Docker containers can conflict with users on host system in Linux 3.15

[AkeemMcLennon]

Creating a new user in a docker container via the adduser command will cause an error if the user already exists on the host system and the command is used with the --gecos flag to supply finger information. This command is commonly run by package managers to create non-privileged users for daemons (e.g. mysql, postgresql).

Expected result:
A new user is created in docker container regardless of whether or not it already exists in the host system.

Actual Result:
Creating a new user fails with the error

chfn: PAM: System error
adduser: `/usr/bin/chfn -f PostgreSQL administrator postgres' returned error code 1. Exiting.

Steps to Reproduce:

1. Install the Linux 3.15 kernel on the host machine
2. Run the following command, replacing "postgres" with any user that exists on the host machine

docker run -i -t ubuntu adduser --system --quiet --home /var/lib/postgresql --no-create-home \
            --shell /bin/bash --group --gecos "PostgreSQL administrator" postgres

[tiagoantao]

As I started this discussion on the mailing list, I would like to add a few points: I thought this was kernel independent, but @BlueLaguna seems to be correct: this is probably 3.15 related. The reason I thought I got this on 3.13 was because we were in the midst of changing kernels. I now cannot replicate this on 3.13.

In my case the behaviour changed if mysql-server was installed or not in the HOST machine. MySQL server Not installed: no PAM problems. Installed: did not work

It seemed a PAM issue (which chfn complaining).

[LK4D4]

I'm actually can't add any user, not only existing on host machine. I'll retry with 3.14 soon.

[tianon]

This is definitely an odd one. Does it do the same thing when you use useradd instead of the adduser wrapper?

[LK4D4]

@tianon No, useradd works fine

[AkeemMcLennon]

I've been looking through the Kernel changelogs and perhaps this commit might be relevant:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=543bc6a1a987672b79d6ebe8e2ab10471d8f1047

[LK4D4]

Seems strange, it works for me on my work machine with 3.15.0-gentoo-r1
Ah, it doesn't now. Have no idea what changed.

[LK4D4]

Same on 3.15.1

[LK4D4]

Confirm, that all works fine with 3.14.8

[unclejack]

I've tried to revert this patch https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=543bc6a1a987672b79d6ebe8e2ab10471d8f1047 and it didn't fix the problem.

If you want to try to revert the patch, you'll have to revert it by hand because the code has been changed since this patch was merged and it won't get reverted cleanly.

[LK4D4]

There three commits about audit as I see here
Also maybe makes sense to do strace on chfn as @vmarmol suggested to see what syscall spawning an error. I'll look at it at weekend if I have time.

[LK4D4]

Also, to be sure, what graph driver are you guys using? Mine is btrfs.

[frank-dspeed]

Hello till this is fixed simply use a bash alias to re route the adduser command like this
-RUN DEBIAN_FRONTEND=noninteractive apt-get -y install mysql-server pwgen

+RUN alias adduser='useradd' && DEBIAN_FRONTEND=noninteractive apt-get -y install mysql-server pwgen