Bug 1803495

Summary: useradd and groupadd fail under rootless Buildah and podman [stream-container-tools-rhel8-rhel-8.1.1]
Product: Red Hat Enterprise Linux 8
Reporter: Jindrich Novy <jnovy>
Component: fuse-overlayfs
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: low
Priority: low
Version: 8.1
CC: ajia, andrew, castedo, ddarrah, dornelas, gscrivan, jnovy, lfriedma, lsm5, timo.sandmann, tsweeney
Target Milestone: rc
Keywords: ZStream
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: fuse-overlayfs-0.7.2-5.module+el8.1.1+6114+953c5a57
Doc Type: If docs needed, set a value
Last Closed: 2020-04-07 10:31:28 UTC
Bug Blocks: 1186913, 1734578, 1802907
Attachments: patch for stream-container-tools-rhel8-rhel-8.1.1 (flags: none)

Description Jindrich Novy 2020-02-16 12:40:39 UTC
This is a tracking bug assuring the fix for bug #1802907 gets applied in stream-container-tools-rhel8-rhel-8.1.1 branch of fuse-overlayfs.

Comment 2 Laurie Friedman 2020-02-17 14:24:27 UTC
Setting exception+ because everything that goes into 8.1.1 / 8.1.1.z requires exception plus.  It is before 8.1.1.3 dev freeze so it is OK to add this bug fix.

Comment 3 Laurie Friedman 2020-02-17 14:27:23 UTC
Clearing ITR.  This fix is going into 8.1.1.3 so only ZTR should be set.

Comment 17 Alex Jia 2020-03-25 10:56:25 UTC
Still failed in fuse-overlayfs-0.7.2-4.module+el8.1.1+6101+69ae647f.x86_64

[foo@hpe-dl380pgen8-02-vm-10 ~]$ buildah bud -t sleepy:rhel8.1 sleepy-container
---------------------8<---------------------
STEP 10: ADD sleepy /usr/local/bin
STEP 11: ADD sleepy.conf /etc
STEP 12: RUN groupadd -r ${SRVGRP} || true
groupadd: /etc/group.6: lock file already used
groupadd: cannot lock /etc/group; try again later.
STEP 13: RUN useradd -r -g ${SRVGRP} ${SRVUSR} || true
useradd: group 'sleepy' does not exist
STEP 14: RUN chmod +x /usr/local/bin/sleepy || true
STEP 15: RUN chown root:${SRVGRP} /etc/sleepy.conf ; chmod 640 /etc/sleepy.conf || true
chown: invalid group: 'root:sleepy'
STEP 16: RUN mkdir /var/local/sleepy
STEP 17: RUN chmod 2750 /var/local/sleepy && chown ${SRVUSR}:${SRVGRP} /var/local/sleepy || true
chown: invalid user: 'sleepy:sleepy'
STEP 18: RUN ${YUM} install procps-ng iproute nmap-ncat
---------------------8<---------------------

[foo@hpe-dl380pgen8-02-vm-10 ~]$ rpm -q fuse-overlayfs buildah
fuse-overlayfs-0.7.2-4.module+el8.1.1+6101+69ae647f.x86_64
buildah-1.11.6-6.module+el8.1.1+5865+cc793d95.x86_64

Comment 20 Tom Sweeney 2020-03-25 15:38:13 UTC
Giuseppe to provide new patch shortly.

Comment 21 Giuseppe Scrivano 2020-03-25 15:43:51 UTC
Created attachment 1673560
patch for stream-container-tools-rhel8-rhel-8.1.1

Comment 23 Alex Jia 2020-03-27 05:15:05 UTC
Verified in fuse-overlayfs-0.7.2-5.module+el8.1.1+6114+953c5a57.x86_64.

[ajia@atomic-host-test-4109 ~]$ buildah bud -t sleepy:rhel8.1 sleepy-container
STEP 1: FROM registry.access.redhat.com/ubi8/ubi
Getting image source signatures
Copying blob 941e1e2b31a8 done
Copying blob 0bb54aa5e977 done
Copying config 0c46e5c7a8 done
Writing manifest to image destination
Storing signatures
STEP 2: USER root
STEP 3: ENV SRVUSR=sleepy
STEP 4: ENV SRVGRP=sleepy
STEP 5: LABEL maintainer="Me <me>"
STEP 6: LABEL description="A trivial Dockerfile to reproduce failure to add service users in rootless buildah/podman"
STEP 7: LABEL io.k8s.description="A trivial Dockerfile to reproduce failure to add service users in rootless buildah/podman"
STEP 8: LABEL io.k8s.dispaly-name="User fail on RHEL UBI 8"
STEP 9: ENV YUM="yum -y --disablerepo=rhel*"
STEP 10: ADD sleepy /usr/local/bin
STEP 11: ADD sleepy.conf /etc
STEP 12: RUN groupadd -r ${SRVGRP} || true
STEP 13: RUN useradd -r -g ${SRVGRP} ${SRVUSR} || true
STEP 14: RUN chmod +x /usr/local/bin/sleepy || true
STEP 15: RUN chown root:${SRVGRP} /etc/sleepy.conf ; chmod 640 /etc/sleepy.conf || true
STEP 16: RUN mkdir /var/local/sleepy
STEP 17: RUN chmod 2750 /var/local/sleepy && chown ${SRVUSR}:${SRVGRP} /var/local/sleepy || true
---------------------8<---------------------

[ajia@atomic-host-test-4109 ~]$ podman run -dt --rm --name sleepy sleepy:rhel8.1
76c39498dc8b6eb036bc2f4c537544234b53254423dbeda8cf897bae8de2033a

[ajia@atomic-host-test-4109 ~]$ podman ps
CONTAINER ID  IMAGE                     COMMAND  CREATED        STATUS            PORTS  NAMES
76c39498dc8b  localhost/sleepy:rhel8.1           4 seconds ago  Up 3 seconds ago         sleepy
STEP 18: RUN ${YUM} install procps-ng iproute nmap-ncat

[ajia@atomic-host-test-4109 ~]$ rpm -q fuse-overlayfs buildah podman
fuse-overlayfs-0.7.2-5.module+el8.1.1+6114+953c5a57.x86_64
buildah-1.11.6-6.module+el8.1.1+5865+cc793d95.x86_64
podman-1.6.4-4.module+el8.1.1+5885+44006e55.x86_64

Comment 25 errata-xmlrpc 2020-04-07 10:31:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1379