Centos 7 docker has sudo issue (keeps on saying incorrect sudo password) on Fedora 35 host (works on Fedora 34)?

Hello everyone,

So I installed a fresh Fedora 35 in a VM for testing. Now when I spin up a CentOS 7 docker container, su into $USER (which is the same as my host user I passed to the container), run sudo, and type in my sudo password, it keeps complaining about an incorrect password. I made sure I am typing it right and it keeps saying that. Has anything changed between F34 and F35 to do that?

I'm using moby-engine and these are the volumes I passed to my container:

```bash
#!/bin/bash

xhost +local:root

# Create the internal host-only bridge network if it does not exist yet
if ! docker network ls | grep -q hostonly; then
    echo Create host-only network for docker
    docker network create -d bridge --internal hostonly
fi

#user should be a member of video and render to get full access to gpu

#export XAUTH_PROTO=$(xauth list | grep "$(hostname -s)" | grep :0 | tail -1 | cut -d' ' -f3)
#export XAUTH_KEY=$(xauth list | grep "$(hostname -s)" | grep :0 | tail -1 | cut -d' ' -f5)
#Do xauth list | grep unix:0
#inside docker shell xauth add :0 MIT-MAGIC... digest..

IMAGE=c7-systemd:latest

GIDS=( $(id -G) ) #All of my groups
unset 'GIDS[0]'   #remove primary group

for g in "${GIDS[@]}"
do
    G+=" --group-add=$g"
done

#RM=""
RM=" --rm "

U=""
#U=" --user $(id -u):$(id -g) $G"

# Host account databases are mounted read-only into the container,
# so the container authenticates against the host's password hashes.
VOLS=' --volume=/etc/group:/etc/group:ro '
VOLS+='--volume=/etc/passwd:/etc/passwd:ro '
VOLS+='--volume=/etc/shadow:/etc/shadow:ro '
VOLS+='--volume=/etc/sudoers.d:/etc/sudoers.d:ro '
VOLS+='--volume=/tmp/.X11-unix:/tmp/.X11-unix:rw '
VOLS+="--volume=/home/.docker-home/CentOS-7-x86_64/home/:/home "
VOLS+="--volume=/home/.docker-home/CentOS-7-x86_64/root/:/root "
VOLS+='--volume=/opt/.docker-opt/CentOS-7-x86_64:/opt '
VOLS+='--volume=/run/media/ai-fe:/mnt '
VOLS+="--device=/dev/dri "
VOLS+="--device=/dev/snd "
VOLS+="--device=/dev/vga_arbiter "

# Pass through every NVIDIA device node that exists on the host
NVS=( $(ls /dev/nvidia* 2>/dev/null) )
for N in "${NVS[@]}"
do
    VOLS+="--device=$N "
done

NET='--network=host '

# $RM, $U, $VOLS and $NET are left unquoted on purpose so they split into separate options
docker run $RM -it --cap-add=SYS_ADMIN --cap-add=SYS_PTRACE \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro --log-driver none --shm-size=1g \
    --ulimit nofile=262144:262144 $U \
    --env="DISPLAY" --env="XAUTHORITY=$XAUTHORITY" --env="XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR" \
    $VOLS -w="/home/${USER}" --ipc="host" $NET \
    --hostname="localhost" --name="CentOS7" ${IMAGE} /usr/sbin/init
# EOF
```

This works fine in Fedora 34. I'm testing on a Fedora 35 VM before I commit to an upgrade. So hopefully someone might have a solution here?

Thanks

Fedora 35 uses yescrypt for password hashes. CentOS doesn’t support it. At least not by default. If you can figure out how to make CentOS support this algorithm, you can install the necessary dependencies in the base image. The other solution could be changing the algorithm on the host for the user you want to use in the container.

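To check the diagnosis in the answer above, here is an added example (not part of the thread) that reads shadow-format lines and lists the accounts whose hash scheme the container cannot verify. The function names and sample entries are constructed, and it assumes the crypt() in CentOS 7 verifies only the md5crypt, sha256crypt and sha512crypt prefix schemes.

```shell
#!/bin/sh
# Classify a shadow(5) password field by its crypt(3) prefix.
hash_scheme() {
    hs_f=${1#\!}            # a leading "!" marks a locked password; look past it
    hs_f=${hs_f#\!}         # some tools write "!!"
    case "$hs_f" in
        ''|'*')          echo none ;;          # no usable password hash
        '$y$'*)          echo yescrypt ;;      # Fedora 35 default
        '$2'[abxy]'$'*)  echo bcrypt ;;
        '$6$'*)          echo sha512crypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$1$'*)          echo md5crypt ;;
        *)               echo other ;;         # unprefixed or unrecognised: review by hand
    esac
}

# Assumption: schemes the CentOS 7 crypt() can verify (see lead-in).
c7_can_verify() {
    case "$1" in
        sha512crypt|sha256crypt|md5crypt) return 0 ;;
        *) return 1 ;;
    esac
}

# Read shadow-format lines on stdin; print "user:scheme" for every account
# whose password the container would reject even when typed correctly.
unverifiable_users() {
    while IFS=: read -r uu_user uu_field uu_rest; do
        [ -n "$uu_user" ] || continue
        uu_scheme=$(hash_scheme "$uu_field")
        [ "$uu_scheme" = none ] && continue
        c7_can_verify "$uu_scheme" || echo "$uu_user:$uu_scheme"
    done
}

# Constructed sample entries; the salt and hash strings are placeholders.
sample_shadow() {
    cat <<'EOF'
alice:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:19000:0:99999:7:::
bob:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:18800:0:99999:7:::
svc:!!:18800::::::
EOF
}

sample_shadow | unverifiable_users
```

On a real host, feed it the file that gets bind-mounted, for example `unverifiable_users < /etc/shadow` as root; any account it prints will fail sudo inside the container regardless of the password typed.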

That makes sense, would you know how I would get yescrypt in CentOS-7?

I found this page: GitHub - besser82/libxcrypt: Extended crypt library for descrypt, md5crypt, bcrypt, and others

Will building this from source help?

Thank you :blush:

I don’t know. I tried to make yescrypt work in a CentOS 8 container, because that supports “libxcrypt” from the CentOS repository, but it didn’t help. It probably requires additional configuration.

I tried and it did not work. I don't think even building from source includes a tool to be able to rehash the password set in the host. I have read that yescrypt hashes any new password, so I'm gonna see, if I do an upgrade from F34 to F35, whether the user created in F34 works in F35 inside the container. Otherwise, I just had luck removing the volumes for passwd, shadow, sudoer, group and creating my own user inside the container. I am only using CentOS-7 purely for its libraries for commercial CFD solvers. Creating a different user inside the container isn’t that big of a deal, I guess.

Thank You