moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

BuildKit fails on running `adduser` #805

Open geimer opened 5 years ago

geimer commented 5 years ago

With Docker version 18.09.1 build 4c52b90, the following simple Dockerfile

```
$ cat Dockerfile
# syntax = docker/dockerfile
FROM ubuntu:18.04
RUN adduser --no-create-home --disabled-password --gecos "foo,,," foo
USER foo
```

fails for me with `chfn: PAM: System error` when using BuildKit:

```
$ DOCKER_BUILDKIT=1 docker build --no-cache -t foo . >buildkit.log 2>&1
$ cat buildkit.log
#2 [internal] load .dockerignore
#2       digest: sha256:8a3a9b1fb80b2f9f9a87457ad2fb2d3acb2090841ada093c260288e167131155
#2         name: "[internal] load .dockerignore"
#2      started: 2019-01-30 14:32:34.623889119 +0000 UTC
#2    completed: 2019-01-30 14:32:34.642525936 +0000 UTC
#2     duration: 18.636817ms
#2 transferring context: 2B done

#1 [internal] load build definition from Dockerfile
#1       digest: sha256:81c039fba186cd9cb30293f2d0eb18eca78862d17a100ce9c39c08ff44e89c64
#1         name: "[internal] load build definition from Dockerfile"
#1      started: 2019-01-30 14:32:34.623672243 +0000 UTC
#1    completed: 2019-01-30 14:32:34.638427184 +0000 UTC
#1     duration: 14.754941ms
#1 transferring dockerfile: 36B done

#3 resolve image config for docker.io/docker/dockerfile:latest
#3       digest: sha256:494bf185d71dfc7e69e3ae891398c981aec29bfecd003236f667d8d76cf85794
#3         name: "resolve image config for docker.io/docker/dockerfile:latest"
#3      started: 2019-01-30 14:32:34.671411798 +0000 UTC
#3    completed: 2019-01-30 14:32:35.951599815 +0000 UTC
#3     duration: 1.280188017s

#4 docker-image://docker.io/docker/dockerfile@sha256:653ad79c9cd2fe8105290b...
#4       digest: sha256:ff340eaeb9d45c6899fdef284af12d055587c0c5b51bac5c2b5253bb45dad31a
#4         name: "docker-image://docker.io/docker/dockerfile@sha256:653ad79c9cd2fe8105290b61bc0f261c6f73a9e9cb1780bdb529c396e04f9655"
#4      started: 2019-01-30 14:32:35.952101062 +0000 UTC
#4    completed: 2019-01-30 14:32:35.952136027 +0000 UTC
#4     duration: 34.965µs
#4       cached: true

#5 [internal] load metadata for docker.io/library/ubuntu:18.04
#5       digest: sha256:ae46bbb1b755529d0da663ca0256a22acd7c9fe21844946c149800baa67c4e4b
#5         name: "[internal] load metadata for docker.io/library/ubuntu:18.04"
#5      started: 2019-01-30 14:32:36.372073081 +0000 UTC
#5    completed: 2019-01-30 14:32:36.372469073 +0000 UTC
#5     duration: 395.992µs

#6 [1/2] FROM docker.io/library/ubuntu:18.04
#6       digest: sha256:5e691c7ba4998fa4b60d1218bbc4ed9845bfa527d7d91b0c48922bbea45ce425
#6         name: "[1/2] FROM docker.io/library/ubuntu:18.04"
#6      started: 2019-01-30 14:32:36.374950252 +0000 UTC
#6    completed: 2019-01-30 14:32:36.375020224 +0000 UTC
#6     duration: 69.972µs
#6       cached: true

#7 [2/2] RUN adduser --no-create-home --disabled-password --gecos "foo,,," ...
#7       digest: sha256:a53f8105fc262895877de6f8b45c3ebd1c006e334b11617fadbcba57259facf8
#7         name: "[2/2] RUN adduser --no-create-home --disabled-password --gecos \"foo,,,\" foo"
#7      started: 2019-01-30 14:32:36.375104115 +0000 UTC
#7 0.441 Adding user `foo' ...
#7 0.441 Adding new group `foo' (1000) ...
#7 0.473 Adding new user `foo' (1000) with group `foo' ...
#7 0.599 Not creating home directory `/home/foo'.
#7 0.645 chfn: PAM: System error
#7    completed: 2019-01-30 14:32:37.086762062 +0000 UTC
#7     duration: 711.657947ms
#7        error: "executor failed running [/bin/sh -c adduser --no-create-home --disabled-password --gecos \"foo,,,\" foo]: exit code: 1"
#7 0.645 adduser: `/usr/bin/chfn -f foo -r  foo' returned error code 1. Exiting.

rpc error: code = Unknown desc = executor failed running [/bin/sh -c adduser --no-create-home --disabled-password --gecos "foo,,," foo]: exit code: 1
```

However, it works fine with the "legacy builder":

```
$ docker build --no-cache -t foo . >docker.log 2>&1
$ cat docker.log
Sending build context to Docker daemon  6.656kB

Step 1/3 : FROM ubuntu:18.04
 ---> 20bb25d32758
Step 2/3 : RUN adduser --no-create-home --disabled-password --gecos "foo,,," foo
 ---> Running in 11a8fd44e761
Adding user `foo' ...
Adding new group `foo' (1000) ...
Adding new user `foo' (1000) with group `foo' ...
Not creating home directory `/home/foo'.
Removing intermediate container 11a8fd44e761
 ---> ef2fbab93fbf
Step 3/3 : USER foo
 ---> Running in 85ac16f4a778
Removing intermediate container 85ac16f4a778
 ---> 31a96e09cbaf
Successfully built 31a96e09cbaf
Successfully tagged foo:latest
```

Not sure whether https://github.com/moby/moby/issues/6345 is related, as the failure occurs even if the new user does not exist on the host system, but maybe the root cause is similar?

tonistiigi commented 5 years ago

Could not reproduce. Do you use any special daemon configuration or build options?

geimer commented 5 years ago

I'm using the Docker Debian package with this daemon configuration:

```
$ cat /etc/docker/daemon.json
{
  "default-ulimits": {
    "core": {
      "Name": "core",
      "soft": 0,
      "hard": 0
    },
    "memlock": {
      "Name": "memlock",
      "soft": 1048576,
      "hard": 1048576
    },
    "nofile": {
      "Name": "nofile",
      "soft": 512,
      "hard": 512
    }
  },
  "icc": false,
  "iptables": true,
  "live-restore": true,
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "5"
  },
  "no-new-privileges": true,
  "storage-driver": "overlay2",
  "userland-proxy": false,
  "userns-remap": "default"
}
```
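
Added example, not part of the thread: one way to find which setting in the posted `daemon.json` the BuildKit failure depends on, without dropping the whole hardened configuration, is to test variants that each remove exactly one setting. The function name `bisect_variants` and the output file names are assumptions made for this sketch; the configuration values are the ones posted above.

```python
import json

# daemon.json exactly as posted in the comment above.
POSTED = json.loads("""
{"default-ulimits": {
   "core":    {"Name": "core",    "soft": 0,       "hard": 0},
   "memlock": {"Name": "memlock", "soft": 1048576, "hard": 1048576},
   "nofile":  {"Name": "nofile",  "soft": 512,     "hard": 512}},
 "icc": false, "iptables": true, "live-restore": true,
 "log-driver": "json-file",
 "log-opts": {"max-size": "10m", "max-file": "5"},
 "no-new-privileges": true, "storage-driver": "overlay2",
 "userland-proxy": false, "userns-remap": "default"}
""")


def bisect_variants(config):
    """Return {label: config copy} with exactly one setting removed each.

    The input is never modified, so every variant differs from the
    posted configuration by a single key.
    """
    variants = {}
    for key, value in config.items():
        variants[key] = {k: v for k, v in config.items() if k != key}
        if key == "default-ulimits":
            # Each ulimit is its own setting, so drop them one at a time too.
            for name in value:
                rest = {n: lim for n, lim in value.items() if n != name}
                variants[f"{key}.{name}"] = {**config, key: rest}
    return variants


if __name__ == "__main__":
    # Hypothetical file names; written to the current directory for review.
    for label, cfg in bisect_variants(POSTED).items():
        path = f"daemon.without-{label}.json"
        with open(path, "w") as fh:
            json.dump(cfg, fh, indent=2)
        print(path)
```

Each variant is installed as `/etc/docker/daemon.json` on a test host, the daemon restarted, and the failing `DOCKER_BUILDKIT=1 docker build --no-cache -t foo .` rerun; a variant under which the build succeeds names the setting involved. Removing `userns-remap` also makes the daemon use a different image store, so images pulled under the remapped configuration will not be visible in that run.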