Can't sudo in a container #126

Closed
yakbulut opened this issue Jul 14, 2015 · 8 comments
@yakbulut

Hi all,

I am trying to run a service, i.e. mysql, inside a container. I gathered the ubuntu rootfs from docker pull ubuntu:latest.

Although whoami returns root, sudo command fails with sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted

As a result, I can't apt-get install or do any other sudo tasks.
How can I get around this issue?

Thanks in advance,

@jessfraz
Contributor

sudo is not installed in the container, you do not need to use it to apt-get something


@wking
Contributor

wking commented Jul 14, 2015

On Tue, Jul 14, 2015 at 04:38:49PM -0700, Jessie Frazelle wrote:

> sudo is not installed in the container…

I don't think that's the problem (if it was, @yakbulut would be
getting something like “sudo: command not found”).

> Although whoami returns root, sudo command fails with sudo:
> PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted

PERM_SUDOERS seems to be a SELinux permission 1. I'm not sure how
that relates to linux.capabilities in the runc config, but you might
want to poke around there.

@wking
Contributor

wking commented Jul 14, 2015

On Tue, Jul 14, 2015 at 04:38:49PM -0700, Jessie Frazelle wrote:

> you do not need to use it to apt-get something

^ this part I agree with ;).

@jessfraz
Contributor

I know for a fact in that rootfs it is not installed


@jessfraz
Contributor

jk it's not debian, I take that back


@yakbulut
Author

My first impression was that it was related to sudo. If I try apt-get install mysql-server the following error occurs:

```
useradd: failure while writing changes to /etc/shadow
adduser: `/usr/sbin/useradd -d /nonexistent -g mysql -s /bin/false -u 102 mysql' returned error code 1. Exiting.
dpkg: error processing archive /var/cache/apt/archives/mysql-server-5.5_5.5.35+dfsg-1ubuntu1_amd64.deb (--unpack):
subprocess new pre-installation script returned error exit status 1
Errors were encountered while processing:
/var/cache/apt/archives/mysql-server-5.5_5.5.35+dfsg-1ubuntu1_amd64.deb
W: chown to root:adm of file /var/log/apt/term.log failed - OpenLog (1: Operation not permitted)
E: Sub-process /usr/bin/dpkg returned an error code (1)
```

Here are the Linux capabilities. Am I missing something here?

```
"AUDIT_WRITE",
"KILL",
"NET_BIND_SERVICE",
"NET_RAW"
```

@wking
Contributor

wking commented Jul 15, 2015

On Tue, Jul 14, 2015 at 05:04:17PM -0700, yakbulut wrote:

> adduser:`/usr/sbin/useradd -d /nonexistent -g mysql -s /bin/false -u 102 mysql' returned error code 1. Exiting.

Have you mounted your /etc/shadow read-only? Maybe stracing that
useradd command will turn up something useful. From useradd(8):

> EXIT VALUES
>
> 1
> can't update password file

so I suspect a mount-access or permissions issue.

@yakbulut
Author

Hi all,

Thanks for all the tips. It turns out that I had to include a bunch of Linux capabilities.
You certainly do not need to sudo to run root commands.
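
Added example, not part of the thread and not runc's own code: it decodes a `CapEff` mask from `/proc/<pid>/status` and reports which of the calls that failed above (`setresuid` in sudo, `chown` in apt) a uid-0 process would be refused. The function names are hypothetical, and the sample status text is constructed on the assumption that the four capabilities posted in the thread were the whole set.

```python
import re

# Capability bit numbers from <linux/capability.h> (subset of bits 0-31).
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3,
    "FSETID": 4, "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8,
    "NET_BIND_SERVICE": 10, "NET_RAW": 13, "SYS_CHROOT": 18,
    "MKNOD": 27, "AUDIT_WRITE": 29, "SETFCAP": 31,
}

# Capability each call needs when it targets a uid/gid/owner other than
# the caller's own; without it the kernel returns EPERM even for uid 0.
REQUIRED = {"setresuid": "SETUID", "setresgid": "SETGID", "chown": "CHOWN"}

def mask_from_names(names):
    """Build a CapEff-style bitmask from capability names (CAP_ optional)."""
    mask = 0
    for name in names:
        name = name[4:] if name.startswith("CAP_") else name
        mask |= 1 << CAP_BITS[name]
    return mask

def caps_from_status(status_text):
    """Decode the CapEff line of /proc/<pid>/status into known names."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    return {n for n, bit in CAP_BITS.items() if (mask >> bit) & 1}

def blocked_calls(caps):
    """Return the calls in REQUIRED that this capability set cannot make."""
    return sorted(c for c, need in REQUIRED.items() if need not in caps)

# Constructed sample: a uid-0 process holding only the capabilities
# posted in the thread (assumed here to be the complete list).
THREAD_CAPS = ["AUDIT_WRITE", "KILL", "NET_BIND_SERVICE", "NET_RAW"]
SAMPLE_STATUS = "Uid:\t0\t0\t0\t0\nCapEff:\t%016x\n" % mask_from_names(THREAD_CAPS)

if __name__ == "__main__":
    caps = caps_from_status(SAMPLE_STATUS)
    print("effective:", sorted(caps))
    print("EPERM expected for:", blocked_calls(caps))
    # Inside a real container, decode the live set instead:
    # caps_from_status(open("/proc/self/status").read())
```

The capability names use the same spelling as the list posted above, so the output can be compared directly with the `linux.capabilities` entries in the runc config.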
