Description of problem: unable to run groupadd inside a container
Version-Release number of selected component (if applicable): docker-0.10.0-4.el7 / atomic 2014.8
How reproducible: 100%
Steps to Reproduce:
1. docker run --rm -i -t centos groupadd foo
Actual results: groupadd: failure while writing changes to /etc/group
Expected results: no error
open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system)
write(2, "groupadd: failure while writing "..., 54groupadd: failure while writing changes to /etc/group
Likely a regression from https://github.com/dotcloud/docker/pull/5445
For SELinux we really need /proc/self/.../fscreate to be writable.
Though...since we don't actually have SELinux in the containers, userspace shouldn't even be trying to write to them.
What centos image are you using? I tried centos6 0b443ba03958 from the upstream registry and groupadd worked.
I'm using the same 0b443ba03958:
-bash-4.2# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
fedora rawhide 5cc9e91966f7 4 hours ago 372.7 MB
fedora 20 b7de3133ff98 2 weeks ago 372.7 MB
fedora heisenbug b7de3133ff98 2 weeks ago 372.7 MB
fedora latest b7de3133ff98 2 weeks ago 372.7 MB
centos centos6 0b443ba03958 3 weeks ago 297.6 MB
centos latest 0b443ba03958 3 weeks ago 297.6 MB
centos 6.4 539c0211cd76 13 months ago 300.6 MB
-bash-4.2# docker run --rm centos groupadd foo
groupadd: failure while writing changes to /etc/group
Right, sorry, the machine I ran it on had SELinux disabled due to https://bugzilla.redhat.com/show_bug.cgi?id=1060423
So...one option is to change the kernel to fake out userspace into thinking SELinux is disabled. From what I can see shadow is opening /proc/self/attr/current which works, since it does have a domain.
Lennart said nspawn mounts /proc as read-write and just /proc/sys as readonly. We should probably switch to that. Lemme try that.
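An added diagnostic, not part of this bug report: a POSIX sh function that classifies a /proc/mounts table into the layouts this thread contrasts (the whole of /proc read-only, which makes libselinux's write to /proc/self/attr/fscreate fail with EROFS, versus the nspawn layout of /proc read-write with only /proc/sys read-only). The two sample mount tables are constructed for the example; the live probe reads the container's own /proc/self/mounts.

```shell
#!/bin/sh
# Constructed sample tables in /proc/mounts format (fsname mountpoint fstype opts dump pass).
PROC_RO_TABLE='proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0'
NSPAWN_TABLE='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0'

# mount_opts TABLE MOUNTPOINT: print the option string of the mount at MOUNTPOINT.
# When a mountpoint appears more than once the last entry wins, matching how a later
# mount shadows an earlier one.
mount_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# classify_proc_layout TABLE: print one of
#   proc-readonly           whole /proc is ro; writes to /proc/self/attr/* get EROFS
#   nspawn-style            /proc rw, /proc/sys ro (what the comment above proposes)
#   proc-rw-sys-unprotected /proc rw and /proc/sys not separately made ro
#   no-proc                 no /proc mount found in the table
classify_proc_layout() {
  proc_opts=$(mount_opts "$1" /proc)
  sys_opts=$(mount_opts "$1" /proc/sys)
  case ",$proc_opts," in
    *,ro,*) echo proc-readonly; return 0 ;;
    *,rw,*) ;;
    *) echo no-proc; return 0 ;;
  esac
  case ",$sys_opts," in
    *,ro,*) echo nspawn-style ;;
    *) echo proc-rw-sys-unprotected ;;
  esac
}

# check_live: classify the mount table of the environment this script runs in.
check_live() {
  table=$(cat /proc/self/mounts 2>/dev/null) || { echo no-proc; return 0; }
  classify_proc_layout "$table"
}

# fscreate_writable: direct probe of the file libselinux opens O_RDWR before groupadd
# writes /etc/group. Prints yes/no; under a ro /proc the access check fails with EROFS.
fscreate_writable() {
  if [ -w /proc/self/attr/fscreate ]; then echo yes; else echo no; fi
}
```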
Lokesh, can you get this pull request into the next docker image?
Does the change go to the docker-io package or to the images themselves? Or does the change go to the docker-io package and affect what the generated images will look like?
(In reply to Jan Pazdziora from comment #9)
> Does the change go to the docker-io package
Just to the package, no effect on the images.
However, there is also a patch to fix the centos6 image for this as well.
I have a fix for us shipping the RHEL6.5 image with a new version of libselinux. I also sent a patch to centos which they can use to fix this problem.
Other than that there is nothing we can do to fix this problem until centos ships a new image with the fixed libselinux.