Description of problem:
Unable to successfully build and run a fairly simple image that used to work.

Version-Release number of selected component (if applicable):
$ docker -v
Docker version 0.11.1, build fb99f99/0.11.1

How reproducible:
Always

Steps to Reproduce:
mkdir docker_test
cd docker_test
wget http://pastebin.com/raw.php?i=ie8BRcC4 -O Dockerfile
docker build -t sshd --no-cache

Actual results:
$ docker build -t sshd --no-cache .
Uploading context 2.56 kB
Uploading context
Step 0 : FROM centos
 ---> 539c0211cd76
Step 1 : RUN yum install -y openssh-server
 ---> Running in 65f28c081323
Loaded plugins: fastestmirror
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openssh-server.x86_64 0:5.3p1-94.el6 will be installed
--> Processing Dependency: openssh = 5.3p1-94.el6 for package: openssh-server-5.3p1-94.el6.x86_64
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10)(64bit) for package: openssh-server-5.3p1-94.el6.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1)(64bit) for package: openssh-server-5.3p1-94.el6.x86_64
--> Processing Dependency: libwrap.so.0()(64bit) for package: openssh-server-5.3p1-94.el6.x86_64
--> Processing Dependency: libfipscheck.so.1()(64bit) for package: openssh-server-5.3p1-94.el6.x86_64
--> Running transaction check
---> Package fipscheck-lib.x86_64 0:1.2.0-7.el6 will be installed
--> Processing Dependency: /usr/bin/fipscheck for package: fipscheck-lib-1.2.0-7.el6.x86_64
---> Package openssh.x86_64 0:5.3p1-94.el6 will be installed
---> Package openssl.x86_64 0:1.0.0-27.el6_4.2 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Processing Dependency: make for package: openssl-1.0.1e-16.el6_5.7.x86_64
---> Package tcp_wrappers-libs.x86_64 0:7.6-57.el6 will be installed
--> Running transaction check
---> Package fipscheck.x86_64 0:1.2.0-7.el6 will be installed
---> Package make.x86_64 1:3.81-20.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch      Version               Repository   Size
================================================================================
Installing:
 openssh-server       x86_64    5.3p1-94.el6          base         311 k
Installing for dependencies:
 fipscheck            x86_64    1.2.0-7.el6           base          14 k
 fipscheck-lib        x86_64    1.2.0-7.el6           base         8.3 k
 make                 x86_64    1:3.81-20.el6         base         389 k
 openssh              x86_64    5.3p1-94.el6          base         258 k
 tcp_wrappers-libs    x86_64    7.6-57.el6            base          62 k
Updating for dependencies:
 openssl              x86_64    1.0.1e-16.el6_5.7     updates      1.5 M

Transaction Summary
================================================================================
Install       6 Package(s)
Upgrade       1 Package(s)

Total download size: 2.5 M
Downloading Packages:
--------------------------------------------------------------------------------
Total                                           569 kB/s | 2.5 MB     00:04
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key>
 Package: centos-release-6-4.el6.centos.10.x86_64 (@febootstrap/$releasever)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : tcp_wrappers-libs-7.6-57.el6.x86_64    1/8
  Installing : 1:make-3.81-20.el6.x86_64              2/8
  Updating   : openssl-1.0.1e-16.el6_5.7.x86_64       3/8
  Installing : fipscheck-lib-1.2.0-7.el6.x86_64       4/8
  Installing : fipscheck-1.2.0-7.el6.x86_64           5/8
  Installing : openssh-5.3p1-94.el6.x86_64            6/8
  Installing : openssh-server-5.3p1-94.el6.x86_64     7/8
groupadd: failure while writing changes to /etc/group
  Cleanup    : openssl-1.0.0-27.el6_4.2.x86_64        8/8
  Verifying  : 1:make-3.81-20.el6.x86_64              1/8
  Verifying  : tcp_wrappers-libs-7.6-57.el6.x86_64    2/8
  Verifying  : fipscheck-1.2.0-7.el6.x86_64           3/8
  Verifying  : openssl-1.0.1e-16.el6_5.7.x86_64       4/8
  Verifying  : openssh-5.3p1-94.el6.x86_64            5/8
  Verifying  : openssh-server-5.3p1-94.el6.x86_64     6/8
  Verifying  : fipscheck-lib-1.2.0-7.el6.x86_64       7/8
  Verifying  : openssl-1.0.0-27.el6_4.2.x86_64        8/8

Installed:
  openssh-server.x86_64 0:5.3p1-94.el6

Dependency Installed:
  fipscheck.x86_64 0:1.2.0-7.el6
  fipscheck-lib.x86_64 0:1.2.0-7.el6
  make.x86_64 1:3.81-20.el6
  openssh.x86_64 0:5.3p1-94.el6
  tcp_wrappers-libs.x86_64 0:7.6-57.el6

Dependency Updated:
  openssl.x86_64 0:1.0.1e-16.el6_5.7

Complete!
 ---> e869dfd88b15
Removing intermediate container 65f28c081323
Step 2 : RUN sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords yes/;s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
 ---> Running in 8673e7861c41
sed: warning: failed to set default file creation context to system_u:object_r:file_t:s0: Read-only file system
 ---> f49ebe0bc026
Removing intermediate container 8673e7861c41
Step 3 : CMD service sshd start ; bash
 ---> Running in b4db6af6261e
 ---> b9d7e3852943
Removing intermediate container b4db6af6261e
Successfully built b9d7e3852943

Expected results:
A build and run with no errors. Everything works as expected when run for instance in a boot2docker vm: https://github.com/boot2docker/boot2docker/releases/download/v0.9.1/boot2docker.iso

Additional info:
$ getenforce
Permissive

The error is recent. I am not sure if the problem is Docker, selinux, or Centos base files, but the full operation used to succeed without any problem in the past.

Note sed warning:
sed: warning: failed to set default file creation context to system_u:object_r:file_t:s0: Read-only file system
 ---> f49ebe0bc026

When running a container from that image, the ssh fails:
$ docker run -t -i sshd
Generating SSH1 RSA host key: No such file or directory [ OK ]
Generating SSH2 RSA host key: No such file or directory [ OK ]
Generating SSH2 DSA host key: No such file or directory [ OK ]
Starting sshd: Privilege separation user sshd does not exist [FAILED]
bash-4.1# exit

Found some evidence that the problem is wider and not related just to sshd.

Building this simple image:

FROM centos:latest
MAINTAINER Paolo Antinori <paolo.antinori>
RUN yum install -y httpd ; yum -y clean all
CMD service httpd start ; bash
EXPOSE 80

Gives this output and a not runnable httpd:

$ docker build --rm -t test .
Uploading context 2.56 kB
Uploading context
Step 0 : FROM centos:latest
 ---> 0b443ba03958
Step 1 : MAINTAINER Paolo Antinori <paolo.antinori>
 ---> Using cache
 ---> 4f53ca7a4051
Step 2 : RUN yum install -y httpd ; yum -y clean all
 ---> Running in 783dae15dd6c
Loaded plugins: fastestmirror
http://centosh2.centos.org/centos/6.5/updates/x86_64/repodata/d488729553d7cbc3cc08e719d084cfbab0740f8784827f632c1939c87ffdd7c3-primary.sqlite.bz2: [Errno 12] Timeout on http://centosh2.centos.org/centos/6.5/updates/x86_64/repodata/d488729553d7cbc3cc08e719d084cfbab0740f8784827f632c1939c87ffdd7c3-primary.sqlite.bz2: (28, 'Operation too slow. Less than 1 bytes/sec transfered the last 30 seconds')
Trying other mirror.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-30.el6.centos will be installed
--> Processing Dependency: httpd-tools = 2.2.15-30.el6.centos for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: initscripts >= 8.36 for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: apr-util-ldap for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.2.15-30.el6.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.2.15-30.el6.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.3.9-5.el6_2 will be installed
---> Package apr-util.x86_64 0:1.3.9-3.el6_0.1 will be installed
---> Package apr-util-ldap.x86_64 0:1.3.9-3.el6_0.1 will be installed
---> Package httpd-tools.x86_64 0:2.2.15-30.el6.centos will be installed
---> Package initscripts.x86_64 0:9.03.40-2.el6.centos.1 will be installed
--> Processing Dependency: upstart >= 0.6.0 for package: initscripts-9.03.40-2.el6.centos.1.x86_64
--> Processing Dependency: ethtool >= 1.8-2 for package: initscripts-9.03.40-2.el6.centos.1.x86_64
--> Processing Dependency: /sbin/ip for package: initscripts-9.03.40-2.el6.centos.1.x86_64
--> Processing Dependency: /sbin/arping for package: initscripts-9.03.40-2.el6.centos.1.x86_64
---> Package mailcap.noarch 0:2.1.31-2.el6 will be installed
---> Package redhat-logos.noarch 0:60.0.14-12.el6.centos will be installed
--> Running transaction check
---> Package ethtool.x86_64 2:3.5-1.4.el6_5 will be installed
---> Package iproute.x86_64 0:2.6.32-31.el6 will be installed
--> Processing Dependency: iptables >= 1.4.5 for package: iproute-2.6.32-31.el6.x86_64
--> Processing Dependency: libxtables.so.4()(64bit) for package: iproute-2.6.32-31.el6.x86_64
---> Package iputils.x86_64 0:20071127-17.el6_4.2 will be installed
---> Package upstart.x86_64 0:0.6.5-13.el6_5.3 will be installed
--> Running transaction check
---> Package iptables.x86_64 0:1.4.7-11.el6 will be installed
--> Processing Dependency: policycoreutils for package: iptables-1.4.7-11.el6.x86_64
--> Running transaction check
---> Package policycoreutils.x86_64 0:2.0.83-19.39.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch      Version                    Repository   Size
================================================================================
Installing:
 httpd              x86_64    2.2.15-30.el6.centos       updates      821 k
Installing for dependencies:
 apr                x86_64    1.3.9-5.el6_2              base         123 k
 apr-util           x86_64    1.3.9-3.el6_0.1            base          87 k
 apr-util-ldap      x86_64    1.3.9-3.el6_0.1            base          15 k
 ethtool            x86_64    2:3.5-1.4.el6_5            updates      101 k
 httpd-tools        x86_64    2.2.15-30.el6.centos       updates       73 k
 initscripts        x86_64    9.03.40-2.el6.centos.1     updates      940 k
 iproute            x86_64    2.6.32-31.el6              base         365 k
 iptables           x86_64    1.4.7-11.el6               base         252 k
 iputils            x86_64    20071127-17.el6_4.2        base         120 k
 mailcap            noarch    2.1.31-2.el6               base          27 k
 policycoreutils    x86_64    2.0.83-19.39.el6           base         648 k
 redhat-logos       noarch    60.0.14-12.el6.centos      base          15 M
 upstart            x86_64    0.6.5-13.el6_5.3           updates      177 k

Transaction Summary
================================================================================
Install      14 Package(s)

Total download size: 18 M
Installed size: 30 M
Downloading Packages:
--------------------------------------------------------------------------------
Total                                           536 kB/s |  18 MB     00:34
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key>
 Package: centos-release-6-5.el6.centos.11.2.x86_64 (@CentOS-Updates/$releasever)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 2 pre-existing rpmdb problem(s), 'yum check' output follows:
udev-147-2.51.el6.x86_64 has missing requires of /sbin/service
udev-147-2.51.el6.x86_64 has missing requires of MAKEDEV >= ('0', '3.11', None)
  Installing : apr-1.3.9-5.el6_2.x86_64                     1/14
  Installing : apr-util-1.3.9-3.el6_0.1.x86_64              2/14
  Installing : apr-util-ldap-1.3.9-3.el6_0.1.x86_64         3/14
  Installing : httpd-tools-2.2.15-30.el6.centos.x86_64      4/14
  Installing : mailcap-2.1.31-2.el6.noarch                  5/14
  Installing : upstart-0.6.5-13.el6_5.3.x86_64              6/14
  Installing : redhat-logos-60.0.14-12.el6.centos.noarch    7/14
  Installing : 2:ethtool-3.5-1.4.el6_5.x86_64               8/14
  Installing : iputils-20071127-17.el6_4.2.x86_64           9/14
  Installing : iproute-2.6.32-31.el6.x86_64                10/14
  Installing : initscripts-9.03.40-2.el6.centos.1.x86_64   11/14
  Installing : policycoreutils-2.0.83-19.39.el6.x86_64     12/14
  Installing : iptables-1.4.7-11.el6.x86_64                13/14
  Installing : httpd-2.2.15-30.el6.centos.x86_64           14/14
groupadd: failure while writing changes to /etc/group
useradd: group 'apache' does not exist
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root
  Verifying  : httpd-2.2.15-30.el6.centos.x86_64            1/14
  Verifying  : apr-1.3.9-5.el6_2.x86_64                     2/14
  Verifying  : 2:ethtool-3.5-1.4.el6_5.x86_64               3/14
  Verifying  : apr-util-ldap-1.3.9-3.el6_0.1.x86_64         4/14
  Verifying  : initscripts-9.03.40-2.el6.centos.1.x86_64    5/14
  Verifying  : iputils-20071127-17.el6_4.2.x86_64           6/14
  Verifying  : redhat-logos-60.0.14-12.el6.centos.noarch    7/14
  Verifying  : iptables-1.4.7-11.el6.x86_64                 8/14
  Verifying  : upstart-0.6.5-13.el6_5.3.x86_64              9/14
  Verifying  : iproute-2.6.32-31.el6.x86_64                10/14
  Verifying  : mailcap-2.1.31-2.el6.noarch                 11/14
  Verifying  : httpd-tools-2.2.15-30.el6.centos.x86_64     12/14
  Verifying  : apr-util-1.3.9-3.el6_0.1.x86_64             13/14
  Verifying  : policycoreutils-2.0.83-19.39.el6.x86_64     14/14

Installed:
  httpd.x86_64 0:2.2.15-30.el6.centos

Dependency Installed:
  apr.x86_64 0:1.3.9-5.el6_2
  apr-util.x86_64 0:1.3.9-3.el6_0.1
  apr-util-ldap.x86_64 0:1.3.9-3.el6_0.1
  ethtool.x86_64 2:3.5-1.4.el6_5
  httpd-tools.x86_64 0:2.2.15-30.el6.centos
  initscripts.x86_64 0:9.03.40-2.el6.centos.1
  iproute.x86_64 0:2.6.32-31.el6
  iptables.x86_64 0:1.4.7-11.el6
  iputils.x86_64 0:20071127-17.el6_4.2
  mailcap.noarch 0:2.1.31-2.el6
  policycoreutils.x86_64 0:2.0.83-19.39.el6
  redhat-logos.noarch 0:60.0.14-12.el6.centos
  upstart.x86_64 0:0.6.5-13.el6_5.3

Complete!
Loaded plugins: fastestmirror
Cleaning repos: base extras updates
Cleaning up Everything
 ---> 544b2a692924
Removing intermediate container 783dae15dd6c
Step 3 : CMD service httpd start ; bash
 ---> Running in 0ede7efeb3cc
 ---> 140c0aaa7f53
Removing intermediate container 0ede7efeb3cc
Step 4 : EXPOSE 80
 ---> Running in 17025c7e85dc
 ---> 085199e5b898
Removing intermediate container 17025c7e85dc
Successfully built 085199e5b898

17:03:37 (..ainers/centos/test)$ docker run --rm -it test
Starting httpd: httpd: bad user name apache [FAILED]

while everything builds and then runs just fine from index.docker.io:
https://index.docker.io/u/pantinor/centos_httpd/

Similar error installing postgresql in a fedora based image.

Dockerfile:

FROM fedora
RUN yum install -y postgresql-server postgresql postgresql-contrib
USER postgres
RUN /usr/bin/initdb -D /var/lib/pgsql/data

When installing postgres, the following warnings appear:

.
.
Installing : postgresql-server-9.3.4-1.fc20.x86_64 6/6
warning: user postgres does not exist - using root
warning: group postgres does not exist - using root
.
.
.

And when running the initdb:

.
.
Step 3 : RUN /usr/bin/initdb -D /var/lib/pgsql/data
 ---> Running in 9bb388ecf911
finalize namespace setup user get supplementary groups Unable to find user postgres
The command [/bin/sh -c /usr/bin/initdb -D /var/lib/pgsql/data] returned a non-zero code: 1
.
.

In a container created with docker 0.9.1 and running with docker 0.11, if I try to do a "su - postgres" it fails:

bash-4.2# su - postgres
su: System error

It runs in the same container, when running with docker 0.9.1.

The problem is the libselinux in the centos image is reporting that SELinux is enabled to processes running within the container. This causes tools like useradd and groupadd to attempt to write to /proc/self/attr/* files in order to set up proper labeling for SELinux. Since /proc is now mounted read-only within the container, the writes are denied and useradd/groupadd fail.

The fix is to get an updated version of libselinux into the Centos 6 images. RHEL7/RHEL6 and current Fedora images have the fix.

Privileged containers and systems with SELinux disabled will not have this issue.

I believe the Fedora bugs reported are a separate issue, and it looks like the postgresql user needs to be added.

(In reply to Daniel Walsh from comment #4)
> The problem is the libselinux in the centos image is reporting that SELinux
> is enabled to processes running within the container. This causes tools like
> useradd and groupadd to attempt to write to /proc/self/attr/* files in order
> to set up proper labeling for SELinux. Since /proc is now mounted read-only
> within the container, the writes are denied and useradd/groupadd fail.
>
> The fix is to get an updated version of libselinux into the Centos 6 images.
> RHEL7/RHEL6 and current Fedora images have the fix.
>
> Privileged containers and systems with SELinux disabled will not have this
> issue.
>
> I believe the Fedora bugs reported are a separate issue, and it looks like
> the postgresql user needs to be added.

Hi Daniel, thanks for your comment.

I trust your every word about selinux, but I think that the problem cannot be just inside the Centos image, since it builds fine on index.docker.io:
https://index.docker.io/u/pantinor/centos_httpd/build_id/5062/code/bhwqycbcpdi5twzphkkoxzi/

Here is the full log if that link is private:
http://fpaste.org/103787/

I am not sure which linux flavour is in use on index.docker.io, I suspect CoreOS. I was able to compile correctly even on a boot2docker image.

On my last test I have temporarily disabled SELinux, built as root, and obviously not enabled --privileged since it's not an option for the build sub command.
http://fpaste.org/103787/

And I am still seeing these lines that are not present while building on other platforms:

groupadd: failure while writing changes to /etc/group
useradd: group 'apache' does not exist
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: user apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root

thank you
paolo

When you say you disabled it, did you just put it in permissive mode? In permissive mode the problem will continue, since it is not SELinux denying access; it is actually the fact that /proc is mounted read-only. Previous versions of docker did not do this. If you ran a container and just strace groupadd or useradd, you will see a permission denied while trying to write to /proc, which is read-only.

It would build fine on any platform that did not have "selinux enabled" in permissive or enforcing mode.
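
A check for the two conditions described in the comments above (SELinux enabled on the host, /proc mounted read-only in the container) together with a scan of a build log for the resulting symptom lines, as an added example that is not part of the original thread. The function names and sample files are constructed for illustration, and taking selinuxfs in /proc/filesystems as the SELinux indicator is an assumption; the libselinux version inside the image is not checked.

```sh
#!/bin/sh
# Added example, not from the bug thread. File arguments use the formats of
# /proc/mounts and /proc/filesystems so the checks can run on saved copies.

# Print "ro" or "rw" for mount point $2 listed in mounts file $1.
# The last matching entry wins, because later mounts shadow earlier ones.
mount_mode() {
    awk -v target="$2" '
        $2 == target {
            mode = "rw"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") mode = "ro"
        }
        END { if (mode == "") exit 1; print mode }' "$1"
}

# Assumption of this sketch: selinuxfs listed in the filesystems file $1 is
# taken as the sign that SELinux is enabled (permissive or enforcing).
selinux_visible() { grep -qw selinuxfs "$1"; }

# $1 = mounts file, $2 = filesystems file.
# Prints preconditions-met, preconditions-not-met or unknown.
check_preconditions() {
    proc_mode=$(mount_mode "$1" /proc) || { echo unknown; return 0; }
    if selinux_visible "$2" && [ "$proc_mode" = ro ]; then
        echo preconditions-met
    else
        echo preconditions-not-met
    fi
}

# Print "user NAME" / "group NAME" for every account that rpm could not
# find while installing files (it falls back to root). $1 = build log.
missing_accounts() {
    sed -n -E 's/^.*warning: (user|group) ([^ ]+) does not exist - using root.*$/\1 \2/p' "$1" | sort -u
}

# CI gate: fails when the log carries the symptoms, even though docker
# build itself ended with "Successfully built".
build_log_ok() {
    ! grep -q -e 'groupadd: failure while writing changes to /etc/group' \
              -e 'does not exist - using root' "$1"
}

# Constructed sample input; the log lines repeat messages quoted in this thread.
SAMPLE=$(mktemp -d)
printf '%s\n' 'rootfs / rootfs rw 0 0' \
    'proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0' > "$SAMPLE/mounts"
printf 'nodev\tproc\nnodev\tselinuxfs\n\text4\n' > "$SAMPLE/filesystems"
printf '%s\n' 'groupadd: failure while writing changes to /etc/group' \
    "useradd: group 'apache' does not exist" \
    'warning: group apache does not exist - using root' \
    'warning: user apache does not exist - using root' \
    'Successfully built 085199e5b898' > "$SAMPLE/build.log"

echo "container: $(check_preconditions "$SAMPLE/mounts" "$SAMPLE/filesystems")"
missing_accounts "$SAMPLE/build.log"
build_log_ok "$SAMPLE/build.log" || echo "build log: account creation failed"
```

Inside a running container the same function takes the live files: check_preconditions /proc/mounts /proc/filesystems.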

Oh, I see. I was just putting it in permissive mode. Thanks for the explanation.

Thanks Daniel, after a yum update of the host, postgresql runs again.
I have pushed an updated libselinux for rhel6.6 into http://people.redhat.com/dwalsh/SELinux/RHEL6 If you install this version of libselinux into your rhel6 base image, I believe the useradd/groupadd problems will go away. We plan on adding this version to any docker images for rhel6 that we ship even prior to the release of rhel6.6.

(In reply to Daniel Walsh from comment #12)
> I have pushed an updated libselinux for rhel6.6 into
>
> http://people.redhat.com/dwalsh/SELinux/RHEL6
>
> If you install this version of libselinux into your rhel6 base image, I
> believe the useradd/groupadd problems will go away. We plan on adding this
> version to any docker images for rhel6 that we ship even prior to the
> release of rhel6.6.

This fixes the issue for me.

I have exactly the same problem, but using Fedora 20 with Docker version 0.11.1, build fb99f99/0.11.1.

I have provided a fixed libselinux package which can be used to build your rhel6 image. We will soon be shipping a RHEL6 image with the newer libselinux package. I have also provided patches for libselinux to centos.

Thanks to Daniel, half of my problem is solved. I am now able to build successfully with the Centos base image, adding his packages as the very first step:

FROM centos:latest
# keep this until these packages get into the official image with CentOS 6.6
# see http://bugs.centos.org/view.php?id=7126
RUN yum install -y http://mirror.centos.org/centos/6.5/centosplus/x86_64/Packages/libselinux-2.0.94-5.3.0.1.el6.centos.plus.x86_64.rpm http://mirror.centos.org/centos/6.5/centosplus/x86_64/Packages/libselinux-utils-2.0.94-5.3.0.1.el6.centos.plus.x86_64.rpm
RUN yum install -y httpd ; yum -y clean all
CMD service httpd start ; bash
EXPOSE 80

The Centos base image has been officially updated with the new packages, so the manual installation is no longer needed. I still have a problem connecting to sshd if I do not run the container as privileged, but I have opened the ticket on the Docker side now.