PAM error inside buildx
Contributing guidelines
- [x] I've read the contributing guidelines and wholeheartedly agree
I've found a bug, and:
- [x] The documentation does not mention anything about my problem
- [x] There are no open or closed issues that are related to my problem
Description
Imagine a simple container like:
```dockerfile
FROM registry.fedoraproject.org/fedora:latest
RUN useradd -m -G wheel -u 1001 user
RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user
USER user
WORKDIR /home/user
RUN sudo whoami
```
This will fail with a PAM error.
Expected behaviour
sudo executes successfully in the container.
Actual behaviour
```
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
```
Repository URL
https://github.com/junghans/test-actions/tree/PAM_error
Workflow run URL
https://github.com/junghans/test-actions/actions/runs/12834771076
YAML workflow
```yaml
name: CI
on:
  push:
    branches:
      - master
      - PAM_error
  pull_request:
    branches:
      - master
concurrency:
  group: ${{ github.event_name }}-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  CI:
    runs-on: ubuntu-latest
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build and Push Docker images for all Container Registries
        uses: docker/build-push-action@v6
        with:
          file: Dockerfile
          pull: true
          push: false
```
Workflow logs
Full log
2025-01-17T18:29:17.6827427Z Current runner version: '2.321.0'
2025-01-17T18:29:17.6853609Z ##[group]Operating System
2025-01-17T18:29:17.6854514Z Ubuntu
2025-01-17T18:29:17.6855046Z 24.04.1
2025-01-17T18:29:17.6855496Z LTS
2025-01-17T18:29:17.6856044Z ##[endgroup]
2025-01-17T18:29:17.6856526Z ##[group]Runner Image
2025-01-17T18:29:17.6857094Z Image: ubuntu-24.04
2025-01-17T18:29:17.6857721Z Version: 20250105.1.0
2025-01-17T18:29:17.6858761Z Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250105.1/images/ubuntu/Ubuntu2404-Readme.md
2025-01-17T18:29:17.6860073Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250105.1
2025-01-17T18:29:17.6861033Z ##[endgroup]
2025-01-17T18:29:17.6861561Z ##[group]Runner Image Provisioner
2025-01-17T18:29:17.6862093Z 2.0.417.1
2025-01-17T18:29:17.6862636Z ##[endgroup]
2025-01-17T18:29:17.6865193Z ##[group]GITHUB_TOKEN Permissions
2025-01-17T18:29:17.6867251Z Actions: write
2025-01-17T18:29:17.6868033Z Attestations: write
2025-01-17T18:29:17.6868693Z Checks: write
2025-01-17T18:29:17.6869206Z Contents: write
2025-01-17T18:29:17.6869660Z Deployments: write
2025-01-17T18:29:17.6870259Z Discussions: write
2025-01-17T18:29:17.6870755Z Issues: write
2025-01-17T18:29:17.6871187Z Metadata: read
2025-01-17T18:29:17.6871760Z Packages: write
2025-01-17T18:29:17.6872263Z Pages: write
2025-01-17T18:29:17.6872703Z PullRequests: write
2025-01-17T18:29:17.6873905Z RepositoryProjects: write
2025-01-17T18:29:17.6874502Z SecurityEvents: write
2025-01-17T18:29:17.6874971Z Statuses: write
2025-01-17T18:29:17.6875562Z ##[endgroup]
2025-01-17T18:29:17.6878592Z Secret source: Actions
2025-01-17T18:29:17.6879262Z Prepare workflow directory
2025-01-17T18:29:17.7196652Z Prepare all required actions
2025-01-17T18:29:17.7233963Z Getting action download info
2025-01-17T18:29:17.9507744Z Download action repository 'docker/setup-buildx-action@v3' (SHA:6524bf65af31da8d45b59e8c27de4bd072b392f5)
2025-01-17T18:29:18.6524205Z Download action repository 'actions/checkout@v4' (SHA:11bd71901bbe5b1630ceea73d27597364c9af683)
2025-01-17T18:29:18.6888986Z Download action repository 'docker/build-push-action@v6' (SHA:67a2d409c0a876cbe6b11854e3e25193efe4e62d)
2025-01-17T18:29:19.3939832Z Complete job name: CI
2025-01-17T18:29:19.4697209Z ##[group]Run docker/setup-buildx-action@v3
2025-01-17T18:29:19.4698686Z with:
2025-01-17T18:29:19.4699462Z driver: docker-container
2025-01-17T18:29:19.4700372Z install: false
2025-01-17T18:29:19.4701164Z use: true
2025-01-17T18:29:19.4701973Z cache-binary: true
2025-01-17T18:29:19.4702810Z cleanup: true
2025-01-17T18:29:19.4704305Z ##[endgroup]
2025-01-17T18:29:19.7961474Z ##[group]Docker info
2025-01-17T18:29:19.7967267Z [command]/usr/bin/docker version
2025-01-17T18:29:19.8654982Z Client: Docker Engine - Community
2025-01-17T18:29:19.8657037Z Version: 26.1.3
2025-01-17T18:29:19.8665076Z API version: 1.45
2025-01-17T18:29:19.8666686Z Go version: go1.21.10
2025-01-17T18:29:19.8668214Z Git commit: b72abbb
2025-01-17T18:29:19.8669762Z Built: Thu May 16 08:33:35 2024
2025-01-17T18:29:19.8671464Z OS/Arch: linux/amd64
2025-01-17T18:29:19.8672547Z Context: default
2025-01-17T18:29:19.8673108Z
2025-01-17T18:29:19.8673822Z Server: Docker Engine - Community
2025-01-17T18:29:19.8674834Z Engine:
2025-01-17T18:29:19.8675548Z Version: 26.1.3
2025-01-17T18:29:19.8676487Z API version: 1.45 (minimum version 1.24)
2025-01-17T18:29:19.8677566Z Go version: go1.21.10
2025-01-17T18:29:19.8678459Z Git commit: 8e96db1
2025-01-17T18:29:19.8679393Z Built: Thu May 16 08:33:35 2024
2025-01-17T18:29:19.8680397Z OS/Arch: linux/amd64
2025-01-17T18:29:19.8681331Z Experimental: false
2025-01-17T18:29:19.8682196Z containerd:
2025-01-17T18:29:19.8682940Z Version: 1.7.24
2025-01-17T18:29:19.8684603Z GitCommit: 88bf19b2105c8b17560993bee28a01ddc2f97182
2025-01-17T18:29:19.8685802Z runc:
2025-01-17T18:29:19.8686506Z Version: 1.2.2
2025-01-17T18:29:19.8687717Z GitCommit: v1.2.2-0-g7cb3632
2025-01-17T18:29:19.8688703Z docker-init:
2025-01-17T18:29:19.8689452Z Version: 0.19.0
2025-01-17T18:29:19.8690329Z GitCommit: de40ad0
2025-01-17T18:29:19.8727309Z [command]/usr/bin/docker info
2025-01-17T18:29:20.0721464Z Client: Docker Engine - Community
2025-01-17T18:29:20.0725153Z Version: 26.1.3
2025-01-17T18:29:20.0726377Z Context: default
2025-01-17T18:29:20.0727577Z Debug Mode: false
2025-01-17T18:29:20.0728753Z Plugins:
2025-01-17T18:29:20.0729918Z buildx: Docker Buildx (Docker Inc.)
2025-01-17T18:29:20.0731506Z Version: v0.19.3
2025-01-17T18:29:20.0733060Z Path: /usr/libexec/docker/cli-plugins/docker-buildx
2025-01-17T18:29:20.0735318Z compose: Docker Compose (Docker Inc.)
2025-01-17T18:29:20.0737020Z Version: v2.27.1
2025-01-17T18:29:20.0738507Z Path: /usr/libexec/docker/cli-plugins/docker-compose
2025-01-17T18:29:20.0739854Z
2025-01-17T18:29:20.0740349Z Server:
2025-01-17T18:29:20.0741525Z Containers: 0
2025-01-17T18:29:20.0742409Z Running: 0
2025-01-17T18:29:20.0743617Z Paused: 0
2025-01-17T18:29:20.0744774Z Stopped: 0
2025-01-17T18:29:20.0745970Z Images: 0
2025-01-17T18:29:20.0747148Z Server Version: 26.1.3
2025-01-17T18:29:20.0748566Z Storage Driver: overlay2
2025-01-17T18:29:20.0750089Z Backing Filesystem: extfs
2025-01-17T18:29:20.0751611Z Supports d_type: true
2025-01-17T18:29:20.0753072Z Using metacopy: false
2025-01-17T18:29:20.0754745Z Native Overlay Diff: false
2025-01-17T18:29:20.0756269Z userxattr: false
2025-01-17T18:29:20.0757638Z Logging Driver: json-file
2025-01-17T18:29:20.0759189Z Cgroup Driver: systemd
2025-01-17T18:29:20.0760618Z Cgroup Version: 2
2025-01-17T18:29:20.0761913Z Plugins:
2025-01-17T18:29:20.0763171Z Volume: local
2025-01-17T18:29:20.0764865Z Network: bridge host ipvlan macvlan null overlay
2025-01-17T18:29:20.0767441Z Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
2025-01-17T18:29:20.0769815Z Swarm: inactive
2025-01-17T18:29:20.0771230Z Runtimes: runc io.containerd.runc.v2
2025-01-17T18:29:20.0772952Z Default Runtime: runc
2025-01-17T18:29:20.0774793Z Init Binary: docker-init
2025-01-17T18:29:20.0777191Z containerd version: 88bf19b2105c8b17560993bee28a01ddc2f97182
2025-01-17T18:29:20.0779380Z runc version: v1.2.2-0-g7cb3632
2025-01-17T18:29:20.0780958Z init version: de40ad0
2025-01-17T18:29:20.0782318Z Security Options:
2025-01-17T18:29:20.0783708Z apparmor
2025-01-17T18:29:20.0784824Z seccomp
2025-01-17T18:29:20.0785955Z Profile: builtin
2025-01-17T18:29:20.0787190Z cgroupns
2025-01-17T18:29:20.0788269Z Kernel Version: 6.8.0-1017-azure
2025-01-17T18:29:20.0789813Z Operating System: Ubuntu 24.04.1 LTS
2025-01-17T18:29:20.0791314Z OSType: linux
2025-01-17T18:29:20.0792435Z Architecture: x86_64
2025-01-17T18:29:20.0793811Z CPUs: 4
2025-01-17T18:29:20.0794673Z Total Memory: 15.62GiB
2025-01-17T18:29:20.0795485Z Name: fv-az1377-715
2025-01-17T18:29:20.0796304Z ID: fac863d2-75be-4525-b213-ce36ebbd9960
2025-01-17T18:29:20.0797322Z Docker Root Dir: /var/lib/docker
2025-01-17T18:29:20.0798220Z Debug Mode: false
2025-01-17T18:29:20.0799010Z Username: githubactions
2025-01-17T18:29:20.0799838Z Experimental: false
2025-01-17T18:29:20.0800616Z Insecure Registries:
2025-01-17T18:29:20.0801369Z 127.0.0.0/8
2025-01-17T18:29:20.0802079Z Live Restore Enabled: false
2025-01-17T18:29:20.0802637Z
2025-01-17T18:29:20.0804270Z ##[endgroup]
2025-01-17T18:29:20.1405805Z ##[group]Buildx version
2025-01-17T18:29:20.1432122Z [command]/usr/bin/docker buildx version
2025-01-17T18:29:20.1829965Z github.com/docker/buildx v0.19.3 48d6a3927a14668da1a0c4439a6d454a3abbdf05
2025-01-17T18:29:20.1859599Z ##[endgroup]
2025-01-17T18:29:20.2028531Z ##[group]Inspecting default docker context
2025-01-17T18:29:20.2170376Z [
2025-01-17T18:29:20.2171630Z {
2025-01-17T18:29:20.2172724Z "Name": "default",
2025-01-17T18:29:20.2174318Z "Metadata": {},
2025-01-17T18:29:20.2175619Z "Endpoints": {
2025-01-17T18:29:20.2177338Z "docker": {
2025-01-17T18:29:20.2178728Z "Host": "unix:///var/run/docker.sock",
2025-01-17T18:29:20.2180514Z "SkipTLSVerify": false
2025-01-17T18:29:20.2181991Z }
2025-01-17T18:29:20.2183163Z },
2025-01-17T18:29:20.2184556Z "TLSMaterial": {},
2025-01-17T18:29:20.2185993Z "Storage": {
2025-01-17T18:29:20.2187457Z "MetadataPath": "<IN MEMORY>",
2025-01-17T18:29:20.2189275Z "TLSPath": "<IN MEMORY>"
2025-01-17T18:29:20.2190816Z }
2025-01-17T18:29:20.2191938Z }
2025-01-17T18:29:20.2193037Z ]
2025-01-17T18:29:20.2195381Z ##[endgroup]
2025-01-17T18:29:20.2197636Z ##[group]Creating a new builder instance
2025-01-17T18:29:20.2787082Z [command]/usr/bin/docker buildx create --name builder-7764b229-6772-4d87-9422-87cbaee29d6b --driver docker-container --buildkitd-flags --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host --use
2025-01-17T18:29:20.3292006Z builder-7764b229-6772-4d87-9422-87cbaee29d6b
2025-01-17T18:29:20.3323921Z ##[endgroup]
2025-01-17T18:29:20.3325239Z ##[group]Booting builder
2025-01-17T18:29:20.3359256Z [command]/usr/bin/docker buildx inspect --bootstrap --builder builder-7764b229-6772-4d87-9422-87cbaee29d6b
2025-01-17T18:29:20.3763949Z #1 [internal] booting buildkit
2025-01-17T18:29:20.5267811Z #1 pulling image moby/buildkit:buildx-stable-1
2025-01-17T18:29:23.5915717Z #1 pulling image moby/buildkit:buildx-stable-1 3.2s done
2025-01-17T18:29:23.7418248Z #1 creating container buildx_buildkit_builder-7764b229-6772-4d87-9422-87cbaee29d6b0
2025-01-17T18:29:23.8712151Z #1 creating container buildx_buildkit_builder-7764b229-6772-4d87-9422-87cbaee29d6b0 0.3s done
2025-01-17T18:29:23.8732594Z #1 DONE 3.5s
2025-01-17T18:29:23.9052560Z Name: builder-7764b229-6772-4d87-9422-87cbaee29d6b
2025-01-17T18:29:23.9053811Z Driver: docker-container
2025-01-17T18:29:23.9054341Z Last Activity: 2025-01-17 18:29:20 +0000 UTC
2025-01-17T18:29:23.9054700Z
2025-01-17T18:29:23.9054860Z Nodes:
2025-01-17T18:29:23.9055378Z Name: builder-7764b229-6772-4d87-9422-87cbaee29d6b0
2025-01-17T18:29:23.9056002Z Endpoint: unix:///var/run/docker.sock
2025-01-17T18:29:23.9057140Z Status: running
2025-01-17T18:29:23.9058082Z BuildKit daemon flags: --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
2025-01-17T18:29:23.9058956Z BuildKit version: v0.18.2
2025-01-17T18:29:23.9059362Z Platforms: linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
2025-01-17T18:29:23.9059880Z Labels:
2025-01-17T18:29:23.9060164Z org.mobyproject.buildkit.worker.executor: oci
2025-01-17T18:29:23.9060626Z org.mobyproject.buildkit.worker.hostname: c379043b8b5a
2025-01-17T18:29:23.9061093Z org.mobyproject.buildkit.worker.network: host
2025-01-17T18:29:23.9061523Z org.mobyproject.buildkit.worker.oci.process-mode: sandbox
2025-01-17T18:29:23.9061965Z org.mobyproject.buildkit.worker.selinux.enabled: false
2025-01-17T18:29:23.9062429Z org.mobyproject.buildkit.worker.snapshotter: overlayfs
2025-01-17T18:29:23.9062815Z GC Policy rule#0:
2025-01-17T18:29:23.9063071Z All: false
2025-01-17T18:29:23.9063732Z Filters: type==source.local,type==exec.cachemount,type==source.git.checkout
2025-01-17T18:29:23.9064159Z Keep Duration: 48h0m0s
2025-01-17T18:29:23.9064429Z Max Used Space: 488.3MiB
2025-01-17T18:29:23.9064686Z GC Policy rule#1:
2025-01-17T18:29:23.9064922Z All: false
2025-01-17T18:29:23.9065296Z Keep Duration: 1440h0m0s
2025-01-17T18:29:23.9065582Z Reserved Space: 7.451GiB
2025-01-17T18:29:23.9065870Z Max Used Space: 54.02GiB
2025-01-17T18:29:23.9066121Z Min Free Space: 13.97GiB
2025-01-17T18:29:23.9066366Z GC Policy rule#2:
2025-01-17T18:29:23.9066613Z All: false
2025-01-17T18:29:23.9066850Z Reserved Space: 7.451GiB
2025-01-17T18:29:23.9067097Z Max Used Space: 54.02GiB
2025-01-17T18:29:23.9067341Z Min Free Space: 13.97GiB
2025-01-17T18:29:23.9067582Z GC Policy rule#3:
2025-01-17T18:29:23.9068043Z All: true
2025-01-17T18:29:23.9068278Z Reserved Space: 7.451GiB
2025-01-17T18:29:23.9068527Z Max Used Space: 54.02GiB
2025-01-17T18:29:23.9068780Z Min Free Space: 13.97GiB
2025-01-17T18:29:23.9102908Z ##[endgroup]
2025-01-17T18:29:23.9862942Z ##[group]Inspect builder
2025-01-17T18:29:23.9914224Z {
2025-01-17T18:29:23.9914688Z "nodes": [
2025-01-17T18:29:23.9915089Z {
2025-01-17T18:29:23.9915620Z "name": "builder-7764b229-6772-4d87-9422-87cbaee29d6b0",
2025-01-17T18:29:23.9916336Z "endpoint": "unix:///var/run/docker.sock",
2025-01-17T18:29:23.9916919Z "status": "running",
2025-01-17T18:29:23.9917923Z "buildkitd-flags": "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host",
2025-01-17T18:29:23.9918976Z "buildkit": "v0.18.2",
2025-01-17T18:29:23.9919653Z "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/386",
2025-01-17T18:29:23.9920392Z "features": {
2025-01-17T18:29:23.9921115Z "Automatically load images to the Docker Engine image store": true,
2025-01-17T18:29:23.9921867Z "Cache export": true,
2025-01-17T18:29:23.9922415Z "Docker exporter": true,
2025-01-17T18:29:23.9923041Z "Multi-platform build": true,
2025-01-17T18:29:23.9923854Z "OCI exporter": true
2025-01-17T18:29:23.9924283Z },
2025-01-17T18:29:23.9924592Z "labels": {
2025-01-17T18:29:23.9925064Z "org.mobyproject.buildkit.worker.executor": "oci",
2025-01-17T18:29:23.9925738Z "org.mobyproject.buildkit.worker.hostname": "c379043b8b5a",
2025-01-17T18:29:23.9926447Z "org.mobyproject.buildkit.worker.network": "host",
2025-01-17T18:29:23.9927208Z "org.mobyproject.buildkit.worker.oci.process-mode": "sandbox",
2025-01-17T18:29:23.9928015Z "org.mobyproject.buildkit.worker.selinux.enabled": "false",
2025-01-17T18:29:23.9928787Z "org.mobyproject.buildkit.worker.snapshotter": "overlayfs"
2025-01-17T18:29:23.9929382Z },
2025-01-17T18:29:23.9929739Z "gcPolicy": [
2025-01-17T18:29:23.9930108Z {
2025-01-17T18:29:23.9930446Z "all": false,
2025-01-17T18:29:23.9930823Z "filter": [
2025-01-17T18:29:23.9931513Z "type==source.local",
2025-01-17T18:29:23.9931992Z "type==exec.cachemount",
2025-01-17T18:29:23.9932473Z "type==source.git.checkout"
2025-01-17T18:29:23.9932929Z ],
2025-01-17T18:29:23.9933505Z "keepDuration": "48h0m0s"
2025-01-17T18:29:23.9933949Z },
2025-01-17T18:29:23.9934284Z {
2025-01-17T18:29:23.9934619Z "all": false,
2025-01-17T18:29:23.9935029Z "keepDuration": "1440h0m0s"
2025-01-17T18:29:23.9935473Z },
2025-01-17T18:29:23.9935799Z {
2025-01-17T18:29:23.9936134Z "all": false
2025-01-17T18:29:23.9936508Z },
2025-01-17T18:29:23.9936826Z {
2025-01-17T18:29:23.9937153Z "all": true
2025-01-17T18:29:23.9937523Z }
2025-01-17T18:29:23.9937894Z ]
2025-01-17T18:29:23.9938212Z }
2025-01-17T18:29:23.9938524Z ],
2025-01-17T18:29:23.9938952Z "name": "builder-7764b229-6772-4d87-9422-87cbaee29d6b",
2025-01-17T18:29:23.9939562Z "driver": "docker-container",
2025-01-17T18:29:23.9940024Z "lastActivity": "2025-01-17T18:29:20.000Z"
2025-01-17T18:29:23.9940450Z }
2025-01-17T18:29:23.9941117Z ##[endgroup]
2025-01-17T18:29:23.9941759Z ##[group]BuildKit version
2025-01-17T18:29:23.9942279Z builder-7764b229-6772-4d87-9422-87cbaee29d6b0: v0.18.2
2025-01-17T18:29:23.9943076Z ##[endgroup]
2025-01-17T18:29:24.0196158Z ##[group]Run actions/checkout@v4
2025-01-17T18:29:24.0196474Z with:
2025-01-17T18:29:24.0196708Z repository: junghans/test-actions
2025-01-17T18:29:24.0197144Z token: ***
2025-01-17T18:29:24.0197367Z ssh-strict: true
2025-01-17T18:29:24.0197590Z ssh-user: git
2025-01-17T18:29:24.0197829Z persist-credentials: true
2025-01-17T18:29:24.0198085Z clean: true
2025-01-17T18:29:24.0198323Z sparse-checkout-cone-mode: true
2025-01-17T18:29:24.0198808Z fetch-depth: 1
2025-01-17T18:29:24.0199064Z fetch-tags: false
2025-01-17T18:29:24.0199290Z show-progress: true
2025-01-17T18:29:24.0199524Z lfs: false
2025-01-17T18:29:24.0199736Z submodules: false
2025-01-17T18:29:24.0199962Z set-safe-directory: true
2025-01-17T18:29:24.0200213Z ##[endgroup]
2025-01-17T18:29:24.1202845Z Syncing repository: junghans/test-actions
2025-01-17T18:29:24.1203820Z ##[group]Getting Git version info
2025-01-17T18:29:24.1204346Z Working directory is '/home/runner/work/test-actions/test-actions'
2025-01-17T18:29:24.1204956Z [command]/usr/bin/git version
2025-01-17T18:29:24.1266953Z git version 2.47.1
2025-01-17T18:29:24.1292210Z ##[endgroup]
2025-01-17T18:29:24.1306169Z Temporarily overriding HOME='/home/runner/work/_temp/ace72073-0a07-4ed8-a59e-62e59b10d708' before making global git config changes
2025-01-17T18:29:24.1307003Z Adding repository directory to the temporary git global config as a safe directory
2025-01-17T18:29:24.1318388Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/test-actions/test-actions
2025-01-17T18:29:24.1351544Z Deleting the contents of '/home/runner/work/test-actions/test-actions'
2025-01-17T18:29:24.1355110Z ##[group]Initializing the repository
2025-01-17T18:29:24.1359144Z [command]/usr/bin/git init /home/runner/work/test-actions/test-actions
2025-01-17T18:29:24.1500112Z hint: Using 'master' as the name for the initial branch. This default branch name
2025-01-17T18:29:24.1501014Z hint: is subject to change. To configure the initial branch name to use in all
2025-01-17T18:29:24.1501687Z hint: of your new repositories, which will suppress this warning, call:
2025-01-17T18:29:24.1502091Z hint:
2025-01-17T18:29:24.1502408Z hint: git config --global init.defaultBranch <name>
2025-01-17T18:29:24.1502738Z hint:
2025-01-17T18:29:24.1503101Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
2025-01-17T18:29:24.1503801Z hint: 'development'. The just-created branch can be renamed via this command:
2025-01-17T18:29:24.1507602Z hint:
2025-01-17T18:29:24.1508020Z hint: git branch -m <name>
2025-01-17T18:29:24.1508651Z Initialized empty Git repository in /home/runner/work/test-actions/test-actions/.git/
2025-01-17T18:29:24.1518502Z [command]/usr/bin/git remote add origin https://github.com/junghans/test-actions
2025-01-17T18:29:24.1550993Z ##[endgroup]
2025-01-17T18:29:24.1551638Z ##[group]Disabling automatic garbage collection
2025-01-17T18:29:24.1555556Z [command]/usr/bin/git config --local gc.auto 0
2025-01-17T18:29:24.1582897Z ##[endgroup]
2025-01-17T18:29:24.1583747Z ##[group]Setting up auth
2025-01-17T18:29:24.1589897Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2025-01-17T18:29:24.1618474Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2025-01-17T18:29:24.1963531Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2025-01-17T18:29:24.1991212Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2025-01-17T18:29:24.2212120Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2025-01-17T18:29:24.2248106Z ##[endgroup]
2025-01-17T18:29:24.2256375Z ##[group]Fetching the repository
2025-01-17T18:29:24.2258223Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +41fd4643c0820d2804b9a15c5c1a9e4b3ac04090:refs/remotes/origin/PAM_error
2025-01-17T18:29:24.5919974Z From https://github.com/junghans/test-actions
2025-01-17T18:29:24.5920496Z * [new ref] 41fd4643c0820d2804b9a15c5c1a9e4b3ac04090 -> origin/PAM_error
2025-01-17T18:29:24.5945307Z ##[endgroup]
2025-01-17T18:29:24.5945680Z ##[group]Determining the checkout info
2025-01-17T18:29:24.5947780Z ##[endgroup]
2025-01-17T18:29:24.5952620Z [command]/usr/bin/git sparse-checkout disable
2025-01-17T18:29:24.5992433Z [command]/usr/bin/git config --local --unset-all extensions.worktreeConfig
2025-01-17T18:29:24.6024084Z ##[group]Checking out the ref
2025-01-17T18:29:24.6024530Z [command]/usr/bin/git checkout --progress --force -B PAM_error refs/remotes/origin/PAM_error
2025-01-17T18:29:24.6066003Z Switched to a new branch 'PAM_error'
2025-01-17T18:29:24.6069496Z branch 'PAM_error' set up to track 'origin/PAM_error'.
2025-01-17T18:29:24.6074487Z ##[endgroup]
2025-01-17T18:29:24.6111565Z [command]/usr/bin/git log -1 --format=%H
2025-01-17T18:29:24.6132926Z 41fd4643c0820d2804b9a15c5c1a9e4b3ac04090
2025-01-17T18:29:24.6308406Z ##[group]Run docker/build-push-action@v6
2025-01-17T18:29:24.6308677Z with:
2025-01-17T18:29:24.6308843Z file: Dockerfile
2025-01-17T18:29:24.6309022Z pull: true
2025-01-17T18:29:24.6309186Z push: false
2025-01-17T18:29:24.6309357Z load: false
2025-01-17T18:29:24.6309543Z no-cache: false
2025-01-17T18:29:24.6309853Z github-token: ***
2025-01-17T18:29:24.6310029Z ##[endgroup]
2025-01-17T18:29:24.8633076Z ##[group]GitHub Actions runtime token ACs
2025-01-17T18:29:24.8640992Z refs/heads/PAM_error: read/write
2025-01-17T18:29:24.8641457Z refs/heads/master: read
2025-01-17T18:29:24.8642627Z ##[endgroup]
2025-01-17T18:29:24.8643464Z ##[group]Docker info
2025-01-17T18:29:24.8716713Z [command]/usr/bin/docker version
2025-01-17T18:29:24.8922786Z Client: Docker Engine - Community
2025-01-17T18:29:24.8923733Z Version: 26.1.3
2025-01-17T18:29:24.8924224Z API version: 1.45
2025-01-17T18:29:24.8924753Z Go version: go1.21.10
2025-01-17T18:29:24.8925197Z Git commit: b72abbb
2025-01-17T18:29:24.8925564Z Built: Thu May 16 08:33:35 2024
2025-01-17T18:29:24.8925904Z OS/Arch: linux/amd64
2025-01-17T18:29:24.8926132Z Context: default
2025-01-17T18:29:24.8926272Z
2025-01-17T18:29:24.8926378Z Server: Docker Engine - Community
2025-01-17T18:29:24.8926605Z Engine:
2025-01-17T18:29:24.8926768Z Version: 26.1.3
2025-01-17T18:29:24.8926995Z API version: 1.45 (minimum version 1.24)
2025-01-17T18:29:24.8927261Z Go version: go1.21.10
2025-01-17T18:29:24.8927470Z Git commit: 8e96db1
2025-01-17T18:29:24.8927679Z Built: Thu May 16 08:33:35 2024
2025-01-17T18:29:24.8927924Z OS/Arch: linux/amd64
2025-01-17T18:29:24.8928140Z Experimental: false
2025-01-17T18:29:24.8928336Z containerd:
2025-01-17T18:29:24.8928505Z Version: 1.7.24
2025-01-17T18:29:24.8928763Z GitCommit: 88bf19b2105c8b17560993bee28a01ddc2f97182
2025-01-17T18:29:24.8929032Z runc:
2025-01-17T18:29:24.8929196Z Version: 1.2.2
2025-01-17T18:29:24.8929402Z GitCommit: v1.2.2-0-g7cb3632
2025-01-17T18:29:24.8929633Z docker-init:
2025-01-17T18:29:24.8929807Z Version: 0.19.0
2025-01-17T18:29:24.8930078Z GitCommit: de40ad0
2025-01-17T18:29:24.8973042Z [command]/usr/bin/docker info
2025-01-17T18:29:24.9394156Z Client: Docker Engine - Community
2025-01-17T18:29:24.9395276Z Version: 26.1.3
2025-01-17T18:29:24.9395783Z Context: default
2025-01-17T18:29:24.9396346Z Debug Mode: false
2025-01-17T18:29:24.9396905Z Plugins:
2025-01-17T18:29:24.9397735Z buildx: Docker Buildx (Docker Inc.)
2025-01-17T18:29:24.9398452Z Version: v0.19.3
2025-01-17T18:29:24.9399676Z Path: /usr/libexec/docker/cli-plugins/docker-buildx
2025-01-17T18:29:24.9400541Z compose: Docker Compose (Docker Inc.)
2025-01-17T18:29:24.9401213Z Version: v2.27.1
2025-01-17T18:29:24.9401911Z Path: /usr/libexec/docker/cli-plugins/docker-compose
2025-01-17T18:29:24.9402600Z
2025-01-17T18:29:24.9402862Z Server:
2025-01-17T18:29:24.9404171Z Containers: 1
2025-01-17T18:29:24.9404894Z Running: 1
2025-01-17T18:29:24.9405427Z Paused: 0
2025-01-17T18:29:24.9405957Z Stopped: 0
2025-01-17T18:29:24.9406929Z Images: 1
2025-01-17T18:29:24.9407533Z Server Version: 26.1.3
2025-01-17T18:29:24.9408775Z Storage Driver: overlay2
2025-01-17T18:29:24.9409468Z Backing Filesystem: extfs
2025-01-17T18:29:24.9410509Z Supports d_type: true
2025-01-17T18:29:24.9411201Z Using metacopy: false
2025-01-17T18:29:24.9411836Z Native Overlay Diff: false
2025-01-17T18:29:24.9412239Z userxattr: false
2025-01-17T18:29:24.9412570Z Logging Driver: json-file
2025-01-17T18:29:24.9412979Z Cgroup Driver: systemd
2025-01-17T18:29:24.9413818Z Cgroup Version: 2
2025-01-17T18:29:24.9414121Z Plugins:
2025-01-17T18:29:24.9414385Z Volume: local
2025-01-17T18:29:24.9414747Z Network: bridge host ipvlan macvlan null overlay
2025-01-17T18:29:24.9415773Z Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
2025-01-17T18:29:24.9416423Z Swarm: inactive
2025-01-17T18:29:24.9416780Z Runtimes: io.containerd.runc.v2 runc
2025-01-17T18:29:24.9417224Z Default Runtime: runc
2025-01-17T18:29:24.9417581Z Init Binary: docker-init
2025-01-17T18:29:24.9418066Z containerd version: 88bf19b2105c8b17560993bee28a01ddc2f97182
2025-01-17T18:29:24.9418617Z runc version: v1.2.2-0-g7cb3632
2025-01-17T18:29:24.9419007Z init version: de40ad0
2025-01-17T18:29:24.9419335Z Security Options:
2025-01-17T18:29:24.9419656Z apparmor
2025-01-17T18:29:24.9419949Z seccomp
2025-01-17T18:29:24.9420243Z Profile: builtin
2025-01-17T18:29:24.9420569Z cgroupns
2025-01-17T18:29:24.9420865Z Kernel Version: 6.8.0-1017-azure
2025-01-17T18:29:24.9421257Z Operating System: Ubuntu 24.04.1 LTS
2025-01-17T18:29:24.9421683Z OSType: linux
2025-01-17T18:29:24.9422098Z Architecture: x86_64
2025-01-17T18:29:24.9422485Z CPUs: 4
2025-01-17T18:29:24.9422773Z Total Memory: 15.62GiB
2025-01-17T18:29:24.9423174Z Name: fv-az1377-715
2025-01-17T18:29:24.9423788Z ID: fac863d2-75be-4525-b213-ce36ebbd9960
2025-01-17T18:29:24.9424179Z Docker Root Dir: /var/lib/docker
2025-01-17T18:29:24.9424408Z Debug Mode: false
2025-01-17T18:29:24.9424610Z Username: githubactions
2025-01-17T18:29:24.9424821Z Experimental: false
2025-01-17T18:29:24.9425019Z Insecure Registries:
2025-01-17T18:29:24.9425314Z 127.0.0.0/8
2025-01-17T18:29:24.9425520Z Live Restore Enabled: false
2025-01-17T18:29:24.9425660Z
2025-01-17T18:29:24.9426045Z ##[endgroup]
2025-01-17T18:29:24.9426490Z ##[group]Proxy configuration
2025-01-17T18:29:24.9426724Z No proxy configuration found
2025-01-17T18:29:24.9427042Z ##[endgroup]
2025-01-17T18:29:24.9959251Z ##[group]Buildx version
2025-01-17T18:29:24.9980134Z [command]/usr/bin/docker buildx version
2025-01-17T18:29:25.0380804Z github.com/docker/buildx v0.19.3 48d6a3927a14668da1a0c4439a6d454a3abbdf05
2025-01-17T18:29:25.0410136Z ##[endgroup]
2025-01-17T18:29:25.0410488Z ##[group]Builder info
2025-01-17T18:29:25.1168047Z {
2025-01-17T18:29:25.1168305Z "nodes": [
2025-01-17T18:29:25.1168481Z {
2025-01-17T18:29:25.1168722Z "name": "builder-7764b229-6772-4d87-9422-87cbaee29d6b0",
2025-01-17T18:29:25.1169050Z "endpoint": "unix:///var/run/docker.sock",
2025-01-17T18:29:25.1169326Z "status": "running",
2025-01-17T18:29:25.1169818Z "buildkitd-flags": "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host",
2025-01-17T18:29:25.1170295Z "buildkit": "v0.18.2",
2025-01-17T18:29:25.1170586Z "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/386",
2025-01-17T18:29:25.1170894Z "features": {
2025-01-17T18:29:25.1171170Z "Automatically load images to the Docker Engine image store": true,
2025-01-17T18:29:25.1171500Z "Cache export": true,
2025-01-17T18:29:25.1171712Z "Docker exporter": true,
2025-01-17T18:29:25.1171943Z "Multi-platform build": true,
2025-01-17T18:29:25.1172169Z "OCI exporter": true
2025-01-17T18:29:25.1172368Z },
2025-01-17T18:29:25.1172525Z "labels": {
2025-01-17T18:29:25.1172752Z "org.mobyproject.buildkit.worker.executor": "oci",
2025-01-17T18:29:25.1173113Z "org.mobyproject.buildkit.worker.hostname": "c379043b8b5a",
2025-01-17T18:29:25.1174083Z "org.mobyproject.buildkit.worker.network": "host",
2025-01-17T18:29:25.1174469Z "org.mobyproject.buildkit.worker.oci.process-mode": "sandbox",
2025-01-17T18:29:25.1174881Z "org.mobyproject.buildkit.worker.selinux.enabled": "false",
2025-01-17T18:29:25.1175271Z "org.mobyproject.buildkit.worker.snapshotter": "overlayfs"
2025-01-17T18:29:25.1175563Z },
2025-01-17T18:29:25.1175721Z "gcPolicy": [
2025-01-17T18:29:25.1175891Z {
2025-01-17T18:29:25.1176043Z "all": false,
2025-01-17T18:29:25.1176226Z "filter": [
2025-01-17T18:29:25.1176408Z "type==source.local",
2025-01-17T18:29:25.1176630Z "type==exec.cachemount",
2025-01-17T18:29:25.1177018Z "type==source.git.checkout"
2025-01-17T18:29:25.1177243Z ],
2025-01-17T18:29:25.1177413Z "keepDuration": "48h0m0s"
2025-01-17T18:29:25.1177621Z },
2025-01-17T18:29:25.1177787Z {
2025-01-17T18:29:25.1177933Z "all": false,
2025-01-17T18:29:25.1178132Z "keepDuration": "1440h0m0s"
2025-01-17T18:29:25.1178347Z },
2025-01-17T18:29:25.1178489Z {
2025-01-17T18:29:25.1178641Z "all": false
2025-01-17T18:29:25.1178807Z },
2025-01-17T18:29:25.1178954Z {
2025-01-17T18:29:25.1179104Z "all": true
2025-01-17T18:29:25.1179267Z }
2025-01-17T18:29:25.1179414Z ]
2025-01-17T18:29:25.1179564Z }
2025-01-17T18:29:25.1179702Z ],
2025-01-17T18:29:25.1179902Z "name": "builder-7764b229-6772-4d87-9422-87cbaee29d6b",
2025-01-17T18:29:25.1180184Z "driver": "docker-container",
2025-01-17T18:29:25.1180409Z "lastActivity": "2025-01-17T18:29:20.000Z"
2025-01-17T18:29:25.1180633Z }
2025-01-17T18:29:25.1181068Z ##[endgroup]
2025-01-17T18:29:25.2532534Z [command]/usr/bin/docker buildx build --file Dockerfile --iidfile /home/runner/work/_temp/docker-actions-toolkit-45YjkO/build-iidfile-1a693983d2.txt --attest type=provenance,mode=max,builder-id=https://github.com/junghans/test-actions/actions/runs/12834771076/attempts/1 --secret id=GIT_AUTH_TOKEN,src=/home/runner/work/_temp/docker-actions-toolkit-45YjkO/tmp-2249-NXoXcUxpKekS --metadata-file /home/runner/work/_temp/docker-actions-toolkit-45YjkO/build-metadata-20c4fba042.json --pull https://github.com/junghans/test-actions.git#41fd4643c0820d2804b9a15c5c1a9e4b3ac04090
2025-01-17T18:29:25.5156109Z #0 building with "builder-7764b229-6772-4d87-9422-87cbaee29d6b" instance using docker-container driver
2025-01-17T18:29:25.5156585Z
2025-01-17T18:29:25.5156968Z #1 [internal] load git source https://github.com/junghans/test-actions.git#41fd4643c0820d2804b9a15c5c1a9e4b3ac04090
2025-01-17T18:29:25.5157781Z #1 0.020 Initialized empty Git repository in /var/lib/buildkit/runc-overlayfs/snapshots/snapshots/1/fs/
2025-01-17T18:29:25.5158432Z #1 0.023 fatal: Not a valid object name 41fd4643c0820d2804b9a15c5c1a9e4b3ac04090^{commit}
2025-01-17T18:29:25.9272861Z #1 0.586 From https://github.com/junghans/test-actions
2025-01-17T18:29:25.9274158Z #1 0.586 * branch 41fd4643c0820d2804b9a15c5c1a9e4b3ac04090 -> FETCH_HEAD
2025-01-17T18:29:26.1091633Z #1 0.586 * [new tag] v1.6.1 -> v1.6.1
2025-01-17T18:29:26.1092157Z #1 0.586 * [new tag] v1.7-dev -> v1.7-dev
2025-01-17T18:29:26.1092443Z #1 DONE 0.6s
2025-01-17T18:29:26.1092556Z
2025-01-17T18:29:26.1092756Z #2 [internal] load metadata for registry.fedoraproject.org/fedora:latest
2025-01-17T18:29:26.6571200Z #2 DONE 0.7s
2025-01-17T18:29:26.8238474Z
2025-01-17T18:29:26.8239409Z #3 [1/6] FROM registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b
2025-01-17T18:29:26.8240294Z #3 resolve registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b done
2025-01-17T18:29:26.8304272Z #3 sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 18.87MB / 60.06MB 0.2s
2025-01-17T18:29:26.9786031Z #3 sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 60.06MB / 60.06MB 0.3s
2025-01-17T18:29:27.1570093Z #3 sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 60.06MB / 60.06MB 0.3s done
2025-01-17T18:29:27.1571207Z #3 extracting sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c
2025-01-17T18:29:28.3801946Z #3 extracting sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 1.4s done
2025-01-17T18:29:28.3802735Z #3 DONE 1.7s
2025-01-17T18:29:28.5311428Z
2025-01-17T18:29:28.5311962Z #4 [2/6] RUN useradd -m -G wheel -u 1001 user
2025-01-17T18:29:28.6820001Z #4 DONE 0.3s
2025-01-17T18:29:28.8075874Z
2025-01-17T18:29:28.8077177Z #5 [3/6] RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user
2025-01-17T18:29:28.8078157Z #5 DONE 0.1s
2025-01-17T18:29:28.8078299Z
2025-01-17T18:29:28.8078386Z #6 [4/6] WORKDIR /home/user
2025-01-17T18:29:28.8078728Z #6 DONE 0.0s
2025-01-17T18:29:28.8078836Z
2025-01-17T18:29:28.8078904Z #7 [5/6] RUN whoami
2025-01-17T18:29:28.8079081Z #7 0.050 user
2025-01-17T18:29:28.9026457Z #7 DONE 0.1s
2025-01-17T18:29:28.9027248Z
2025-01-17T18:29:28.9027440Z #8 [6/6] RUN sudo whoami
2025-01-17T18:29:28.9028200Z #8 0.059 sudo: PAM account management error: Authentication service cannot retrieve authentication info
2025-01-17T18:29:28.9029011Z #8 0.059 sudo: a password is required
2025-01-17T18:29:28.9029670Z #8 ERROR: process "/bin/sh -c sudo whoami" did not complete successfully: exit code: 1
2025-01-17T18:29:28.9030298Z ------
2025-01-17T18:29:28.9030588Z > [6/6] RUN sudo whoami:
2025-01-17T18:29:28.9031218Z 0.059 sudo: PAM account management error: Authentication service cannot retrieve authentication info
2025-01-17T18:29:28.9031979Z 0.059 sudo: a password is required
2025-01-17T18:29:28.9032410Z ------
2025-01-17T18:29:28.9033761Z WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
2025-01-17T18:29:28.9087865Z Dockerfile:9
2025-01-17T18:29:28.9088198Z --------------------
2025-01-17T18:29:28.9088521Z 7 | WORKDIR /home/user
2025-01-17T18:29:28.9089031Z 8 | RUN whoami
2025-01-17T18:29:28.9089324Z 9 | >>> RUN sudo whoami
2025-01-17T18:29:28.9089647Z 10 |
2025-01-17T18:29:28.9089932Z --------------------
2025-01-17T18:29:28.9090423Z ERROR: failed to solve: process "/bin/sh -c sudo whoami" did not complete successfully: exit code: 1
2025-01-17T18:29:28.9132844Z ##[group]Reference
2025-01-17T18:29:28.9909445Z builder-7764b229-6772-4d87-9422-87cbaee29d6b/builder-7764b229-6772-4d87-9422-87cbaee29d6b0/v105fkcbtwd2pkgbdafam7dyb
2025-01-17T18:29:28.9910656Z ##[endgroup]
2025-01-17T18:29:28.9911008Z ##[group]Check build summary support
2025-01-17T18:29:28.9915244Z Build summary supported!
2025-01-17T18:29:28.9916123Z ##[endgroup]
2025-01-17T18:29:28.9936084Z ##[error]buildx failed with: ERROR: failed to solve: process "/bin/sh -c sudo whoami" did not complete successfully: exit code: 1
2025-01-17T18:29:29.0096826Z Post job cleanup.
2025-01-17T18:29:29.2457052Z ##[group]Generating build summary
2025-01-17T18:29:29.3320324Z exporting build record to /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/export
2025-01-17T18:29:32.3384214Z [command]/usr/bin/mkfifo /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/buildx-in-BAhf7s.fifo
2025-01-17T18:29:32.3438991Z [command]/usr/bin/mkfifo /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/buildx-out-5bIuTM.fifo
2025-01-17T18:29:32.3480791Z [command]docker buildx --builder builder-7764b229-6772-4d87-9422-87cbaee29d6b dial-stdio
2025-01-17T18:29:32.3512638Z [command]docker run --rm -i -v /home/runner/.docker/buildx/refs:/buildx-refs -v /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/export:/out docker.io/dockereng/export-build:latest --ref-state-dir=/buildx-refs --node=builder-7764b229-6772-4d87-9422-87cbaee29d6b/builder-7764b229-6772-4d87-9422-87cbaee29d6b0 --ref=v105fkcbtwd2pkgbdafam7dyb --uid=1001 --gid=118
2025-01-17T18:29:32.3664435Z Unable to find image 'dockereng/export-build:latest' locally
2025-01-17T18:29:33.3217461Z latest: Pulling from dockereng/export-build
2025-01-17T18:29:33.5865600Z fa05fab17045: Pulling fs layer
2025-01-17T18:29:33.5866043Z 3bee4e1c34fe: Pulling fs layer
2025-01-17T18:29:33.8325321Z 3bee4e1c34fe: Verifying Checksum
2025-01-17T18:29:33.8325852Z 3bee4e1c34fe: Download complete
2025-01-17T18:29:33.8847624Z fa05fab17045: Verifying Checksum
2025-01-17T18:29:33.8848067Z fa05fab17045: Download complete
2025-01-17T18:29:33.9840552Z fa05fab17045: Pull complete
2025-01-17T18:29:34.0155219Z 3bee4e1c34fe: Pull complete
2025-01-17T18:29:34.0203951Z Digest: sha256:3d41f110aedbe6c439e0002646f6c31b3063bc50f43a712c9a55710a9b5ae3f7
2025-01-17T18:29:34.0220554Z Status: Downloaded newer image for dockereng/export-build:latest
2025-01-17T18:29:34.2996287Z Process "docker run" exited with code 0
2025-01-17T18:29:34.3000923Z Parsing /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/export/summary.json
2025-01-17T18:29:34.3004756Z Build record written to /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/export/junghans~test-actions~V105FK.dockerbuild (12.83 KB)
2025-01-17T18:29:34.3021198Z Uploading junghans~test-actions~V105FK.dockerbuild to blob storage
2025-01-17T18:29:34.3366264Z ERROR: read unix @->/run/docker.sock: use of closed network connection
2025-01-17T18:29:34.3367613Z Process "buildx dial-stdio" was killed with signal SIGKILL
2025-01-17T18:29:34.6162922Z Beginning upload of artifact content to blob storage
2025-01-17T18:29:34.6251740Z Uploaded bytes 13135
2025-01-17T18:29:34.9429282Z Finished uploading artifact content to blob storage!
2025-01-17T18:29:34.9434437Z SHA256 hash of uploaded artifact is 5c49c4bf7677512dfdfafce44c12927b2b9e9a3a144baa35a6e95daad4b9e7e3
2025-01-17T18:29:34.9435599Z Finalizing artifact upload
2025-01-17T18:29:35.2465623Z Artifact successfully finalized (2448580225)
2025-01-17T18:29:35.2466981Z Artifact download URL: https://github.com/junghans/test-actions/actions/runs/12834771076/artifacts/2448580225
2025-01-17T18:29:35.2490949Z Writing summary
2025-01-17T18:29:35.2502603Z ##[endgroup]
2025-01-17T18:29:35.2503501Z ##[group]Removing temp folder /home/runner/work/_temp/docker-actions-toolkit-45YjkO
2025-01-17T18:29:35.2510870Z ##[endgroup]
2025-01-17T18:29:35.2511375Z ##[group]Post cache
2025-01-17T18:29:35.2512768Z State not set
2025-01-17T18:29:35.2513430Z ##[endgroup]
2025-01-17T18:29:35.2655174Z Post job cleanup.
2025-01-17T18:29:35.3582349Z [command]/usr/bin/git version
2025-01-17T18:29:35.3618769Z git version 2.47.1
2025-01-17T18:29:35.3660849Z Temporarily overriding HOME='/home/runner/work/_temp/0f39d43f-79d7-4877-913e-26481db75998' before making global git config changes
2025-01-17T18:29:35.3661724Z Adding repository directory to the temporary git global config as a safe directory
2025-01-17T18:29:35.3666414Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/test-actions/test-actions
2025-01-17T18:29:35.3701312Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2025-01-17T18:29:35.3732482Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2025-01-17T18:29:35.3963403Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2025-01-17T18:29:35.3984674Z http.https://github.com/.extraheader
2025-01-17T18:29:35.3996651Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2025-01-17T18:29:35.4026928Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2025-01-17T18:29:35.4344187Z Post job cleanup.
2025-01-17T18:29:35.6758990Z ##[group]Removing builder
2025-01-17T18:29:35.7617587Z [command]/usr/bin/docker buildx rm builder-7764b229-6772-4d87-9422-87cbaee29d6b
2025-01-17T18:29:36.1189317Z builder-7764b229-6772-4d87-9422-87cbaee29d6b removed
2025-01-17T18:29:36.1226799Z ##[endgroup]
2025-01-17T18:29:36.1228126Z ##[group]Cleaning up certificates
2025-01-17T18:29:36.1234573Z ##[endgroup]
2025-01-17T18:29:36.1235169Z ##[group]Post cache
2025-01-17T18:29:36.1237461Z State not set
2025-01-17T18:29:36.1238037Z ##[endgroup]
2025-01-17T18:29:36.1360612Z Cleaning up orphan processes
BuildKit logs
Additional info
The build from the same Dockerfile worked a couple of months ago.
https://github.com/junghans/test-actions/actions/runs/12834771076
This repo is about setup-buildx-action and I don't see any issue with it in this run:
Let me move this to build-push-action
sudo executes successfully in the container.
I don't think this is related to the action but your Dockerfile. Do you repro locally as well?
It works locally on my Fedora 41 machine.
Local test of F41
$ cat /etc/redhat-release
Fedora release 41 (Forty One)
$ docker --version
Docker version 27.5.0, build a187fa5
$ docker buildx version
github.com/docker/buildx v0.19.3 48d6a39
$ cat docker/Dockerfile
FROM registry.fedoraproject.org/fedora:latest
RUN useradd -m -G wheel -u 1001 user
RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user
USER user
WORKDIR /home/user
RUN sudo whoami
$ docker buildx build --progress plain docker/
#0 building with "default" instance using docker driver
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 294B done
#1 DONE 0.0s
#2 [internal] load metadata for registry.fedoraproject.org/fedora:latest
#2 DONE 0.8s
#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s
#4 [1/5] FROM registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b
#4 resolve registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 0.0s done
#4 sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 1.41kB / 1.41kB done
#4 sha256:ef58b9a9b4eeb929cb37b1b83d94a2f7258edd175f9837b1bfa01d3383d5cd09 504B / 504B done
#4 sha256:a432b057a522737c229d2aac9b029f55bf2a44eb3f423e4e4ece2acb8a304652 858B / 858B done
#4 DONE 0.1s
#5 [2/5] RUN useradd -m -G wheel -u 1001 user
#5 DONE 0.3s
#6 [3/5] RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user
#6 DONE 0.2s
#7 [4/5] WORKDIR /home/user
#7 DONE 0.1s
#8 [5/5] RUN sudo whoami
#8 0.173 root
#8 DONE 0.2s
#9 exporting to image
#9 exporting layers 0.1s done
#9 writing image sha256:cbd11e72bb4a5de21e6bc51e433189036192d36c9d0725e46fcd20eea1b2e18a done
#9 DONE 0.1s
Looks like it works with the Default builder (docker 27.5.0);
docker buildx inspect
Name: default
Driver: docker
Last Activity: 2025-01-17 23:48:47 +0000 UTC
Nodes:
Name: default
Endpoint: default
Status: running
BuildKit version: v0.18.2
Platforms: linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
Labels:
org.mobyproject.buildkit.worker.moby.host-gateway-ip: 172.17.0.1
docker buildx build -t foo --load -<<'EOF'
FROM registry.fedoraproject.org/fedora:latest
RUN useradd -m -G wheel -u 1001 user
RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user
USER user
WORKDIR /home/user
RUN sudo whoami
EOF
[+] Building 6.7s (9/9) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 234B 0.0s
=> [internal] load metadata for registry.fedoraproject.org/fedora:latest 0.6s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [1/5] FROM registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 4.4s
=> => resolve registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 0.0s
=> => sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 1.41kB / 1.41kB 0.0s
=> => sha256:ef58b9a9b4eeb929cb37b1b83d94a2f7258edd175f9837b1bfa01d3383d5cd09 504B / 504B 0.0s
=> => sha256:a432b057a522737c229d2aac9b029f55bf2a44eb3f423e4e4ece2acb8a304652 858B / 858B 0.0s
=> => sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 60.06MB / 60.06MB 0.8s
=> => extracting sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 3.3s
=> [2/5] RUN useradd -m -G wheel -u 1001 user 0.5s
=> [3/5] RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user 0.2s
=> [4/5] WORKDIR /home/user 0.1s
=> [5/5] RUN sudo whoami 0.3s
=> exporting to image 0.2s
=> => exporting layers 0.1s
=> => writing image sha256:cb32a41b3f9c46fcd2c337c20ac788780f4cef5a04ce9eab7b4e38f3b88f2bda 0.0s
=> => naming to docker.io/library/foo 0.0s
But with a custom builder, using steps from GitHub actions, it fails;
docker buildx create --name builder-7764b229-6772-4d87-9422-87cbaee29d6b --driver docker-container --buildkitd-flags '--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host' --use
docker buildx use builder-7764b229-6772-4d87-9422-87cbaee29d6b
[+] Building 8.0s (9/9) FINISHED docker-container:builder-7764b229-6772-4d87-9422-87cbaee29d6b
=> [internal] booting buildkit 1.8s
=> => pulling image moby/buildkit:buildx-stable-1 1.0s
=> => creating container buildx_buildkit_builder-7764b229-6772-4d87-9422-87cbaee29d6b0 0.8s
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 234B 0.0s
=> [internal] load metadata for registry.fedoraproject.org/fedora:latest 0.9s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [1/5] FROM registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 4.1s
=> => resolve registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 0.0s
=> => sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 60.06MB / 60.06MB 0.6s
=> => extracting sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 3.4s
=> [2/5] RUN useradd -m -G wheel -u 1001 user 0.4s
=> [3/5] RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user 0.1s
=> [4/5] WORKDIR /home/user 0.1s
=> ERROR [5/5] RUN sudo whoami 0.2s
------
> [5/5] RUN sudo whoami:
0.135 sudo: PAM account management error: Authentication service cannot retrieve authentication info
0.136 sudo: a password is required
------
Dockerfile:8
--------------------
6 | USER user
7 | WORKDIR /home/user
8 | >>> RUN sudo whoami
9 |
--------------------
ERROR: failed to solve: process "/bin/sh -c sudo whoami" did not complete successfully: exit code: 1
docker buildx inspect
Name: builder-7764b229-6772-4d87-9422-87cbaee29d6b
Driver: docker-container
Last Activity: 2025-01-17 23:51:36 +0000 UTC
Nodes:
Name: builder-7764b229-6772-4d87-9422-87cbaee29d6b0
Endpoint: unix:///var/run/docker.sock
Status: running
BuildKit daemon flags: --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
BuildKit version: v0.18.2
Platforms: linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
Labels:
org.mobyproject.buildkit.worker.executor: oci
org.mobyproject.buildkit.worker.hostname: 6b8648b69562
org.mobyproject.buildkit.worker.network: host
org.mobyproject.buildkit.worker.oci.process-mode: sandbox
org.mobyproject.buildkit.worker.selinux.enabled: false
org.mobyproject.buildkit.worker.snapshotter: overlayfs
GC Policy rule#0:
All: false
Filters: type==source.local,type==exec.cachemount,type==source.git.checkout
Keep Duration: 48h0m0s
Max Used Space: 488.3MiB
GC Policy rule#1:
All: false
Keep Duration: 1440h0m0s
Reserved Space: 2.794GiB
Max Used Space: 17.7GiB
Min Free Space: 4.657GiB
GC Policy rule#2:
All: false
Reserved Space: 2.794GiB
Max Used Space: 17.7GiB
Min Free Space: 4.657GiB
GC Policy rule#3:
All: true
Reserved Space: 2.794GiB
Max Used Space: 17.7GiB
Min Free Space: 4.657GiB
That was running on an Ubuntu 24.04 machine;
Kernel Version: 6.8.0-51-generic
Operating System: Ubuntu 24.04.1 LTS
Somewhat similar to the GitHub actions runner;
Kernel Version: 6.8.0-1017-azure
Operating System: Ubuntu 24.04.1 LTS
The custom builder would be running inside a docker container, so there's additional nesting happening (possibly relevant);
A quick search on GitHub shows various spots where the error can come from, one of them from systemd (which for sure won't be present inside the build container);
https://github.com/linux-pam/linux-pam/blob/e634a3a9be9484ada6e93970dfaf0f055ca17332/libpam/pam_strerror.c#L60-L61
https://github.com/canonical/lightdm/blob/f043bfd81e10a3499e865aafd99781a4df854784/tests/src/libsystem.c#L1547-L1548
https://github.com/systemd/systemd/blob/f55a6fc1e35f5e5a1b51cbade9a7673f3d660f27/src/login/pam_systemd_loadkey.c#L54-L58
Yeah; looks like it doesn't like running docker-in-docker;
On the host;
docker run -it --rm registry.fedoraproject.org/fedora:latest sudo whoami
root
Running inside a docker-in-docker container;
docker run -it --rm registry.fedoraproject.org/fedora:latest sudo whoami
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
sudo --version
Sudo version 1.9.15p5
@thaJeztah thanks for the detailed analysis. I am glad it is reproducible.
As a workaround for now, is there a way to switch the GitHub action to use the default builder?
Yes you can set the docker driver:
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3
  with:
    driver: docker
Did a quick check to see what could cause this; initially I was wondering if latest fedora versions perhaps switched to using systemd for handling sudo. On Docker Desktop, the problem didn't show;
docker run -d --quiet --rm --privileged --name=dind docker:27-dind -H unix:///var/run/docker.sock
docker exec -it dind sh
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:40 sudo whoami
root
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:41 sudo whoami
root
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:latest sudo whoami
root
But running on Ubuntu 24.04 it does;
docker run -d --rm --privileged --name=dind docker:27-dind -H unix:///var/run/docker.sock
docker exec -it dind sh
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:40 sudo whoami
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:41 sudo whoami
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:latest sudo whoami
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
Checking syslog, it looks to be apparmor blocking these calls:
tail -n 100 /var/log/syslog
2025-01-20T12:25:10.207489+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: eth0: renamed from veth8ec412c
2025-01-20T12:25:10.217579+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 4(veth9fa62ac) entered blocking state
2025-01-20T12:25:10.217601+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 4(veth9fa62ac) entered forwarding state
2025-01-20T12:25:10.219176+00:00 ubuntu-s-1vcpu-1gb-ams3-01 systemd-networkd[643]: veth9fa62ac: Gained carrier
2025-01-20T12:25:11.434009+00:00 ubuntu-s-1vcpu-1gb-ams3-01 systemd-networkd[643]: veth9fa62ac: Gained IPv6LL
2025-01-20T12:25:35.518478+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered blocking state
2025-01-20T12:25:35.518508+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered disabled state
2025-01-20T12:25:35.518511+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vethc5afc37: entered allmulticast mode
2025-01-20T12:25:35.518512+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vethc5afc37: entered promiscuous mode
2025-01-20T12:25:35.835778+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: eth0: renamed from veth7108517
2025-01-20T12:25:35.839663+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered blocking state
2025-01-20T12:25:35.839682+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered forwarding state
2025-01-20T12:25:36.017483+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: audit: type=1400 audit(1737375936.015:129): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=84777 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:25:36.101077+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered disabled state
2025-01-20T12:25:36.102616+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7108517: renamed from eth0
2025-01-20T12:25:36.114763+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered disabled state
2025-01-20T12:25:36.114782+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vethc5afc37 (unregistering): left allmulticast mode
2025-01-20T12:25:36.114784+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vethc5afc37 (unregistering): left promiscuous mode
2025-01-20T12:25:36.114786+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered disabled state
2025-01-20T12:25:53.657476+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered blocking state
2025-01-20T12:25:53.657495+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered disabled state
2025-01-20T12:25:53.657496+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7f83543: entered allmulticast mode
2025-01-20T12:25:53.657497+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7f83543: entered promiscuous mode
2025-01-20T12:25:53.886468+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: eth0: renamed from veth4c7a0fd
2025-01-20T12:25:53.889491+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered blocking state
2025-01-20T12:25:53.889508+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered forwarding state
2025-01-20T12:25:54.105489+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: audit: type=1400 audit(1737375954.103:130): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=84859 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:25:54.172473+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered disabled state
2025-01-20T12:25:54.172504+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth4c7a0fd: renamed from eth0
2025-01-20T12:25:54.186495+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered disabled state
2025-01-20T12:25:54.186514+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7f83543 (unregistering): left allmulticast mode
2025-01-20T12:25:54.186516+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7f83543 (unregistering): left promiscuous mode
2025-01-20T12:25:54.186518+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered disabled state
2025-01-20T12:26:05.074481+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered blocking state
2025-01-20T12:26:05.074499+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered disabled state
2025-01-20T12:26:05.074500+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7d3aef0: entered allmulticast mode
2025-01-20T12:26:05.074501+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7d3aef0: entered promiscuous mode
2025-01-20T12:26:05.283530+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: eth0: renamed from vetha46b3df
2025-01-20T12:26:05.287526+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered blocking state
2025-01-20T12:26:05.287554+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered forwarding state
2025-01-20T12:26:05.409485+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: audit: type=1400 audit(1737375965.407:131): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=84940 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:26:05.476518+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered disabled state
2025-01-20T12:26:05.476537+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vetha46b3df: renamed from eth0
2025-01-20T12:26:05.490473+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered disabled state
2025-01-20T12:26:05.491492+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7d3aef0 (unregistering): left allmulticast mode
2025-01-20T12:26:05.491507+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7d3aef0 (unregistering): left promiscuous mode
2025-01-20T12:26:05.491510+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered disabled state
Which makes me consider this could be similar to;
- https://github.com/moby/moby/issues/48734
And related to changes in Ubuntu no longer allowing "unconfined" processes, but requiring any process to be assigned a profile;
- https://github.com/moby/moby/pull/47749
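The syslog check in the comment above can be automated. The following is an added example, not part of the original thread or of any Docker or AppArmor tooling: it extracts `apparmor="DENIED"` audit records from syslog text and groups them by profile, command, operation, path and denied mask. The sample lines are copied from the excerpt above; the function names are chosen for this example, and the hex decoding of unquoted `name`/`comm`/`profile` values follows the kernel audit convention for strings containing special characters.

```python
import re
from collections import defaultdict

# Lines copied from the syslog excerpt in this thread: bridge events (noise)
# around the first denial, followed by the two later denials.
SAMPLE_SYSLOG = '''\
2025-01-20T12:25:35.839682+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered forwarding state
2025-01-20T12:25:36.017483+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: audit: type=1400 audit(1737375936.015:129): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=84777 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:25:36.101077+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered disabled state
2025-01-20T12:25:54.105489+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: audit: type=1400 audit(1737375954.103:130): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=84859 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:26:05.409485+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: audit: type=1400 audit(1737375965.407:131): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=84940 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
'''

# type=1400 is the AVC record type AppArmor uses; capture epoch, serial, body.
AUDIT_RE = re.compile(r"audit: type=1400 audit\((\d+\.\d+):(\d+)\): (.*)$")
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Fields logged as untrusted strings: bare (unquoted) values are hex-encoded.
HEX_FIELDS = {"name", "comm", "profile"}


def decode_audit_value(key, raw):
    """Strip quotes, or hex-decode a bare value of an untrusted-string field."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_FIELDS and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_denials(text):
    """Return one dict per AppArmor DENIED record found in syslog text."""
    denials = []
    for line in text.splitlines():
        match = AUDIT_RE.search(line)
        if not match:
            continue  # not an audit record (e.g. bridge/veth noise)
        epoch, serial, body = match.groups()
        fields = {k: decode_audit_value(k, v) for k, v in FIELD_RE.findall(body)}
        if fields.get("apparmor") != "DENIED":
            continue  # ALLOWED/AUDIT records are not failures
        fields["epoch"] = float(epoch)
        fields["serial"] = int(serial)
        if "pid" in fields:
            fields["pid"] = int(fields["pid"])
        denials.append(fields)
    return denials


def summarize(denials):
    """Group denials by (profile, comm, operation, name, denied_mask)."""
    groups = defaultdict(lambda: {"count": 0, "pids": []})
    for d in denials:
        key = tuple(d.get(k, "?") for k in
                    ("profile", "comm", "operation", "name", "denied_mask"))
        groups[key]["count"] += 1
        groups[key]["pids"].append(d.get("pid"))
    return dict(groups)


if __name__ == "__main__":
    for key, info in summarize(parse_denials(SAMPLE_SYSLOG)).items():
        profile, comm, op, name, mask = key
        print(f"{info['count']}x profile={profile} comm={comm} "
              f"{op} {name} denied={mask} pids={info['pids']}")
```

Run over the full `/var/log/syslog` of an affected host, the grouping makes it easy to see that every denial comes from the host's `unix-chkpwd` profile rather than from `docker-default`.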
Did some further testing;
:white_check_mark: Docker 27.5.0 on Docker Desktop works;
Kernel Version: 6.12.5-linuxkit
Operating System: Docker Desktop
:white_check_mark: Docker 27.5.0 on Ubuntu 20.04 works;
Kernel Version: 5.4.0-122-generic
Operating System: Ubuntu 20.04.4 LTS
:white_check_mark: Docker 27.5.0 on Ubuntu 22.04 works;
Kernel Version: 5.15.0-113-generic
Operating System: Ubuntu 22.04.4 LTS
:x: Docker 27.5.0 on Ubuntu 24.04 doesn't work;
Kernel Version: 6.8.0-51-generic
Operating System: Ubuntu 24.04.1 LTS
:x: Docker 27.5.0 on Ubuntu 24.10 doesn't work;
Kernel Version: 6.11.0-9-generic
Operating System: Ubuntu 24.10
Running sudo inside an Ubuntu container (inside the DIND container) also works;
docker run -it --quiet --rm ubuntu:24.04
# inside the container:
apt-get update && apt-get install -y sudo
sudo whoami
root
Location of the unix_chkpwd binary is the same, but setuid on it differs (shadow on Ubuntu, and root on Fedora);
docker run -it --quiet --rm ubuntu:24.04 sh -c 'command -v unix_chkpwd'
/usr/sbin/unix_chkpwd
docker run -it --quiet --rm ubuntu:24.04 ls -la /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 31040 May 2 2024 /usr/sbin/unix_chkpwd
docker run -it --quiet --rm registry.fedoraproject.org/fedora:41 sh -c 'command -v unix_chkpwd'
/usr/sbin/unix_chkpwd
docker run -it --quiet --rm registry.fedoraproject.org/fedora:41 ls -la /usr/sbin/unix_chkpwd
-rwsr-xr-x 1 root root 32560 Nov 25 00:00 /usr/sbin/unix_chkpwd
Comparing apparmor_status;
Ubuntu 20.04;
apparmor_status
apparmor module is loaded.
29 profiles are loaded.
29 profiles are in enforce mode.
/snap/snapd/16292/usr/lib/snapd/snap-confine
/snap/snapd/16292/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/tcpdump
/{,usr/}sbin/dhclient
docker-default
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.lxd
snap.lxd.activate
snap.lxd.benchmark
snap.lxd.buginfo
snap.lxd.check-kernel
snap.lxd.daemon
snap.lxd.hook.configure
snap.lxd.hook.install
snap.lxd.hook.remove
snap.lxd.lxc
snap.lxd.lxc-to-lxd
snap.lxd.lxd
snap.lxd.migrate
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Ubuntu 22.04;
apparmor_status
apparmor module is loaded.
40 profiles are loaded.
40 profiles are in enforce mode.
/snap/snapd/21759/usr/lib/snapd/snap-confine
/snap/snapd/21759/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/{,usr/}sbin/dhclient
docker-default
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.lxd
snap.lxd.activate
snap.lxd.benchmark
snap.lxd.buginfo
snap.lxd.check-kernel
snap.lxd.daemon
snap.lxd.hook.configure
snap.lxd.hook.install
snap.lxd.hook.remove
snap.lxd.lxc
snap.lxd.lxc-to-lxd
snap.lxd.lxd
snap.lxd.migrate
snap.lxd.user-daemon
tcpdump
ubuntu_pro_apt_news
ubuntu_pro_esm_cache
ubuntu_pro_esm_cache//apt_methods
ubuntu_pro_esm_cache//apt_methods_gpgv
ubuntu_pro_esm_cache//cloud_id
ubuntu_pro_esm_cache//dpkg
ubuntu_pro_esm_cache//ps
ubuntu_pro_esm_cache//ubuntu_distro_info
ubuntu_pro_esm_cache_systemctl
ubuntu_pro_esm_cache_systemd_detect_virt
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
Ubuntu 24.04:
apparmor_status
apparmor module is loaded.
120 profiles are loaded.
25 profiles are in enforce mode.
/usr/bin/man
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
docker-default
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
plasmashell
plasmashell//QtWebEngineProcess
rsyslogd
tcpdump
ubuntu_pro_apt_news
ubuntu_pro_esm_cache
ubuntu_pro_esm_cache//apt_methods
ubuntu_pro_esm_cache//apt_methods_gpgv
ubuntu_pro_esm_cache//cloud_id
ubuntu_pro_esm_cache//dpkg
ubuntu_pro_esm_cache//ps
ubuntu_pro_esm_cache//ubuntu_distro_info
ubuntu_pro_esm_cache_systemctl
ubuntu_pro_esm_cache_systemd_detect_virt
unix-chkpwd
unprivileged_userns
4 profiles are in complain mode.
transmission-cli
transmission-daemon
transmission-gtk
transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
91 profiles are in unconfined mode.
1password
Discord
MongoDB Compass
QtWebEngineProcess
balena-etcher
brave
buildah
busybox
cam
ch-checkns
ch-run
chrome
crun
devhelp
element-desktop
epiphany
evolution
firefox
flatpak
foliate
geary
github-desktop
goldendict
ipa_verify
kchmviewer
keybase
lc-compliance
libcamerify
linux-sandbox
loupe
lxc-attach
lxc-create
lxc-destroy
lxc-execute
lxc-stop
lxc-unshare
lxc-usernsexec
mmdebstrap
msedge
nautilus
notepadqq
obsidian
opam
opera
pageedit
podman
polypane
privacybrowser
qcam
qmapshack
qutebrowser
rootlesskit
rpm
rssguard
runc
sbuild
sbuild-abort
sbuild-adduser
sbuild-apt
sbuild-checkpackages
sbuild-clean
sbuild-createchroot
sbuild-destroychroot
sbuild-distupgrade
sbuild-hold
sbuild-shell
sbuild-unhold
sbuild-update
sbuild-upgrade
scide
signal-desktop
slack
slirp4netns
steam
stress-ng
surfshark
systemd-coredump
thunderbird
toybox
trinity
tup
tuxedo-control-center
userbindmount
uwsgi-core
vdens
virtiofsd
vivaldi-bin
vpnns
vscode
wike
wpcom
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/rsyslogd (890) rsyslogd
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
In Ubuntu 24.04, there are many more profiles loaded, and I see unix-chkpwd in there. Checking what it contains, that indeed looks like one that could block access:
cat /etc/apparmor.d/unix-chkpwd
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# The apparmor.d project comes with several variables and abstractions
# that are not part of upstream AppArmor yet. Therefore this profile was
# adopted to use abstractions and variables that are available.
# Copyright (C) Christian Boltz 2024
abi <abi/4.0>,
include <tunables/global>
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
include <abstractions/base>
include <abstractions/nameservice>
# To write records to the kernel auditing log.
capability audit_write,
network netlink raw,
/{,usr/}{,s}bin/unix_chkpwd mr,
/etc/shadow r,
# systemd userdb, used in nspawn
/run/host/userdb/*.user r,
/run/host/userdb/*.user-privileged r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/unix-chkpwd>
}
Can confirm this issue
building on 24.04 fails: https://github.com/gbraad-dotfiles/upstream/actions/runs/13344785502
building on 22.04 passes: https://github.com/gbraad-dotfiles/upstream/actions/runs/13344970015
This is only observed for Fedora. However, in my case I build with podman build on the system. So this looks more like an issue with the base image, something like apparmor or so.
Note: I do see AppArmor can cause issues: https://github.com/actions/runner-images/issues/10015
this did not fix it for me: https://github.com/gbraad-dotfiles/upstream/actions/runs/13345046803/job/37274475030
Note 2: This is an issue with the permissions for the file /etc/shadow:
# fix for PAM/SSH
RUN chmod 0640 /etc/shadow
It seems I had fixed this before in https://github.com/gbraad-devenv/fedora/commit/2a1a4063670353f29e96f764c871705448af0d29 and can confirm this works in: https://github.com/gbraad-dotfiles/upstream/actions/runs/13345214428
This is an issue with the Fedora image; this was not a problem for F40. A regression for F41. Can also confirm that my colleague had the same issue for another build process: https://github.com/praveenkumar/minp/commit/6ef284d93aec442aa478242cb5b35818610b6585
This "simple container" may not have sudo installed, to begin with, which means directory /etc/sudoers.d may not even exist.
And in case the directory should exist, this would be > to create the file, not >> to append to some file, which does not exist.
This is not a bug, but a typo. For example (known to be working with rpmbuild), where the filename also must not have a dot:
RUN echo '%docker ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/docker
And it's probably more like this, to get any output:
ENTRYPOINT [ "sudo", "whoami" ]
In order to synchronize the GID and UID, one has to pass them as build-args.
The mere downside is, that build-args are not available for docker run ...
- shell: bash
  id: setup
  run: |
    echo "RUNNER_GID=$(id -g)" >> "$GITHUB_OUTPUT"
    echo "RUNNER_UID=$(id -u)" >> "$GITHUB_OUTPUT"
- uses: 'docker/build-push-action@v6'
  with:
    ...
    build-args: |
      RUNNER_GID=${{ STEPS.SETUP.OUTPUTS.RUNNER_GID }}
      RUNNER_UID=${{ STEPS.SETUP.OUTPUTS.RUNNER_UID }}
To be picked up in Dockerfile with:
ARG RUNNER_GID="118"
ARG RUNNER_UID="1001"
ENV GID="${RUNNER_GID}"
ENV UID="${RUNNER_UID}"
This might even make sense as default build-args for docker/setup-buildx-action, because it's boilerplate code.
The UID of the GitHub runner is always 1001, but from what I've seen, the GID seems to vary from 117 to 118.
This "simple container" may not have sudo installed, to begin with, which means directory /etc/sudoers.d may not even exist. And in case the directory should exist, this would be > to create the file, not >> to append to some file, which does not exist. This is not a bug, but a typo.
fedora:latest comes with sudo pre-installed and >> creates if the file doesn't exist and would fail with a permission, not a PAM, error if the directory wasn't there.
Either way, it also fails with the simpler case:
RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
(https://github.com/junghans/test-actions/actions/runs/14453722375)
I didn't try if importing the GID helps.
Hi, I ran into this issue (see linked PR above) in my own github action and resolved it using the following patch:
- name: Edit apparmor profile for unix-chkpwd
  run: |
    sudo sed -i 's/capability audit_write,$/&\n # fix: read shadow permissions (linux-pam#686)\n capability dac_read_search,/' /etc/apparmor.d/unix-chkpwd
    sudo apparmor_parser -r /etc/apparmor.d/unix-chkpwd
Explanation (not mine): https://www.tunbury.org/2025/05/13/ubuntu-apparmor/ , but fix that's preferable to disabling the rule altogether (which this implements in gha as a workaround): https://github.com/AOSC-Tracking/apparmor/commit/556396a172d09ea032404c7b346f4cf54a949a4e
I don't know if you want a patch like this in the github action itself, or if you prefer to leave this as a workaround for people to reference themselves since it is a bit out of scope of the actual action itself and hopefully will be resolved upstream. But if you'd like it included I can submit a PR.
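Added example, not part of any comment in this thread and not the action's own code: a shell sketch that ties the two workarounds above together (`chmod 0640 /etc/shadow` in the image, and adding `capability dac_read_search` to the host's unix-chkpwd profile) and applies the profile edit idempotently, so a re-run does not insert the rule twice. The function names are hypothetical, the profile text is a constructed sample built from the profile quoted earlier, and it assumes the image ships `/etc/shadow` without an owner read bit, which is the case the `chmod 0640` workaround addresses.

```shell
#!/bin/sh
# Added example: operates on a constructed profile copy, not /etc/apparmor.d.

# Constructed sample holding the rule lines of the profile quoted in the thread.
write_sample_profile() {
    cat > "$1" <<'EOF'
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
  include <abstractions/base>
  # To write records to the kernel auditing log.
  capability audit_write,
  network netlink raw,
  /etc/shadow r,
}
EOF
}

# True when the owner read bit (0400) is clear, so even root needs
# CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE to open the file.
needs_dac_capability() {
    [ $(( 0$1 & 0400 )) -eq 0 ]
}

# True when the profile grants a capability that bypasses file read checks.
profile_grants_dac() {
    grep -Eq '^[[:space:]]*capability[[:space:]]+([a-z_]+[[:space:]]+)*dac_(read_search|override)' "$1"
}

# Idempotently add "capability dac_read_search," after "capability audit_write,".
# Prints "patched" or "unchanged"; returns 1 if the anchor line is missing.
patch_profile() {
    if profile_grants_dac "$1"; then echo unchanged; return 0; fi
    grep -Eq '^[[:space:]]*capability audit_write,[[:space:]]*$' "$1" || return 1
    awk '{ print }
         /^[ \t]*capability audit_write,[ \t]*$/ {
             indent = $0; sub(/capability.*/, "", indent)
             print indent "# fix: read shadow permissions (linux-pam#686)"
             print indent "capability dac_read_search,"
         }' "$1" > "$1.new" && mv "$1.new" "$1"
    echo patched
}

# Demo on the constructed copy; on a runner the real file needs sudo and
# "apparmor_parser -r" afterwards, as in the workflow step above.
demo=$(mktemp)
write_sample_profile "$demo"
needs_dac_capability 0000 && echo "mode 0000: read needs a DAC capability"
needs_dac_capability 0640 || echo "mode 0640: owner read bit set, no capability needed"
patch_profile "$demo"    # prints: patched
patch_profile "$demo"    # prints: unchanged
rm -f "$demo"
```

Of the two workarounds, the profile edit leaves the image's `/etc/shadow` mode untouched, while `chmod 0640` makes the file readable by its group inside the image.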