Occasionally automated builds on the Docker Hub fail with PAM system errors like the following, which are from two separate builds:
Preparing to unpack .../mysql-server-5.5_5.5.38-0ubuntu0.14.04.1_amd64.deb ...
chfn: PAM: System error
adduser: '/usr/bin/chfn -f MySQL Server mysql' returned error code 1. Exiting.
dpkg: error processing archive /var/cache/apt/archives/mysql-server-5.5_5.5.38-0ubuntu0.14.04.1_amd64.deb (--unpack):
 subprocess new pre-installation script returned error exit status 1

Preparing to unpack .../redis-server_2%3a2.8.4-2_amd64.deb ...
chfn: PAM: System error
adduser: '/usr/bin/chfn -f redis server redis' returned error code 1. Exiting.
dpkg: error processing archive /var/cache/apt/archives/redis-server_2%3a2.8.4-2_amd64.deb (--unpack):
 subprocess new pre-installation script returned error exit status 1
Interestingly, this failure only happens intermittently and with identical Dockerfiles. Is there any way around this?
There is a workaround! It's a simple fix and doesn't appear to have any negative repercussions. Add the following symlink to the top of your Dockerfile:
RUN ln -s -f /bin/true /usr/bin/chfn
Subsequent builds should succeed.
This is the result of some recent kernel updates (see GitHub Issue #6345).
The kernel was recently updated to allow containers to send audit events, but they need CAP_AUDIT_WRITE to be able to write an audit event. (git-bisect was used to track this bug down.)
Before, PAM detected that auditing was unavailable/disabled (non-fatal error). Now that it's available, PAM detects the auditing system and tries to use it, but fails writing the audit event (fatal error).
Possible Solutions:
Allow containers to have CAP_AUDIT_WRITE (the GitHub issue suggests this will be the default), but DockerHub doesn't let one grant this capability in their build system.
Disable Auditing Support in PAM. Someone has posted Docker images for CentOS 6.5 and Ubuntu 14.04 to rebuild PAM and disable auditing. For the basics of how to rebuild PAM, you can look at the relevant Dockerfiles for CentOS and Ubuntu.
Disable /usr/bin/chfn by linking it to /bin/true (ln -s -f /bin/true /usr/bin/chfn).
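A check for the cause described in the answer above, as an added example that is not part of the original posts: it reads the effective capability mask from a /proc status file and tests bit 29 (CAP_AUDIT_WRITE), so a build step can tell whether PAM's audit write is able to succeed. The function names and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# CAP_AUDIT_WRITE is capability number 29 in <linux/capability.h>.
CAP_AUDIT_WRITE_BIT=29

# Constructed sample masks (not taken from the page):
SAMPLE_WITH_AUDIT=00000000a80425fb     # bit 29 set
SAMPLE_WITHOUT_AUDIT=00000000880425fb  # same mask with bit 29 cleared

# Print the CapEff hex mask from a /proc/<pid>/status style file.
# With the default path this reads the mask of the awk child process,
# which inherits the capabilities of the calling shell.
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}" 2>/dev/null
}

# Return 0 if the given hex capability mask has CAP_AUDIT_WRITE set.
has_cap_audit_write() {
    [ $(( (0x$1 >> $CAP_AUDIT_WRITE_BIT) & 1 )) -eq 1 ]
}

# Print "present", "missing" or "unknown" for the given status file
# (default: the current process).
audit_write_status() {
    mask=$(cap_eff_mask "$1")
    if [ -z "$mask" ]; then
        echo unknown
    elif has_cap_audit_write "$mask"; then
        echo present
    else
        echo missing
    fi
}

# Report for the environment this script runs in, e.g. from a RUN step.
echo "CAP_AUDIT_WRITE: $(audit_write_status)"
```

A result of "missing" matches the failure mode in the answer: PAM finds the audit subsystem but cannot write to it, so chfn exits with an error.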