moby: docker build hangs/crashes when useradd with large UID
When I try to add a user during a “docker build .” the process hangs for approx 2-3 min and crashes with a
$ docker build .
Uploading context 5.12 kB
Uploading context
Step 0 : FROM ubuntu:14.04
---> 99ec81b80c55
Step 1 : RUN useradd -u 99900000 -g users mcieslik
---> Running in 3ba3c92673fd
2014/04/26 14:58:55 write /var/lib/docker/devicemapper/mnt/.../rootfs/var/log/lastlog: no space left on device
Dockerfile
FROM ubuntu:14.04
RUN useradd -u 99900000 -g users mcieslik
If I change the above to
FROM ubuntu:14.04
RUN useradd -u 1001 -g users mcieslik
or run
useradd -u 99900000 -g users mcieslik
in a
docker run -i -t ubuntu:14.04 /bin/bash
everything works fine
About this issue
- Original URL
- State: open
- Created 10 years ago
- Reactions: 26
- Comments: 35 (12 by maintainers)
Commits related to this issue
- Use --no-log-init when creating a user to avoid docker/docker#5419 — committed to zzak/mruby_hello_world_cli by zzak 9 years ago
- Merge pull request #2 from zzak/master Use --no-log-init when creating a user to avoid docker/docker#5419 — committed to hone/mruby_hello_world_cli by hone 9 years ago
- Pass -l to useradd to prevent "no space left on device" See https://github.com/docker/docker/issues/15585 See https://github.com/docker/docker/issues/5419 — committed to rcook/ibt by rcook 8 years ago
- [sonic-slave]: Fix issue "no space left on disk" while trying to add user in docker Note: related to https://github.com/docker/docker/issues/5419 Signed-off-by: Petro Karashchenko <petro.karashchenko... — committed to pkarashchenko/sonic-buildimage by deleted user 7 years ago
- [sonic-slave]: Fix issue "no space left on disk" while trying to add user in docker (#233) Note: related to https://github.com/docker/docker/issues/5419 Signed-off-by: Petro Karashchenko <petro.ka... — committed to sonic-net/sonic-buildimage by deleted user 7 years ago
- * added --force-badname for compatibility with local user naming policy * switched to useradd with -l as a workaround for https://github.com/docker/docker/issues/5419 — committed to mshcherbina-cb/x11docker by mshcherbina-cb 7 years ago
- workaround known log fault https://github.com/docker/docker/issues/5419 — committed to VirtualFlyBrain/AberOWL-VFB-Docker by Robbie1977 7 years ago
- Suggest passing --no-log-init to adduser (#3413) Running `useradd` without `--no-log-init` risks triggering a resource exhaustion issue: https://github.com/moby/moby/issues/15585 https://... — committed to docker/docs by memory 7 years ago
- Added -l parameter to useradd command to avoid MacOS docker issue The problem is that the docker.qcow2 file grows to max sparse volume size of 64GB and hangs pool_start.sh https://github.com/moby/mo... — committed to jljordan42/sovrin-environments by jljordan42 7 years ago
- Instead of using usermod, delete the users and create anew, so we can use --no-log-init option. Without this option, users with very large UID numbers were experiencing docker build hangs, and filling... — committed to provision-ops/provision by jonpugh 6 years ago
- Use useradd -l option for docker scripts This is a workaround for the Docker issue https://github.com/moby/moby/issues/5419 If you run the scripts with an very large uid the script hangs and it fill... — committed to eolivelli/bookkeeper by eolivelli 6 years ago
- Use useradd -l option for docker scripts This is a workaround for the Docker issue https://github.com/moby/moby/issues/5419 If you run the scripts with an very large uid the script hangs and it fill... — committed to apache/bookkeeper by eolivelli 6 years ago
- Use useradd -l option for docker scripts This is a workaround for the Docker issue https://github.com/moby/moby/issues/5419 If you run the scripts with an very large uid the script hangs and it fill... — committed to apache/bookkeeper by eolivelli 6 years ago
- Use useradd -l option for docker scripts This is a workaround for the Docker issue https://github.com/moby/moby/issues/5419 If you run the scripts with an very large uid the script hangs and it fill... — committed to apache/bookkeeper by eolivelli 6 years ago
- Fix for gvisor-builder image. As it happens gvisor/tools/bazel.mk:88 useradd --uid $(UID) --non-unique --no-create-home \ adds the user-id to /var/log/lastlog which happens to be a sparse file excep... — committed to google/gvisor by hbhasker 4 years ago
- Fix for gvisor-builder image. As it happens gvisor/tools/bazel.mk:88 useradd --uid $(UID) --non-unique --no-create-home \ adds the user-id to /var/log/lastlog which happens to be a sparse file excep... — committed to google/gvisor by hbhasker 4 years ago
- useradd -l https://github.com/moby/moby/issues/5419 — committed to FNNDSC/ChRIS_ultron_backEnd by jennydaman 3 years ago
- Support large arbitrary UID (#301) * useradd -l https://github.com/moby/moby/issues/5419 * Set arbitrary large UID in production Dockerfile — committed to FNNDSC/ChRIS_ultron_backEnd by jennydaman 3 years ago
- Add --no-log-init flag to docker sandbox. This adds the `--no-log-init` flag (`-l`) to the internal `useradd` command used to initial the docker sandbox environment. Without this flag, AD/LDAP/SS... — committed to psigen/bazel by psigen 3 years ago
- Add --no-log-init flag to docker sandbox. This adds the `--no-log-init` flag (`-l`) to the internal `useradd` command used to initial the docker sandbox environment. Without this flag, AD/LDAP/SSSD ... — committed to bazelbuild/bazel by psigen 3 years ago
As a work around can you try the
-lor--no-log-initin theDockerfileStill a problem! Can’t believe docker silently filled up my disk due to this. Visual Studio Code is recommending this pattern for having non-root users, so it’s important to get this fixed asap!
It gets worse - the disk space cannot be reclaimed unless docker is reinstalled. None of the
docker system pruneoptions work.Just came by to look for a solution for this issue, which is affecting me, too. To my disappointment I see now that this eight year old issue is still open and unresolved. Having read the comments and mentions, I assume that this issue is affecting a number of projects but appears to have no priority.
Besides recommending workarounds in Dockerfiles to everybody who is affected by this shortcoming, it seems to me that there is no activity related to a fix. Please note that these workarounds are sometimes not applicable. For instance does the
usermodcommand on the Linux distributions that I am familiar with (Debian up to v10, Gentoo) not have a--no-log-initoption.If there is no fix planned, what is then the anticipated way forward with this issue?
Thanks! This worked.
usermodcauses the same problem and it doesn’t have --no-log-initStorage Driver: aufsJust want to mention that a duplicated issue was opened then closed: https://github.com/moby/moby/issues/43133
As part of the up mentioned one, I’ve confirmed that - from software developer point of view - this issue can be used to DoS attack different environments - provided by different IaaS and/or PaaS - especially CICD ones and exactly, as a software developer I’m able to trigger a Jenkins build which builds such a Dockerfile file and as a result that Jenkins node becomes dead in few hours so IaaS and/or PaaS engineers are forced to reinstall OS on host which runs Jenkins node.
As a work around try for
usermodDockerfile
I also can confirm that @pnasrat’s workaround fixes this problem. I am now using:
instead of:
And the build succeeded.
My $HOST_USER_UID and $HOST_USER_GID contain 10 digit IDs
Unfortunately I can not help you with those as I have not used them inside docker yet. But if I find any issue/workaround I will post them here (until the problem is properly fixed).
Let’s get https://github.com/moby/moby/pull/35739 in first and see if we could use the new APIs in
archive/tar, such astar.DetectSparseHoles.So is this an issue with “docker commit” that it can’t handle sparse files and blots the file to the full size during commit. If yes, then I guess this is something which should be fixed in docker.
I created a 1G sparse file in a container (with overlay backend) and then did docker commit and top most layer size was 1G. So docker did inflate the file to 1G and that seems very inefficient.
The underlying issue is that a large sparse file is created (approximately 32 GB), but it’s not exactly a Docker bug. Docker could make an attempt to handle large sparse files better, but that’s a subject for the #docker-dev mailing list.
I’ll close this issue now. Please feel free to comment.