Bug 1272143 - Can't start containers that use supplemental groups but lack /etc/groups
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
Reported: 2015-10-15 14:47 UTC by Lokesh Mandvekar
Modified: 2019-03-06 01:32 UTC (History)

Fixed In Version: docker-1.8.2-7.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1270529
Environment:
Last Closed: 2016-05-12 15:16:52 UTC
Target Upstream Version:

Links
System: Red Hat Product Errata
ID: RHSA-2016:1034
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: docker security, bug fix, and enhancement update
Last Updated: 2016-05-12 19:15:01 UTC

Description Lokesh Mandvekar 2015-10-15 14:47:18 UTC
+++ This bug was initially created as a clone of Bug #1270529 +++

Description of problem:

Docker can't start containers that use supplemental groups but do not have an /etc/groups file in their filesystem.  

The bug has been fixed in runc:

https://github.com/opencontainers/runc/pull/313

And there is a patch for the Red Hat docker:

https://github.com/rhatdan/docker/pull/127

Version-Release number of selected component (if applicable):

1.8

How reproducible:

Create a busybox container and set supplemental groups on it:

docker run --group-add=[123] -it busybox id -G

Actual results:

Container fails

Expected results:

Container starts and prints '123'

--- Additional comment from Fedora Update System on 2015-10-15 09:36:46 CDT ---

docker-io-1.8.2-2.gitcb216be.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-891d60ea2b
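
The following Go example is added here and is not taken from runc, Docker or this bug report. It shows supplemental group resolution in which numeric --group-add values are accepted when the image has no group file, while group names still require a lookup; the function name resolveGroups and the sample inputs are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// resolveGroups (hypothetical name) maps --group-add values to numeric GIDs.
// groupFile is the image's group database, or nil when the image has none.
func resolveGroups(wanted []string, groupFile io.Reader) ([]int, error) {
	byName := map[string]int{}
	if groupFile != nil {
		sc := bufio.NewScanner(groupFile)
		for sc.Scan() {
			f := strings.Split(sc.Text(), ":") // name:password:gid:members
			if len(f) < 3 {
				continue // malformed line, ignore
			}
			if gid, err := strconv.Atoi(f[2]); err == nil {
				byName[f[0]] = gid
			}
		}
		if err := sc.Err(); err != nil {
			return nil, err
		}
	}
	var gids []int
	for _, w := range wanted {
		gid, err := strconv.Atoi(w) // numeric values need no group file
		if err != nil {
			var ok bool
			if gid, ok = byName[w]; !ok {
				return nil, fmt.Errorf("unable to find group %q", w)
			}
		}
		if gid < 0 {
			return nil, fmt.Errorf("gid %d out of range", gid)
		}
		gids = append(gids, gid)
	}
	return gids, nil
}

func main() {
	// Constructed input: the reproducer's GID with no group file present.
	fmt.Println(resolveGroups([]string{"123"}, nil))
}
```

A group name requested without a group file still fails, which is the correct outcome: there is nothing to map the name to, so the container should not start with a guessed GID.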

Comment 2 Luwen Su 2015-10-25 10:05:46 UTC
In docker-1.8.2-7.el7.x86_64,

# docker run --group-add=123 -it busybox id -G
0 10 123

move to verified

Comment 4 errata-xmlrpc 2016-05-12 15:16:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1034.html
