useradd and groupadd don't work in containers

[gdinnocenzo]

Dear all,
just as in subject: useradd and groupadd don't work in all the containers I tried so far (tested with Debian 8 and 9, Ubuntu 16.04 and 18.04, Fedora 25).
It looks like the commands are able to create their temporary files shadow+ and group+ but, for some reason, they cannot replace the originals with them.
Copying them over manually works and give me the user or group needed.

Any clue on why this is happening?

Thank you very much and thanks for this great software,

$ python2 udocker version
version: 1.1.1
tarball: https://owncloud.indigo-datacloud.eu/index.php/s/AFImjw8ii0X72xf/download https://cernbox.cern.ch/index.php/s/VC7GuVWA7mYRAiy/download http://repo.indigo-datacloud.eu/repository/indigo/2/centos7/x86_64/tgz/udocker-1.1.1.tar.gz
$ python2 udocker run deb9 bash
 
 ****************************************************************************** 
 *                                                                            * 
 *               STARTING cfe5bdd6-719f-3de8-ab75-d13cf0cc6579                * 
 *                                                                            * 
 ****************************************************************************** 
 executing: bash
root@boo:/# cat /etc/issue       
Debian GNU/Linux 9 \n \l

root@boo:/# useradd test
useradd: failure while writing changes to /etc/passwd
root@boo:/# groupadd test
groupadd: failure while writing changes to /etc/group
root@boo:/# diff /etc/passwd /etc/passwd+
20a21
> test:x:1000:1000::/home/test:

[jorge-lip]

udocker is a run-time to execute containers when docker is unavailable. Creation of containers including adding software and users should be done with other tools i.e. using docker (not udocker). There is some minimal support in udocker to do some of the sysadmin operations but this is really limited as in this case.

[nponeccop]

For me it appears that useradd works in Ubuntu. However, it's of little use as the host filesystem always has the user which ran the container as the owner of all the files in the container folder. So basically useradd -m foo works, but ls -l /home shows that /home/foo belongs to root. Now it's possible to do su - foo in the container, but under foo ls / magically shows that /bin belongs to foo now.

I think these are fundamental limitations of the rootless approach, and we need a chroot-based engine which will require root but won't require the namespaces and other kernel features we don't have in CentOS 6.

[gdinnocenzo]

The main problem with "useradd" is not so much with adding actual users, but with some packages that deploy their own service users during install/config and throw out errors when they try to do so, stopping the install process.

[jorge-lip]

In release 1.1.4 with can run with: run --containerauth. This should facilitate user and group add during package installation. Also changes made to passwd and group become permanent.

[gdinnocenzo]

In release 1.1.4 with can run with: run --containerauth. This should facilitate user and group add during package installation. Also changes made to passwd and group become permanent.

Tested and working. Thanks, that solves the main problem we had with udocker! Much appreciated!!

[jorge-lip]

For further information on installing software with udocker see the users manual section 7.6.
Thanks for the feedback, closing this issue.