Description of problem:
unable to run groupadd inside a container

Version-Release number of selected component (if applicable):
docker-0.10.0-4.el7 / atomic 2014.8

How reproducible:
100%

Steps to Reproduce:
1. docker run --rm -i -t centos groupadd foo

Actual results:
groupadd: failure while writing changes to /etc/group

Expected results:
no error

Additional info:
strace output:
open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system)
write(2, "groupadd: failure while writing "..., 54groupadd: failure while writing changes to /etc/group
Likely a regression from https://github.com/dotcloud/docker/pull/5445 For SELinux we really need /proc/self/.../fscreate to be writable.
Though...since we don't actually have SELinux in the containers, userspace shouldn't even be trying to write to them. What centos image are you using? I tried centos6 0b443ba03958 from the upstream registry and groupadd worked.
I'm using the same 0b443ba03958:

-bash-4.2# docker images
REPOSITORY   TAG        IMAGE ID       CREATED         VIRTUAL SIZE
fedora       rawhide    5cc9e91966f7   4 hours ago     372.7 MB
fedora       20         b7de3133ff98   2 weeks ago     372.7 MB
fedora       heisenbug  b7de3133ff98   2 weeks ago     372.7 MB
fedora       latest     b7de3133ff98   2 weeks ago     372.7 MB
centos       centos6    0b443ba03958   3 weeks ago     297.6 MB
centos       latest     0b443ba03958   3 weeks ago     297.6 MB
centos       6.4        539c0211cd76   13 months ago   300.6 MB
-bash-4.2# docker run --rm centos groupadd foo
groupadd: failure while writing changes to /etc/group
Right, sorry, the machine I ran it on had SELinux disabled due to https://bugzilla.redhat.com/show_bug.cgi?id=1060423 So...one option is to change the kernel to fake out userspace into thinking SELinux is disabled. From what I can see shadow is opening /proc/self/attr/current which works, since it does have a domain.
Lennart said nspawn mounts /proc as read-write and just /proc/sys as readonly. We should probably switch to that. Lemme try that.
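The check below is an added example, not code from this bug, from docker or from libselinux. It classifies a container's /proc layout from a /proc/self/mounts-style table and probes the open() that failed in the strace above. It assumes the reading of the thread that the failing docker mounted all of /proc read-only and that the nspawn layout is /proc read-write with only /proc/sys read-only; the sample tables are constructed, and the result names (proc-ro, ok, ...) are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report, docker or libselinux): check whether a
# container's /proc layout can trigger the EROFS seen in the strace above.
# Assumed from the thread: the failing docker mounted all of /proc read-only;
# the nspawn layout mounts /proc rw and only /proc/sys ro.

# Print the mount options of mountpoint $2 from a /proc/self/mounts-style
# table passed as text in $1 (fields: source target fstype options dump pass).
# Prints nothing if no proc filesystem is mounted there.
proc_mount_opts() {
    printf '%s\n' "$1" | while read -r _s t fs o _r; do
        if [ "$t" = "$2" ] && [ "$fs" = "proc" ]; then
            printf '%s\n' "$o"
            break
        fi
    done
}

# Succeed if the comma-separated option list $1 contains the exact flag $2
# (so "ro" does not match "errors=remount-ro").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Classify the layout. Result names are this example's own:
#   proc-ro                 /proc read-only: setfscreatecon() gets EROFS (this bug)
#   ok                      /proc rw and /proc/sys ro (the nspawn layout)
#   proc-rw-sys-unprotected /proc rw but /proc/sys not mounted read-only
#   proc-missing            no proc filesystem at /proc
classify_proc_layout() {
    opts=$(proc_mount_opts "$1" /proc)
    if [ -z "$opts" ]; then echo proc-missing; return 0; fi
    if has_opt "$opts" ro; then echo proc-ro; return 0; fi
    sysopts=$(proc_mount_opts "$1" /proc/sys)
    if [ -n "$sysopts" ] && has_opt "$sysopts" ro; then
        echo ok
    else
        echo proc-rw-sys-unprotected
    fi
}

# Live probe of the call that failed in the report: open the calling task's
# attr/fscreate for writing. The strace showed /proc/self/task/<tid>/attr/
# fscreate; for a single-threaded shell /proc/self/attr/fscreate is the same
# file. Only the open is attempted, nothing is written, so no label changes.
#   missing       no /proc/self/attr files (kernel without SELinux support)
#   writable      open for writing succeeded; libselinux would get past this point
#   not-writable  open failed (EROFS on a read-only /proc, or another error)
probe_fscreate() {
    f=/proc/self/attr/fscreate
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    # ">>" opens without O_TRUNC; procfs rejects truncation with EINVAL.
    if ( exec 3>>"$f" ) 2>/dev/null; then echo writable; else echo not-writable; fi
}

# Constructed sample tables (not captured from a real container).
BROKEN_TABLE='proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

FIXED_TABLE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

NO_SYS_TABLE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

echo "layout from the report: $(classify_proc_layout "$BROKEN_TABLE")"
echo "nspawn-style layout:    $(classify_proc_layout "$FIXED_TABLE")"
echo "this environment:       $(classify_proc_layout "$(cat /proc/self/mounts 2>/dev/null)") fscreate=$(probe_fscreate)"
```

Run it inside the container under test (for example via docker run with the image in question). A result of proc-ro together with fscreate=not-writable is the situation in this report; fscreate=missing is the case comment 2 expected, where userspace has no SELinux attr files to write and libselinux should not be trying.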
https://github.com/dotcloud/docker/pull/5903
Merged upstream
Lokesh, can you get this pull request into the next docker image?
Does the change go to the docker-io package or to the images themselves? Or does the change go to the docker-io package and affect what the generated images will look like?
(In reply to Jan Pazdziora from comment #9)
> Does the change go to the docker-io package

Just to the package, no effect on the images. However there is also a patch http://lists.centos.org/pipermail/centos-devel/2014-May/010345.html to fix the centos6 image for this as well.
I have a fix for us: shipping the RHEL6.5 image with a new version of libselinux. I also sent a patch to centos which they can use to fix this problem. Other than that there is nothing we can do to fix this problem until centos ships a new image with the fixed libselinux.