Bugzilla – Bug 1182655
OS fails to identify executables
Last modified: 2021-02-26 08:07:43 UTC
I am unable to build a Tumbleweed image with our internal GitLab toolchain (https://gitlab.isc.org/isc-projects/images/-/jobs/1521735) as the installation of the "system-user-nobody" package fails with:

Installation of system-user-nobody-20170617-20.2.noarch failed:
Error: Subprocess failed. Error: RPM failed: ERROR: neither groupadd nor busybox found!
error: %prein(system-user-nobody-20170617-20.2.noarch) scriptlet failed, exit status 1
error: system-user-nobody-20170617-20.2.noarch: install failed

The host is Debian 10 with docker from docker.com. But I see the same with Fedora 33 with moby-engine-19.03.13-1.ce.git4484c46.fc33.x86_64.

The "neither groupadd nor busybox" error comes from /usr/sbin/sysusers2shadow (the sysuser-shadow package) which fails to identify /usr/sbin/groupadd as executable:

if ! /usr/bin/getent group "$1" >> /dev/null; then
    if [ -x "/usr/sbin/groupadd" ]; then
        run /usr/sbin/groupadd -r $ARGUMENTS
    elif [ -x "$busybox" ]; then
        run $busybox addgroup -S $ARGUMENTS
    else
        echo "ERROR: neither groupadd nor busybox found!"
        exit 1
    fi
fi

Which is weird as the "shadow" package is installed, I can even execute "/usr/sbin/groupadd --help" in my Dockerfile and "ls" reveals that /usr/sbin/groupadd has exec bits set.

Running strace on sysusers2shadow I see:

faccessat2(AT_FDCWD, "/usr/sbin/groupadd", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)

Other instances of this problem I found on the internet:

https://forums.opensuse.org/showthread.php/550195-Install-git-in-docker

https://github.com/profanity-im/profanity/commit/5c5c45321976c9a859694afa781178c68d076ee2

Can it be a seccomp issue?

This problem *does not* reproduce when I create the container with "--privileged":

$ docker create -it --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --privileged opensuse/tumbleweed:latest /bin/bash
$ docker start -ai efd11bcd9b1f748c37b5764c2319c6b53bd56a597644629d3023cc0e3f811a24
(13/13) Installing: system-user-nobody-20170617-20.2.noarch ...........[done]
Additional rpm output:
/usr/sbin/groupadd -r -g 65533 nogroup
/usr/sbin/groupadd -r -g 65534 nobody
/usr/sbin/useradd -r -s /sbin/nologin -c nobody -d /var/lib/nobody -g nobody -u 65534 nobody

---

General reproducer (also see the non-fatal error "ERROR: fillup not found"):

$ docker run --rm opensuse/tumbleweed zypper -n install system-user-nobody
Retrieving repository 'openSUSE-Tumbleweed-Non-Oss' metadata [..done]
Building repository 'openSUSE-Tumbleweed-Non-Oss' cache [....done]
Retrieving repository 'openSUSE-Tumbleweed-Oss' metadata [......done]
Building repository 'openSUSE-Tumbleweed-Oss' cache [....done]
Retrieving repository 'openSUSE-Tumbleweed-Update' metadata [..done]
Building repository 'openSUSE-Tumbleweed-Update' cache [....done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 13 NEW packages are going to be installed:
  chkstat libaudit1 libcrypt1 libeconf0 libsemanage1 libsepol1 pam pam_unix permissions permissions-config shadow system-user-nobody sysuser-shadow

13 new packages to install.
Overall download size: 2.3 MiB. Already cached: 0 B. After the operation, additional 7.2 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package chkstat-1550_20210125-27.2.x86_64 (1/13), 413.4 KiB ( 1.2 MiB unpacked)
Retrieving: chkstat-1550_20210125-27.2.x86_64.rpm [done]
Retrieving package libaudit1-2.8.5-5.2.x86_64 (2/13), 92.0 KiB (110.7 KiB unpacked)
Retrieving: libaudit1-2.8.5-5.2.x86_64.rpm [done]
Retrieving package libcrypt1-4.4.17-1.2.x86_64 (3/13), 113.6 KiB (259.8 KiB unpacked)
Retrieving: libcrypt1-4.4.17-1.2.x86_64.rpm [.done (3.8 KiB/s)]
Retrieving package libeconf0-0.3.8+git20200710.5126fff-2.2.x86_64 (4/13), 29.0 KiB ( 31.5 KiB unpacked)
Retrieving: libeconf0-0.3.8+git20200710.5126fff-2.2.x86_64.rpm [done]
Retrieving package libsepol1-3.1-2.2.x86_64 (5/13), 280.1 KiB (705.2 KiB unpacked)
Retrieving: libsepol1-3.1-2.2.x86_64.rpm [done]
Retrieving package permissions-config-1550_20210125-27.2.x86_64 (6/13), 59.2 KiB ( 46.4 KiB unpacked)
Retrieving: permissions-config-1550_20210125-27.2.x86_64.rpm [done]
Retrieving package libsemanage1-3.1-1.2.x86_64 (7/13), 111.5 KiB (269.6 KiB unpacked)
Retrieving: libsemanage1-3.1-1.2.x86_64.rpm [done]
Retrieving package permissions-20210125.1550-27.2.x86_64 (8/13), 23.4 KiB ( 0 B unpacked)
Retrieving: permissions-20210125.1550-27.2.x86_64.rpm [.done]
Retrieving package pam_unix-1.5.1-3.1.x86_64 (9/13), 67.2 KiB ( 54.8 KiB unpacked)
Retrieving: pam_unix-1.5.1-3.1.x86_64.rpm [done]
Retrieving package pam-1.5.1-3.1.x86_64 (10/13), 429.6 KiB ( 1.6 MiB unpacked)
Retrieving: pam-1.5.1-3.1.x86_64.rpm [done]
Retrieving package shadow-4.8.1-5.2.x86_64 (11/13), 664.3 KiB ( 3.0 MiB unpacked)
Retrieving: shadow-4.8.1-5.2.x86_64.rpm [done]
Retrieving package sysuser-shadow-3.0-10.1.noarch (12/13), 12.0 KiB ( 2.3 KiB unpacked)
Retrieving: sysuser-shadow-3.0-10.1.noarch.rpm [done]
Retrieving package system-user-nobody-20170617-20.2.noarch (13/13), 12.4 KiB ( 99 B unpacked)
Retrieving: system-user-nobody-20170617-20.2.noarch.rpm [.done]

Checking for file conflicts: [.........done]
( 1/13) Installing: chkstat-1550_20210125-27.2.x86_64 [...........done]
( 2/13) Installing: libaudit1-2.8.5-5.2.x86_64 [.......done]
( 3/13) Installing: libcrypt1-4.4.17-1.2.x86_64 [...........done]
( 4/13) Installing: libeconf0-0.3.8+git20200710.5126fff-2.2.x86_64 [....done]
( 5/13) Installing: libsepol1-3.1-2.2.x86_64 [...........done]
( 6/13) Installing: permissions-config-1550_20210125-27.2.x86_64 [.......done]
Additional rpm output:
ERROR: fillup not found. This should not happen. Please compare /etc/sysconfig/security and /sysconfig.security and update by hand.
error opening /etc/sysconfig/security: No such file or directory

( 7/13) Installing: libsemanage1-3.1-1.2.x86_64 [...........done]
( 8/13) Installing: permissions-20210125.1550-27.2.x86_64 [...done]
( 9/13) Installing: pam_unix-1.5.1-3.1.x86_64 [......done]
(10/13) Installing: pam-1.5.1-3.1.x86_64 [............done]
(11/13) Installing: shadow-4.8.1-5.2.x86_64 [............done]
(12/13) Installing: sysuser-shadow-3.0-10.1.noarch [....done]
(13/13) Installing: system-user-nobody-20170617-20.2.noarch [..error]
Abort, retry, ignore? [a/r/i] (a): a
Installation of system-user-nobody-20170617-20.2.noarch failed:
Error: Subprocess failed. Error: RPM failed: ERROR: neither groupadd nor busybox found!
error: %prein(system-user-nobody-20170617-20.2.noarch) scriptlet failed, exit status 1
error: system-user-nobody-20170617-20.2.noarch: install failed

Warning: %posttrans scripts skipped while aborting:
    pam-1.5.1-3.1.x86_64.rpm
    shadow-4.8.1-5.2.x86_64.rpm

Problem occurred during or after installation or removal of packages:
Installation has been aborted as directed.
Please see the above error message for a hint.

(In reply to Michal Nowak from comment #0)
> Running strace on sysusers2shadow I see:
>
> faccessat2(AT_FDCWD, "/usr/sbin/groupadd", X_OK, AT_EACCESS) = -1 EPERM
> (Operation not permitted)
>
> Other instances of this problem I found on the internet:
>
> https://forums.opensuse.org/showthread.php/550195-Install-git-in-docker
>
> https://github.com/profanity-im/profanity/commit/
> 5c5c45321976c9a859694afa781178c68d076ee2
>
> Can it be a seccomp issue?

Yep! Another workaround is --security-opt seccomp:unconfined.

*** This bug has been marked as a duplicate of bug 1182451 ***
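
The failure discussed in this report, as an added diagnostic example that is not part of the bug report or of any openSUSE package: a small C probe that issues faccessat2 directly and separates an EPERM denial of the syscall itself (the strace result above) from a kernel without the call (ENOSYS) and from a genuine "not executable" answer. The verdict names, the classify/probe helpers and the fallback syscall number are assumptions of this example.

```c
/* Added example: probe how faccessat2(2) behaves inside a container. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* assumption: x86_64 / generic syscall table */
#endif
#ifndef AT_EACCESS
#define AT_EACCESS 0x200
#endif

/* Hypothetical verdict names used only by this example. */
enum verdict { V_OK, V_FILTERED, V_NO_SYSCALL, V_NOT_EXECUTABLE, V_OTHER };

/* Interpret a raw faccessat2(X_OK) result. legacy_ok is 1 when the older
 * faccessat syscall accepted the same path. */
enum verdict classify(long ret, int err, int legacy_ok)
{
    if (ret == 0)
        return V_OK;
    if (err == ENOSYS)             /* kernel lacks the call; libc can fall back */
        return V_NO_SYSCALL;
    if (err == EPERM && legacy_ok) /* file is fine, the syscall itself was denied */
        return V_FILTERED;
    if (err == EACCES || err == ENOENT)
        return V_NOT_EXECUTABLE;
    return V_OTHER;
}

enum verdict probe(const char *path)
{
    /* Raw syscalls, so libc cannot route one call through the other. */
    int legacy_ok = syscall(SYS_faccessat, AT_FDCWD, path, X_OK) == 0;
    errno = 0;
    long ret = syscall(SYS_faccessat2, AT_FDCWD, path, X_OK, AT_EACCESS);
    return classify(ret, errno, legacy_ok);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "filtered (EPERM from sandbox)",
        "no faccessat2 in kernel", "not executable", "other error" };
    const char *path = argc > 1 ? argv[1] : "/usr/sbin/groupadd";
    printf("%s: %s\n", path, names[probe(path)]);
    return 0;
}
```

Built and run inside the affected container, a "filtered" verdict for /usr/sbin/groupadd matches the strace line in comment #0; the legacy faccessat check uses the real rather than the effective UID, which is equivalent when running as root in the container.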