
Unable to run sudo on 40 or 41 containers if --privileged is present #117

Open
jsf9k opened this issue Dec 18, 2024 · 10 comments

Comments

@jsf9k

jsf9k commented Dec 18, 2024

On my local machine (Arch) I can run these four commands just fine:

docker run -it fedora:40 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

docker run -it --privileged fedora:40 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

docker run -it fedora:41 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

docker run -it --privileged fedora:41 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

On Ubuntu 24.04 (GitHub runner), though, I get errors running sudo if the containers are started with the --privileged flag:

$ docker run -it fedora:40 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

$ docker run -it --privileged fedora:40 sudo ls
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required

$ docker run -it fedora:41 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

$ docker run -it --privileged fedora:41 sudo ls
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required

In both cases I pulled fresh containers using docker pull.

We use these containers together with Molecule to test Ansible roles, and this is causing all our Fedora tests to break in GitHub Actions even though the same tests pass locally.

Does anyone have any idea what is going on? I believe this started happening about four days ago.

@jsf9k
Author

jsf9k commented Dec 18, 2024

One other thing I noticed is that the --privileged containers on the GitHub runner allow sudo if I manually change the permissions on /etc/shadow and /etc/shadow- to 0644. (By default the file permissions are set to 0000.) This doesn't explain why it works with the default file permissions on my local machine, but perhaps it is a clue.
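A small triage script for the four-command matrix in the opening post and the /etc/shadow mode observation above. It is an added example, not code from the issue or from the Fedora image project; it assumes the docker CLI, the image tags fedora:40 and fedora:41, and the exact sudo error text quoted in the issue.

```shell
#!/bin/sh
# Added triage helper for the sudo/PAM failure discussed in this issue.
# Assumptions: the docker CLI is on PATH and can pull fedora:40 / fedora:41.

# Classify the combined stdout/stderr of "docker run ... sudo ls".
# Prints one of: ok, pam-account-error, other.
classify_sudo_output() {
    case "$1" in
        *"PAM account management error"*) echo pam-account-error ;;
        *"sudo: "*)                        echo other ;;   # some other sudo failure
        *"etc"*"usr"*)                     echo ok ;;      # a directory listing came back
        *)                                 echo other ;;
    esac
}

# Run "sudo ls" in IMAGE with optional docker flags and report the
# classification together with the octal mode of /etc/shadow, since the
# issue shows 0000 failing on affected hosts while 0644 works.
probe() {                      # usage: probe IMAGE [DOCKER_FLAGS...]
    image=$1; shift
    out=$(docker run --rm "$@" "$image" sudo ls 2>&1)
    mode=$(docker run --rm "$@" "$image" stat -c %a /etc/shadow 2>/dev/null)
    printf '%-10s %-12s sudo=%s shadow_mode=%s\n' \
        "$image" "${*:-(none)}" "$(classify_sudo_output "$out")" "${mode:-?}"
}

# The same matrix as the opening post: both images, with and without --privileged.
run_matrix() {
    for image in fedora:40 fedora:41; do
        probe "$image"
        probe "$image" --privileged
    done
}

# Only touch docker when explicitly asked: ./triage.sh run
if [ "${1:-}" = "run" ]; then run_matrix; fi
```

On an affected host the --privileged rows report sudo=pam-account-error; a host that behaves like the Arch machine above reports sudo=ok for all four rows.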

@jsf9k
Author

jsf9k commented Dec 18, 2024

I did try upgrading all available packages on the GitHub runner, but that did not fix the issue. I have also upgraded all available packages inside the containers. No dice.

@jsf9k
Author

jsf9k commented Dec 19, 2024

Another clue - when I run a command like sudo ls from inside the container I see output similar to the following in journalctl -xe:

Dec 17 22:41:01 fedora41-systemd-amd64 unix_chkpwd[486]: could not obtain user info (root)
Dec 17 22:41:01 fedora41-systemd-amd64 sudo[485]:     root : PAM account management error: Authentication service cannot retrieve authentication info ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/ls

@jsf9k
Author

jsf9k commented Dec 19, 2024

I posted the same information in an issue in RedHat's Bugzilla page.

@cverna
Collaborator

cverna commented Dec 23, 2024

It looks like this is working correctly running from Fedora

╭─cverna@cverna-mac ~ 
╰─$ podman run -it --rm  --privileged quay.io/fedora/fedora:41 sudo ls
afs  bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
╭─cverna@cverna-mac ~ 
╰─$ podman run -it --rm  --privileged registry.fedoraproject.org/fedora:41 sudo ls
Trying to pull registry.fedoraproject.org/fedora:41...
Getting image source signatures
Copying blob sha256:3a5dcf98433267d8eceeac94cb2c6503c515e0d201cc861c970f90d075b55778
Copying config sha256:8d47c27dd42afc7ad103009dca52f01262ee072cc9a1779a930eef949f90e011
Writing manifest to image destination
afs  bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

Going to try to run an Ubuntu VM to investigate

@jsf9k
Author

jsf9k commented Dec 30, 2024

I was able to reproduce this on a Raspberry Pi 5 running a fresh install of Ubuntu 24.04 Server (SD card created using rpi-imager) after installing the official Docker packages as described here.

I also verified that the same issue occurs whether I pull the images from Docker Hub or registry.fedoraproject.org.

@felddy

felddy commented Jan 7, 2025

I was able to reproduce this on a Mac running Colima:

docker run -it --rm --privileged fedora:40 sudo ls
Unable to find image 'fedora:40' locally
40: Pulling from library/fedora
6405a3879f35: Pull complete
Digest: sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9
Status: Downloaded newer image for fedora:40
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
uname -mrsv
Darwin 24.2.0 Darwin Kernel Version 24.2.0: Fri Dec  6 19:01:59 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6000 arm64

colima version && limactl --version && qemu-img --version
colima version 0.8.1
git commit: 96598cc5b64e5e9e1e64891642b91edc8ac49d16

runtime: docker
arch: aarch64
client: v27.4.1
server: v27.1.1
limactl version 1.0.3
qemu-img version 9.2.0
Copyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers

docker info
Client: Docker Engine - Community
 Version:    27.4.1
 Context:    colima
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.19.3
    Path:     /opt/homebrew/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  2.32.2
    Path:     /opt/homebrew/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: 27.1.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-39-generic
 Operating System: Ubuntu 24.04 LTS
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 15.59GiB
 Name: colima
 ID: 2064541f-8b09-4a6e-9bcf-f82297bba032
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

@jsf9k
Author

jsf9k commented Jan 9, 2025

On my Arch Linux development machine, where I do not see this issue:

uname --kernel-release
6.12.8-arch1-1

systemctl --version
systemd 257 (257.2-1-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +IPE +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +BTF +XKBCOMMON +UTMP -SYSVINIT +LIBARCHIVE

docker --version
Docker version 27.3.1, build ce1223035a

On the Raspberry Pi 5 running Ubuntu 24.04, where I do see this issue:

$ uname --kernel-version 
#19-Ubuntu SMP PREEMPT_DYNAMIC Fri Dec  6 20:45:12 UTC 2024
$ uname --kernel-release
6.8.0-1017-raspi
$ systemctl --version 
systemd 255 (255.4-1ubuntu8.4)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
$ docker --version 
Docker version 27.4.1, build b9d17ea

I'm happy to check any other software versions that folks think may be relevant.

@felddy

felddy commented Jan 10, 2025

I do not see the issue on my Raspberry Pi 4 Model B Rev 1.4 running Debian GNU/Linux 12 (bookworm):

docker run -it --rm --privileged fedora:40 sudo ls
Unable to find image 'fedora:40' locally
40: Pulling from library/fedora
6405a3879f35: Pull complete
Digest: sha256:7cdd2b48396929bb8723ea2fa60e03bee39cc22e2a853cbd891587fab4eb1bc9
Status: Downloaded newer image for fedora:40
afs  bin  boot	dev  etc  home	lib  lib64  media  mnt	opt  proc  root  run  sbin  srv  sys  tmp  usr	var

System details:

lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 12 (bookworm)
Release:	12
Codename:	bookworm

cat /sys/firmware/devicetree/base/model
Raspberry Pi 4 Model B Rev 1.4

uname -mrsv
Linux 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64

systemctl --version
systemd 252 (252.31-1~deb12u1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.9.1)

Server:
 Containers: 12
  Running: 11
  Paused: 0
  Stopped: 1
 Images: 28
 Server Version: 20.10.24+dfsg1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 1.6.20~ds1-1+b1
 runc version: 1.1.5+ds1-1+deb12u1
 init version:
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 6.1.21-v8+
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 7.629GiB
 Name: appa
 ID: RKF3:S7B4:UJOO:EBUY:V6SP:C7BN:XY4O:WUXQ:KPPN:ZEI3:XPOY:FN2S
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

@jsf9k
Author

jsf9k commented Jan 10, 2025

See also #118.
