
Unable to run sudo on 40 or 41 containers if --privileged is present #117

Open
jsf9k opened this issue Dec 18, 2024 · 6 comments
Comments

jsf9k commented Dec 18, 2024

On my local machine (Arch) I can run these four commands just fine:

$ docker run -it fedora:40 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

$ docker run -it --privileged fedora:40 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

$ docker run -it fedora:41 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

$ docker run -it --privileged fedora:41 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

On Ubuntu 24.04 (GitHub runner), though, I get errors running sudo if the containers are started with the --privileged flag:

$ docker run -it fedora:40 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

$ docker run -it --privileged fedora:40 sudo ls
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required

$ docker run -it fedora:41 sudo ls
afs  boot  etc   lib    media  opt   root  sbin  sys  usr
bin  dev   home  lib64  mnt    proc  run   srv   tmp  var

$ docker run -it --privileged fedora:41 sudo ls
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required

In both cases I pulled fresh containers using docker pull.

We use these containers together with Molecule to test Ansible roles, and this is causing all our Fedora tests to break in GitHub Actions even though the same tests pass locally.

Does anyone have any idea what is going on? I believe this started happening about four days ago.

jsf9k (Author) commented Dec 18, 2024

One other thing I noticed is that the --privileged containers on the GitHub runner allow sudo if I manually change the permissions on /etc/shadow and /etc/shadow- to 0644. (By default the file permissions are set to 0000.) This doesn't explain why it works with the default file permissions on my local machine, but perhaps it is a clue.

jsf9k (Author) commented Dec 18, 2024

I did try upgrading all available packages on the GitHub runner, but that did not fix the issue. I have also upgraded all available packages inside the containers. No dice.

jsf9k (Author) commented Dec 19, 2024

Another clue - when I run a command like sudo ls from inside the container I see output similar to the following in journalctl -xe:

Dec 17 22:41:01 fedora41-systemd-amd64 unix_chkpwd[486]: could not obtain user info (root)
Dec 17 22:41:01 fedora41-systemd-amd64 sudo[485]:     root : PAM account management error: Authentication service cannot retrieve authentication info ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/ls
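A triage helper for the two clues above (the mode-0000 /etc/shadow and the unix_chkpwd "could not obtain user info" error), added here and not part of the issue: run it inside a Fedora container started with and without --privileged and diff the two reports. It records the /etc/shadow mode, decodes the CapEff mask from /proc/self/status for the two DAC capabilities that let root read a mode-0000 file, and captures the result of a non-interactive sudo; it assumes stat, awk and sudo are present in the image.

```shell
#!/bin/sh
# Added triage helper (not from the issue): run as `sh triage.sh run`
# inside a container started with and without --privileged, then diff
# the two reports. Assumes stat, awk and sudo exist in the image.

# cap_bit_set MASK BIT: succeed if bit BIT is set in the hex capability
# mask MASK (the value after "CapEff:" in /proc/self/status).
cap_bit_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# report_caps MASK: print yes/no for the two capabilities that allow root
# to read a mode-0000 file (bit numbers from linux/capability.h).
report_caps() {
    echo "CAP_DAC_OVERRIDE    (bit 1): $(cap_bit_set "$1" 1 && echo yes || echo no)"
    echo "CAP_DAC_READ_SEARCH (bit 2): $(cap_bit_set "$1" 2 && echo yes || echo no)"
}

# shadow_mode_note MODE: describe the octal mode printed by `stat -c %a`;
# the thread reports 0000 (shown by stat as "0") as the Fedora default.
shadow_mode_note() {
    case "$1" in
        0|0000) echo "mode 0000: readable only via DAC capabilities" ;;
        *)      echo "mode $1" ;;
    esac
}

# triage: collect the facts the thread discusses, in a diff-friendly form.
triage() {
    echo "== id =="; id
    echo "== /etc/shadow =="
    shadow_mode_note "$(stat -c %a /etc/shadow 2>/dev/null || echo unknown)"
    echo "== CapEff =="
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    echo "mask: $mask"
    report_caps "$mask"
    echo "== sudo -n true =="
    if err=$(sudo -n true 2>&1); then echo "sudo ok"; else echo "sudo failed: $err"; fi
}

# Only collect when invoked with "run", so the functions can be sourced safely.
if [ "${1:-}" = run ]; then triage; fi
```

Comparing the CapEff and /etc/shadow sections of the two reports shows whether the privileged run differs in the facts that PAM's unix_chkpwd depends on, which is the first thing to rule in or out before looking at the host.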

jsf9k (Author) commented Dec 19, 2024

I posted the same information in an issue in RedHat's Bugzilla page.

cverna (Collaborator) commented Dec 23, 2024

It looks like this is working correctly running from Fedora.

╭─cverna@cverna-mac ~
╰─$ podman run -it --rm  --privileged quay.io/fedora/fedora:41 sudo ls
afs  bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
╭─cverna@cverna-mac ~
╰─$ podman run -it --rm  --privileged registry.fedoraproject.org/fedora:41 sudo ls
Trying to pull registry.fedoraproject.org/fedora:41...
Getting image source signatures
Copying blob sha256:3a5dcf98433267d8eceeac94cb2c6503c515e0d201cc861c970f90d075b55778
Copying config sha256:8d47c27dd42afc7ad103009dca52f01262ee072cc9a1779a930eef949f90e011
Writing manifest to image destination
afs  bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

Going to try to run an Ubuntu VM to investigate.

jsf9k (Author) commented Dec 30, 2024

I was able to reproduce this on a Raspberry Pi 5 running a fresh install of Ubuntu 24.04 Server (SD card created using rpi-imager) after installing the official Docker packages as described here.

I also verified that the same issue occurs whether I pull the images from Docker Hub or registry.fedoraproject.org.
