 

"chfn: PAM: System Error" Intermittently in Docker Hub Builds

Tags: github, docker

Occasionally automated builds on the Docker Hub fail with PAM system errors like the following, which are from two separate builds:

    Preparing to unpack .../mysql-server-5.5_5.5.38-0ubuntu0.14.04.1_amd64.deb ...
    chfn: PAM: System error
    adduser: '/usr/bin/chfn -f MySQL Server mysql' returned error code 1. Exiting.
    dpkg: error processing archive /var/cache/apt/archives/mysql-server-5.5_5.5.38-0ubuntu0.14.04.1_amd64.deb (--unpack):
     subprocess new pre-installation script returned error exit status 1

    Preparing to unpack .../redis-server_2%3a2.8.4-2_amd64.deb ...
    chfn: PAM: System error
    adduser: '/usr/bin/chfn -f redis server redis' returned error code 1. Exiting.
    dpkg: error processing archive /var/cache/apt/archives/redis-server_2%3a2.8.4-2_amd64.deb (--unpack):
     subprocess new pre-installation script returned error exit status 1

Interestingly, this failure only happens intermittently and with identical Dockerfiles. Is there any way around this?

HTOK asked Aug 07 '14 22:08


2 Answers

There is a workaround! It's a simple fix and doesn't appear to have any negative repercussions. Add the following symlink to the top of your Dockerfile:

    RUN ln -s -f /bin/true /usr/bin/chfn

Subsequent builds should succeed.

HTOK answered Dec 05 '22 21:12


This is the result of some recent kernel updates (see GitHub Issue #6345).

The kernel was recently updated to allow containers to send audit events, but they need CAP_AUDIT_WRITE to be able to write an audit event. (git-bisect was used to track this bug down.)

Before, PAM detected the auditing was unavailable/disabled (non-fatal error). Now that it's available, PAM detects the auditing system and tries to use it, but fails writing the audit event (fatal error).

Possible Solutions:

  1. Allow containers to have CAP_AUDIT_WRITE (the GitHub issue suggests this will be the default), but DockerHub doesn't let one grant this capability in their build system.

  2. Disable Auditing Support in PAM. Someone has posted Docker images for CentOS 6.5 and Ubuntu 14.04 to rebuild PAM and disable auditing. For the basics of how to rebuild PAM, you can look at the relevant Dockerfiles for CentOS and Ubuntu.

  3. Disable /usr/bin/chfn by linking it to /bin/true (ln -s -f /bin/true /usr/bin/chfn)

Reece45 answered Dec 05 '22 21:12
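
To confirm the diagnosis in the second answer before choosing a workaround, the capability masks in `/proc/<pid>/status` can be tested for CAP_AUDIT_WRITE (bit 29 in `<linux/capability.h>`). This is an added example, not part of either answer; the function names and the `write_sample` helper with its constructed status excerpt are hypothetical.

```shell
#!/bin/sh
# Added example: test a /proc/<pid>/status file for CAP_AUDIT_WRITE,
# the capability PAM needs in order to write an audit event.
CAP_AUDIT_WRITE=29    # bit number defined in <linux/capability.h>

# cap_mask FIELD FILE: print FIELD's hex mask (CapEff, CapBnd, ...).
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2; found = 1 } END { exit !found }' "$2"
}

# has_audit_write FIELD FILE: 0 = bit set, 1 = bit clear, 2 = unreadable.
has_audit_write() {
    mask=$(cap_mask "$1" "$2" 2>/dev/null) || return 2
    case $mask in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$mask >> CAP_AUDIT_WRITE) & 1 )) -eq 1 ]
}

# verdict FILE: one-word summary for the process described by FILE.
verdict() {
    rc=0; has_audit_write CapEff "$1" || rc=$?
    if [ "$rc" -eq 0 ]; then echo "present"
    elif [ "$rc" -eq 2 ]; then echo "unknown"
    elif has_audit_write CapBnd "$1"; then echo "absent-from-effective"
    else echo "absent-from-bounding"
    fi
}

# write_sample FILE CAPEFF CAPBND: constructed status excerpt for testing.
write_sample() {
    printf 'Name:\tchfn\nCapEff:\t%s\nCapBnd:\t%s\n' "$2" "$3" > "$1"
}

# With no argument, report on the capabilities this shell's children inherit.
verdict "${1:-/proc/self/status}"
```

Run from a `RUN` step in the failing build, `absent-from-bounding` means no process in that container can gain CAP_AUDIT_WRITE; `absent-from-effective` means the calling process lacks it even though the container's bounding set still allows it.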