Can not add new user in docker container with mounted /etc/passwd and /etc/shadow #16857

Closed
ntrifunovic opened this issue Oct 8, 2015 · 5 comments

@ntrifunovic

Example of the problem

docker run -ti -v my_passwd:/etc/passwd -v my_shadow:/etc/shadow --rm centos
[root@681a5489f3b0 /]# useradd test # does not work !?
useradd: failure while writing changes to /etc/passwd
[root@681a5489f3b0 /]# ll /etc/passwd /etc/shadow # permission check
-rw-r--r-- 1 root root 157 Oct  8 10:17 /etc/passwd
-rw-r----- 1 root root 100 Oct  7 18:02 /etc/shadow

A similar problem arises when using passwd:

[root@681a5489f3b0 /]# passwd test
Changing password for user test.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: Authentication token manipulation error

I have tried using the ubuntu image, but the same problem arises.

I can manually edit the passwd file and the shadow file from within the container.

BUG REPORT INFORMATION

I am getting the same problem on the following two bare-metal machines:

Host OS: CentOS 7 - SELinux Disabled
Docker Version: 1.8.2, build 0a8c2e3

$ docker version
Client:
 Version:      1.8.2
 API version:  1.20
 Go version:   go1.4.2
 Git commit:   0a8c2e3
 Built:        Thu Sep 10 19:08:45 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.8.2
 API version:  1.20
 Go version:   go1.4.2
 Git commit:   0a8c2e3
 Built:        Thu Sep 10 19:08:45 UTC 2015
 OS/Arch:      linux/amd64
$ docker info
Containers: 29
Images: 1199
Storage Driver: devicemapper
 Pool Name: docker-253:2-1255606936-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 71.59 GB
 Data Space Total: 107.4 GB
 Data Space Available: 35.78 GB
 Metadata Space Used: 77.43 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.07 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.93-RHEL7 (2015-01-28)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.10.0-123.20.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
CPUs: 4
Total Memory: 14.47 GiB
Name: avala
ID: YCVL:R7K4:MFGG:ZHGX:YSIG:AQIM:MVKI:V7LZ:OWUC:YDAP:CPZZ:FANO
$ uname -a
Linux avala 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Host OS: CoreOS 766.4.0
Docker version: 1.7.1, build df2f73d-dirty

$ docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): df2f73d-dirty
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): df2f73d-dirty
OS/Arch (server): linux/amd64
$ docker info
Containers: 40
Images: 389
Storage Driver: overlay
 Backing Filesystem: extfs
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.1.7-coreos
Operating System: CoreOS 766.4.0
CPUs: 8
Total Memory: 31.37 GiB
Name: tihi01
ID: H6LD:A7DD:ESM6:QG7V:NES5:LEEU:JFR3:I6MP:22MC:LCRD:FCPB:Y3KG
$ uname -a
Linux tihi01 4.1.7-coreos #2 SMP Wed Sep 16 22:54:37 UTC 2015 x86_64 Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz GenuineIntel GNU/Linux
@cpuguy83
Member

cpuguy83 commented Oct 8, 2015

You cannot use -v with a relative path name as there is nothing to be relative to since this is done by the daemon.
This is creating a named volume, which would go into /var/lib/docker/volumes/my_passwd, and would be a dir.
I'm surprised the container even started since it would be trying to mount a dir onto a file.

@ntrifunovic
Author

Mounting files with docker works fine for me.

The -v flag can also be used to mount a single file - instead of just directories - from the host machine.

Source: https://docs.docker.com/userguide/dockervolumes/

In fact the problem is related to the mounting of files, see: http://stackoverflow.com/a/33022690/4004007

@cpuguy83
Member

cpuguy83 commented Oct 9, 2015

@ntrifunovic Yes, my point is -v foo:/bar will not mount a file, it will create a named volume since relative paths are not supported for the source.

@thaJeztah
Member

@ntrifunovic is this still an issue for you, or have you been able to resolve this?

@ntrifunovic
Author

Yes, I will close this issue now.
The issue is not related to Docker, but to how the passwd command works.

Maybe adding a more detailed explanation about mounting files in the documentation would be a good idea. (Example: if the mounted file is overridden with another file, the file would not be changed)
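
The behaviour described in the closing comment (a mounted file that is replaced by another file does not change), as an added example that is not part of the original thread: it compares an in-place append with a write-new-file-then-rename update and reports what is still visible through the original inode. Assumptions: an open file descriptor stands in for the bind mount, since both stay attached to the original inode rather than to the path, and the passwd entries are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the issue thread). File descriptor 3 plays the role
# of the bind mount: it keeps referring to the original inode, not to the path.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# Usage: update_and_observe inplace|rename
# Prints "<same|changed> <line count seen through the original inode>".
update_and_observe() {
    dir=$(mktemp -d) || return 1
    f="$dir/passwd"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$f"      # constructed entry
    before=$(inode_of "$f")
    exec 3< "$f"                                          # pin the original inode
    case "$1" in
        inplace)
            # Editor-style update: same inode, content changes underneath.
            printf 'test:x:1000:1000::/home/test:/bin/sh\n' >> "$f" ;;
        rename)
            # Replace-by-rename update: build a new file, then move it
            # over the old path, which now points at a different inode.
            cp "$f" "$f+"
            printf 'test:x:1000:1000::/home/test:/bin/sh\n' >> "$f+"
            mv "$f+" "$f" ;;
    esac
    after=$(inode_of "$f")
    seen=$(grep -c '' <&3)      # lines visible through the pinned inode
    exec 3<&-
    rm -rf "$dir"
    [ "$before" = "$after" ] && same=same || same=changed
    echo "$same $seen"
}

echo "in-place append:   $(update_and_observe inplace)"
echo "rename-style swap: $(update_and_observe rename)"
```

With a real single-file bind mount the rename step cannot even complete, because the kernel refuses to rename over a mount point (EBUSY), which is consistent with manual edits working while useradd and passwd fail.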
