Bug 1096375 - Unable to run groupadd in container using centos image
Alias: None
Product: Atomic
Classification: Retired
Component: docker-io
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact:
Depends On:
Reported: 2014-05-09 18:53 UTC by Andy Goldstein
Modified: 2014-07-01 23:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-03 20:42:28 UTC
RHEL 7.3 requirements from Atomic Host:


Description Andy Goldstein 2014-05-09 18:53:28 UTC
Description of problem: unable to run groupadd inside a container

Version-Release number of selected component (if applicable): docker-0.10.0-4.el7 / atomic 2014.8

How reproducible: 100%

Steps to Reproduce:
1. docker run --rm -i -t centos groupadd foo

Actual results: groupadd: failure while writing changes to /etc/group

Expected results: no error

Additional info:

strace output:

open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system)
write(2, "groupadd: failure while writing "..., 54groupadd: failure while writing changes to /etc/group

Comment 1 Colin Walters 2014-05-09 18:58:35 UTC
Likely a regression from https://github.com/dotcloud/docker/pull/5445

For SELinux we really need /proc/self/.../fscreate to be writable.

Comment 2 Colin Walters 2014-05-09 19:19:44 UTC
Though...since we don't actually have SELinux in the containers, userspace shouldn't even be trying to write to them.

What centos image are you using?  I tried centos6 0b443ba03958 from the upstream registry and groupadd worked.

Comment 3 Andy Goldstein 2014-05-09 19:22:59 UTC
I'm using the same 0b443ba03958:

-bash-4.2# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
fedora              rawhide             5cc9e91966f7        4 hours ago         372.7 MB
fedora              20                  b7de3133ff98        2 weeks ago         372.7 MB
fedora              heisenbug           b7de3133ff98        2 weeks ago         372.7 MB
fedora              latest              b7de3133ff98        2 weeks ago         372.7 MB
centos              centos6             0b443ba03958        3 weeks ago         297.6 MB
centos              latest              0b443ba03958        3 weeks ago         297.6 MB
centos              6.4                 539c0211cd76        13 months ago       300.6 MB

-bash-4.2# docker run --rm centos groupadd foo
groupadd: failure while writing changes to /etc/group

Comment 4 Colin Walters 2014-05-09 19:35:38 UTC
Right, sorry, the machine I ran it on had SELinux disabled due to https://bugzilla.redhat.com/show_bug.cgi?id=1060423

So...one option is to change the kernel to fake out userspace into thinking SELinux is disabled.  From what I can see shadow is opening /proc/self/attr/current which works, since it does have a domain.

Comment 5 Alexander Larsson 2014-05-19 07:13:47 UTC
Lennart said nspawn mounts /proc as read-write and just /proc/sys as readonly. We should probably switch to that. Lemme try that.

Comment 6 Alexander Larsson 2014-05-19 07:55:35 UTC

Comment 7 Alexander Larsson 2014-05-20 07:00:36 UTC
Merged upstream

Comment 8 Daniel Walsh 2014-05-22 16:14:09 UTC
Lokesh, can you get this pull request into the next docker image?

Comment 9 Jan Pazdziora 2014-05-27 08:52:55 UTC
Does the change go to the docker-io package or to the images themselves? Or does the change go to the docker-io package and affect what the generated images will look like?

Comment 10 Colin Walters 2014-05-27 11:35:32 UTC
(In reply to Jan Pazdziora from comment #9)
> Does the change go to the docker-io package

Just to the package, no effect on the images.  

However there is also a patch to fix the centos6 image for this as well.

Comment 13 Daniel Walsh 2014-06-03 20:42:28 UTC
I have a fix for us shipping the RHEL6.5 image with a new version of libselinux. I also sent a patch to centos which they can use to fix this problem.

Other than that there is nothing we can do to fix this problem until centos ships a new image with the fixed libselinux.
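
Added example, not part of the bug report or of Docker's code: a Python check over mountinfo-format text that reports whether /proc/self/attr/fscreate sits on a read-only mount (the condition behind the EROFS in the strace output) and whether /proc/sys is still read-only, as in the layout described in comment 5. Both mountinfo samples are constructed, and the function and key names are hypothetical.

```python
# Added example. Both mountinfo samples are constructed, not captured from the bug.
BROKEN = """\
60 45 0:40 / / rw,relatime - ext4 /dev/mapper/example-root rw
61 60 0:41 / /proc ro,nosuid,nodev,noexec,relatime - proc proc rw
62 60 0:42 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
"""
NSPAWN_STYLE = """\
60 45 0:40 / / rw,relatime - ext4 /dev/mapper/example-root rw
61 60 0:41 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
63 61 0:41 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
62 60 0:42 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
"""


def parse_mountinfo(text):
    """Return [(mount_point, read_only)] in file order (later mounts overlay earlier)."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields[6:]:
            continue  # not a mountinfo record
        sep = fields.index("-", 6)  # optional fields end at the "-" separator
        per_mount = fields[5].split(",")
        superblock = fields[sep + 3].split(",") if len(fields) > sep + 3 else []
        # A write fails with EROFS if either the mount or the superblock is ro.
        mounts.append((fields[4], "ro" in per_mount or "ro" in superblock))
    return mounts


def covering_mount(mounts, path):
    """Pick the most specific mount point containing path; ties go to the later entry."""
    best = None
    for mount_point, read_only in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, read_only)
    return best


def audit(text):
    """Summarise the two properties the thread cares about for a container's /proc."""
    mounts = parse_mountinfo(text)
    attr = covering_mount(mounts, "/proc/self/attr/fscreate")
    sysctl = covering_mount(mounts, "/proc/sys/kernel/hostname")
    return {
        "fscreate_on_rw_mount": attr is not None and not attr[1],
        "proc_sys_read_only": sysctl is not None and sysctl[1],
    }
```

Inside a container, `audit(open("/proc/self/mountinfo").read())` applies the same check to the live mount table.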
