /var/lib/pgsql/data  


When installing postgres, the following warnings appear:
.
.
  Installing : postgresql-server-9.3.4-1.fc20.x86_64                        6/6 
warning: user postgres does not exist - using root
warning: group postgres does not exist - using root
.
.
.


And when running the initdb:
.
.
Step 3 : RUN             /usr/bin/initdb -D /var/lib/pgsql/data
 ---> Running in 9bb388ecf911

finalize namespace setup user get supplementary groups Unable to find user postgres
The command [/bin/sh -c /usr/bin/initdb -D /var/lib/pgsql/data] returned a non-zero code: 1
.
.

Comment 3 oarribas 2014-05-21 13:10:53 UTC
In a container created with docker 0.9.1 and running with docker 0.11, if I try to do a "su - postgres" it fails:

bash-4.2# su - postgres
su: System error


It runs in the same container, when running with docker 0.9.1

Comment 4 Daniel Walsh 2014-05-21 13:16:14 UTC
The problem is the libselinux in the centos image is reporting that SELinux is enabled to processes running within the container.  This causes tools like useradd and groupadd to attempt to write to /proc/self/attr/* files in order to set up proper labeling for SELinux.  Since /proc is now mounted read/only within the container, the writes are denied and useradd/groupadd fail.

The fix is to get an updated version of libselinux into the Centos 6 images.  RHEL7/RHEL6 and Current Fedora images have the fix.

Privileged containers and systems with SELinux disabled will not have this issue.

I believe the Fedora bugs reported are a separate issue, and it looks like the postgresql user needs to be added.

Comment 5 Paolo Antinori 2014-05-21 13:38:57 UTC
(In reply to Daniel Walsh from comment #4)
> The problem is the libselinux in the centos image is reporting that SELinux
> is enabled to processes running within the container.  This causes tools like
> useradd and groupadd to attempt to write to /proc/self/attr/* files in order
> to set up proper labeling for SELinux.  Since /proc is now mounted read/only
> within the container, the writes are denied and useradd/groupadd fail.
> 
> The fix is to get an updated version of libselinux into the Centos 6 images.
> RHEL7/RHEL6 and Current Fedora images have the fix.
> 
> Privileged containers and systems with SELinux disabled will not have this
> issue.
> 
> I believe the Fedora bugs reported are a separate issue, and it looks like
> the postgresql user needs to be added.

Hi Daniel, thanks for your comment. I just trust your every word about SELinux, but I think that the problem cannot be just inside the CentOS image, since it builds fine on index.docker.io:

https://index.docker.io/u/pantinor/centos_httpd/build_id/5062/code/bhwqycbcpdi5twzphkkoxzi/


Here is the full log if that link is private:

http://fpaste.org/103787/


I am not sure which Linux flavour is in use on index.docker.io; I suspect CoreOS.


I was able to compile correctly even on a boot2docker image.

On my last test I temporarily disabled SELinux, built as root, and obviously did not enable --privileged since it's not an option for the build subcommand.

http://fpaste.org/103787/

And still seeing these lines that are not present while building on other platforms:


groupadd: failure while writing changes to /etc/group
useradd: group 'apache' does not exist
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root


thank you

paolo

Comment 6 Daniel Walsh 2014-05-21 13:46:41 UTC
When you say you disabled it, did you just put it in permissive mode? In permissive mode the problem will continue, since it is not SELinux denying access; it is actually the fact that /proc is mounted read-only.  Previous versions of docker did not do this.

If you run a container and just strace groupadd or useradd, you will see a permission denied error while trying to write to /proc, which is read-only.

It would build fine on any platform that did not have "selinux enabled" in permissive or enforcing mode.
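
The condition described in comments 4 and 6 (an SELinux-enabled host kernel combined with /proc mounted read-only inside the container) can be checked from within a container. The script below is an added example, not part of the bug report and not Docker or libselinux code; the function names and sample tables are constructed, and treating a selinuxfs entry in /proc/filesystems as the sign of an SELinux-enabled kernel is this example's assumption.

```shell
#!/bin/sh
# Added example: classify a container against the failure condition in
# comments 4 and 6, using tables in /proc/mounts and /proc/filesystems format.

# Print the options of the last mount on mount point $2 in mounts table $1.
# Later lines shadow earlier ones, so the last match is the effective mount.
mount_opts() {
    awk -v mp="$2" '$2 == mp { o = $4 } END { if (o != "") print o }' "$1"
}

# Succeed if the comma-separated option string $1 contains the "ro" flag.
has_ro() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeed if filesystems table $1 lists selinuxfs.
# Assumption of this example: this marks a kernel with SELinux enabled
# (enforcing or permissive).
kernel_has_selinux() {
    awk '$NF == "selinuxfs" { f = 1 } END { exit !f }' "$1"
}

# diagnose MOUNTS FILESYSTEMS -> prints one verdict word:
#   affected       SELinux-enabled kernel and read-only /proc
#   proc-writable  /proc is read-write, so label writes can succeed
#   no-selinux     kernel does not have SELinux enabled
#   no-proc        no /proc mount found in the table
diagnose() {
    opts=$(mount_opts "$1" /proc)
    if [ -z "$opts" ]; then
        echo no-proc
    elif ! kernel_has_selinux "$2"; then
        echo no-selinux
    elif has_ro "$opts"; then
        echo affected
    else
        echo proc-writable
    fi
}

# Constructed sample tables (not captured from a real system).
sample_mounts_ro() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
EOF
}

sample_filesystems() {
    printf 'nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\n'
}

# Live check, run only with --live: the table verdict plus a direct test of
# /proc/self/attr/fscreate, one of the /proc/self/attr/* files from comment 4.
if [ "${1:-}" = "--live" ]; then
    echo "verdict: $(diagnose /proc/mounts /proc/filesystems)"
    if [ -w /proc/self/attr/fscreate ]; then
        echo "/proc/self/attr/fscreate: writable"
    else
        echo "/proc/self/attr/fscreate: not writable"
    fi
fi
```

An "affected" verdict means an image with an unpatched libselinux will hit the groupadd/useradd failures shown in the build logs above, even though the build itself still reports success.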

Comment 7 Paolo Antinori 2014-05-21 13:55:27 UTC
oh, I see. I was just putting it in permissive mode.

Thanks for the explanation.

Comment 8 oarribas 2014-05-21 15:55:40 UTC
Thanks Daniel, after a yum update of the host, postgresql runs again.

Comment 12 Daniel Walsh 2014-05-23 16:47:16 UTC
I have pushed an updated libselinux for rhel6.6 into 

http://people.redhat.com/dwalsh/SELinux/RHEL6

If you install this version of libselinux into your rhel6 base image, I believe the useradd/groupadd problems will go away.  We plan on adding this version to any docker images for rhel6 that we ship even prior to the release of rhel6.6.

Comment 13 Marek Goldmann 2014-05-26 06:26:18 UTC
(In reply to Daniel Walsh from comment #12)
> I have pushed an updated libselinux for rhel6.6 into 
> 
> http://people.redhat.com/dwalsh/SELinux/RHEL6
> 
> If you install this version of libselinux into your rhel6 base image, I
> believe the useradd/groupadd problems will go away.  We plan on adding this
> version to any docker images for rhel6 that we ship even prior to the
> release of rhel6.6.

This fixes the issue for me.

Comment 14 michael.faille 2014-05-30 01:17:44 UTC
I have exactly the same problem, but using Fedora 20 with Docker version 0.11.1, build fb99f99/0.11.1

Comment 15 Daniel Walsh 2014-06-03 20:51:58 UTC
I have provided a fixed libselinux package which can be used to build your rhel6 image.  We will soon be shipping a RHEL6 image with the newer libselinux package.  I have also provided patches for libselinux to CentOS.

Comment 16 Paolo Antinori 2014-06-11 16:15:31 UTC
Thanks to Daniel half of my problem is solved. 

I am now able to build successfully with Centos base image, adding his packages as the very first step:

FROM centos:latest

# keep this until these packages get into the official image with CentOS 6.6
# see http://bugs.centos.org/view.php?id=7126
RUN yum install -y http://mirror.centos.org/centos/6.5/centosplus/x86_64/Packages/libselinux-2.0.94-5.3.0.1.el6.centos.plus.x86_64.rpm http://mirror.centos.org/centos/6.5/centosplus/x86_64/Packages/libselinux-utils-2.0.94-5.3.0.1.el6.centos.plus.x86_64.rpm

RUN yum install -y httpd ; yum -y clean all

CMD service httpd start ; bash

EXPOSE 80

Comment 17 Paolo Antinori 2014-06-13 12:29:16 UTC
Centos base image has been officially updated with the new packages, so the manual installation is no longer needed.

I still have a problem connecting to sshd if I do not run the container as privileged, but I have opened the ticket on the Docker side now.