PAM error inside buildx #1302

Open
junghans opened this issue Jan 17, 2025 · 12 comments

junghans commented Jan 17, 2025

Contributing guidelines

I've found a bug, and:

  • The documentation does not mention anything about my problem
  • There are no open or closed issues that are related to my problem

Description

Imagine a simple container like:

FROM registry.fedoraproject.org/fedora:latest

RUN useradd -m -G wheel -u 1001 user
RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user

USER user
WORKDIR /home/user
RUN sudo whoami

This will fail with a PAM error.

Expected behaviour

sudo executes successfully in the container.

Actual behaviour

sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required

Repository URL

https://github.com/junghans/test-actions/tree/PAM_error

Workflow run URL

https://github.com/junghans/test-actions/actions/runs/12834771076

YAML workflow

name: CI
on:
  push:
    branches:
      - master
      - PAM_error
  pull_request:
    branches:
      - master

concurrency:
  group: ${{ github.event_name }}-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  CI:
    runs-on: ubuntu-latest
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Checkout code    
        uses: actions/checkout@v4
      - name: Build and Push Docker images for all Container Registries
        uses: docker/build-push-action@v6
        with:
          file: Dockerfile 
          pull: true
          push: false

Workflow logs

Full log
2025-01-17T18:29:17.6827427Z Current runner version: '2.321.0'
2025-01-17T18:29:17.6853609Z ##[group]Operating System
2025-01-17T18:29:17.6854514Z Ubuntu
2025-01-17T18:29:17.6855046Z 24.04.1
2025-01-17T18:29:17.6855496Z LTS
2025-01-17T18:29:17.6856044Z ##[endgroup]
2025-01-17T18:29:17.6856526Z ##[group]Runner Image
2025-01-17T18:29:17.6857094Z Image: ubuntu-24.04
2025-01-17T18:29:17.6857721Z Version: 20250105.1.0
2025-01-17T18:29:17.6858761Z Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250105.1/images/ubuntu/Ubuntu2404-Readme.md
2025-01-17T18:29:17.6860073Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250105.1
2025-01-17T18:29:17.6861033Z ##[endgroup]
2025-01-17T18:29:17.6861561Z ##[group]Runner Image Provisioner
2025-01-17T18:29:17.6862093Z 2.0.417.1
2025-01-17T18:29:17.6862636Z ##[endgroup]
2025-01-17T18:29:17.6865193Z ##[group]GITHUB_TOKEN Permissions
2025-01-17T18:29:17.6867251Z Actions: write
2025-01-17T18:29:17.6868033Z Attestations: write
2025-01-17T18:29:17.6868693Z Checks: write
2025-01-17T18:29:17.6869206Z Contents: write
2025-01-17T18:29:17.6869660Z Deployments: write
2025-01-17T18:29:17.6870259Z Discussions: write
2025-01-17T18:29:17.6870755Z Issues: write
2025-01-17T18:29:17.6871187Z Metadata: read
2025-01-17T18:29:17.6871760Z Packages: write
2025-01-17T18:29:17.6872263Z Pages: write
2025-01-17T18:29:17.6872703Z PullRequests: write
2025-01-17T18:29:17.6873905Z RepositoryProjects: write
2025-01-17T18:29:17.6874502Z SecurityEvents: write
2025-01-17T18:29:17.6874971Z Statuses: write
2025-01-17T18:29:17.6875562Z ##[endgroup]
2025-01-17T18:29:17.6878592Z Secret source: Actions
2025-01-17T18:29:17.6879262Z Prepare workflow directory
2025-01-17T18:29:17.7196652Z Prepare all required actions
2025-01-17T18:29:17.7233963Z Getting action download info
2025-01-17T18:29:17.9507744Z Download action repository 'docker/setup-buildx-action@v3' (SHA:6524bf65af31da8d45b59e8c27de4bd072b392f5)
2025-01-17T18:29:18.6524205Z Download action repository 'actions/checkout@v4' (SHA:11bd71901bbe5b1630ceea73d27597364c9af683)
2025-01-17T18:29:18.6888986Z Download action repository 'docker/build-push-action@v6' (SHA:67a2d409c0a876cbe6b11854e3e25193efe4e62d)
2025-01-17T18:29:19.3939832Z Complete job name: CI
2025-01-17T18:29:19.4697209Z ##[group]Run docker/setup-buildx-action@v3
2025-01-17T18:29:19.4698686Z with:
2025-01-17T18:29:19.4699462Z   driver: docker-container
2025-01-17T18:29:19.4700372Z   install: false
2025-01-17T18:29:19.4701164Z   use: true
2025-01-17T18:29:19.4701973Z   cache-binary: true
2025-01-17T18:29:19.4702810Z   cleanup: true
2025-01-17T18:29:19.4704305Z ##[endgroup]
2025-01-17T18:29:19.7961474Z ##[group]Docker info
2025-01-17T18:29:19.7967267Z [command]/usr/bin/docker version
2025-01-17T18:29:19.8654982Z Client: Docker Engine - Community
2025-01-17T18:29:19.8657037Z  Version:           26.1.3
2025-01-17T18:29:19.8665076Z  API version:       1.45
2025-01-17T18:29:19.8666686Z  Go version:        go1.21.10
2025-01-17T18:29:19.8668214Z  Git commit:        b72abbb
2025-01-17T18:29:19.8669762Z  Built:             Thu May 16 08:33:35 2024
2025-01-17T18:29:19.8671464Z  OS/Arch:           linux/amd64
2025-01-17T18:29:19.8672547Z  Context:           default
2025-01-17T18:29:19.8673108Z 
2025-01-17T18:29:19.8673822Z Server: Docker Engine - Community
2025-01-17T18:29:19.8674834Z  Engine:
2025-01-17T18:29:19.8675548Z   Version:          26.1.3
2025-01-17T18:29:19.8676487Z   API version:      1.45 (minimum version 1.24)
2025-01-17T18:29:19.8677566Z   Go version:       go1.21.10
2025-01-17T18:29:19.8678459Z   Git commit:       8e96db1
2025-01-17T18:29:19.8679393Z   Built:            Thu May 16 08:33:35 2024
2025-01-17T18:29:19.8680397Z   OS/Arch:          linux/amd64
2025-01-17T18:29:19.8681331Z   Experimental:     false
2025-01-17T18:29:19.8682196Z  containerd:
2025-01-17T18:29:19.8682940Z   Version:          1.7.24
2025-01-17T18:29:19.8684603Z   GitCommit:        88bf19b2105c8b17560993bee28a01ddc2f97182
2025-01-17T18:29:19.8685802Z  runc:
2025-01-17T18:29:19.8686506Z   Version:          1.2.2
2025-01-17T18:29:19.8687717Z   GitCommit:        v1.2.2-0-g7cb3632
2025-01-17T18:29:19.8688703Z  docker-init:
2025-01-17T18:29:19.8689452Z   Version:          0.19.0
2025-01-17T18:29:19.8690329Z   GitCommit:        de40ad0
2025-01-17T18:29:19.8727309Z [command]/usr/bin/docker info
2025-01-17T18:29:20.0721464Z Client: Docker Engine - Community
2025-01-17T18:29:20.0725153Z  Version:    26.1.3
2025-01-17T18:29:20.0726377Z  Context:    default
2025-01-17T18:29:20.0727577Z  Debug Mode: false
2025-01-17T18:29:20.0728753Z  Plugins:
2025-01-17T18:29:20.0729918Z   buildx: Docker Buildx (Docker Inc.)
2025-01-17T18:29:20.0731506Z     Version:  v0.19.3
2025-01-17T18:29:20.0733060Z     Path:     /usr/libexec/docker/cli-plugins/docker-buildx
2025-01-17T18:29:20.0735318Z   compose: Docker Compose (Docker Inc.)
2025-01-17T18:29:20.0737020Z     Version:  v2.27.1
2025-01-17T18:29:20.0738507Z     Path:     /usr/libexec/docker/cli-plugins/docker-compose
2025-01-17T18:29:20.0739854Z 
2025-01-17T18:29:20.0740349Z Server:
2025-01-17T18:29:20.0741525Z  Containers: 0
2025-01-17T18:29:20.0742409Z   Running: 0
2025-01-17T18:29:20.0743617Z   Paused: 0
2025-01-17T18:29:20.0744774Z   Stopped: 0
2025-01-17T18:29:20.0745970Z  Images: 0
2025-01-17T18:29:20.0747148Z  Server Version: 26.1.3
2025-01-17T18:29:20.0748566Z  Storage Driver: overlay2
2025-01-17T18:29:20.0750089Z   Backing Filesystem: extfs
2025-01-17T18:29:20.0751611Z   Supports d_type: true
2025-01-17T18:29:20.0753072Z   Using metacopy: false
2025-01-17T18:29:20.0754745Z   Native Overlay Diff: false
2025-01-17T18:29:20.0756269Z   userxattr: false
2025-01-17T18:29:20.0757638Z  Logging Driver: json-file
2025-01-17T18:29:20.0759189Z  Cgroup Driver: systemd
2025-01-17T18:29:20.0760618Z  Cgroup Version: 2
2025-01-17T18:29:20.0761913Z  Plugins:
2025-01-17T18:29:20.0763171Z   Volume: local
2025-01-17T18:29:20.0764865Z   Network: bridge host ipvlan macvlan null overlay
2025-01-17T18:29:20.0767441Z   Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
2025-01-17T18:29:20.0769815Z  Swarm: inactive
2025-01-17T18:29:20.0771230Z  Runtimes: runc io.containerd.runc.v2
2025-01-17T18:29:20.0772952Z  Default Runtime: runc
2025-01-17T18:29:20.0774793Z  Init Binary: docker-init
2025-01-17T18:29:20.0777191Z  containerd version: 88bf19b2105c8b17560993bee28a01ddc2f97182
2025-01-17T18:29:20.0779380Z  runc version: v1.2.2-0-g7cb3632
2025-01-17T18:29:20.0780958Z  init version: de40ad0
2025-01-17T18:29:20.0782318Z  Security Options:
2025-01-17T18:29:20.0783708Z   apparmor
2025-01-17T18:29:20.0784824Z   seccomp
2025-01-17T18:29:20.0785955Z    Profile: builtin
2025-01-17T18:29:20.0787190Z   cgroupns
2025-01-17T18:29:20.0788269Z  Kernel Version: 6.8.0-1017-azure
2025-01-17T18:29:20.0789813Z  Operating System: Ubuntu 24.04.1 LTS
2025-01-17T18:29:20.0791314Z  OSType: linux
2025-01-17T18:29:20.0792435Z  Architecture: x86_64
2025-01-17T18:29:20.0793811Z  CPUs: 4
2025-01-17T18:29:20.0794673Z  Total Memory: 15.62GiB
2025-01-17T18:29:20.0795485Z  Name: fv-az1377-715
2025-01-17T18:29:20.0796304Z  ID: fac863d2-75be-4525-b213-ce36ebbd9960
2025-01-17T18:29:20.0797322Z  Docker Root Dir: /var/lib/docker
2025-01-17T18:29:20.0798220Z  Debug Mode: false
2025-01-17T18:29:20.0799010Z  Username: githubactions
2025-01-17T18:29:20.0799838Z  Experimental: false
2025-01-17T18:29:20.0800616Z  Insecure Registries:
2025-01-17T18:29:20.0801369Z   127.0.0.0/8
2025-01-17T18:29:20.0802079Z  Live Restore Enabled: false
2025-01-17T18:29:20.0802637Z 
2025-01-17T18:29:20.0804270Z ##[endgroup]
2025-01-17T18:29:20.1405805Z ##[group]Buildx version
2025-01-17T18:29:20.1432122Z [command]/usr/bin/docker buildx version
2025-01-17T18:29:20.1829965Z github.com/docker/buildx v0.19.3 48d6a3927a14668da1a0c4439a6d454a3abbdf05
2025-01-17T18:29:20.1859599Z ##[endgroup]
2025-01-17T18:29:20.2028531Z ##[group]Inspecting default docker context
2025-01-17T18:29:20.2170376Z [
2025-01-17T18:29:20.2171630Z   {
2025-01-17T18:29:20.2172724Z     "Name": "default",
2025-01-17T18:29:20.2174318Z     "Metadata": {},
2025-01-17T18:29:20.2175619Z     "Endpoints": {
2025-01-17T18:29:20.2177338Z       "docker": {
2025-01-17T18:29:20.2178728Z         "Host": "unix:///var/run/docker.sock",
2025-01-17T18:29:20.2180514Z         "SkipTLSVerify": false
2025-01-17T18:29:20.2181991Z       }
2025-01-17T18:29:20.2183163Z     },
2025-01-17T18:29:20.2184556Z     "TLSMaterial": {},
2025-01-17T18:29:20.2185993Z     "Storage": {
2025-01-17T18:29:20.2187457Z       "MetadataPath": "<IN MEMORY>",
2025-01-17T18:29:20.2189275Z       "TLSPath": "<IN MEMORY>"
2025-01-17T18:29:20.2190816Z     }
2025-01-17T18:29:20.2191938Z   }
2025-01-17T18:29:20.2193037Z ]
2025-01-17T18:29:20.2195381Z ##[endgroup]
2025-01-17T18:29:20.2197636Z ##[group]Creating a new builder instance
2025-01-17T18:29:20.2787082Z [command]/usr/bin/docker buildx create --name builder-7764b229-6772-4d87-9422-87cbaee29d6b --driver docker-container --buildkitd-flags --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host --use
2025-01-17T18:29:20.3292006Z builder-7764b229-6772-4d87-9422-87cbaee29d6b
2025-01-17T18:29:20.3323921Z ##[endgroup]
2025-01-17T18:29:20.3325239Z ##[group]Booting builder
2025-01-17T18:29:20.3359256Z [command]/usr/bin/docker buildx inspect --bootstrap --builder builder-7764b229-6772-4d87-9422-87cbaee29d6b
2025-01-17T18:29:20.3763949Z #1 [internal] booting buildkit
2025-01-17T18:29:20.5267811Z #1 pulling image moby/buildkit:buildx-stable-1
2025-01-17T18:29:23.5915717Z #1 pulling image moby/buildkit:buildx-stable-1 3.2s done
2025-01-17T18:29:23.7418248Z #1 creating container buildx_buildkit_builder-7764b229-6772-4d87-9422-87cbaee29d6b0
2025-01-17T18:29:23.8712151Z #1 creating container buildx_buildkit_builder-7764b229-6772-4d87-9422-87cbaee29d6b0 0.3s done
2025-01-17T18:29:23.8732594Z #1 DONE 3.5s
2025-01-17T18:29:23.9052560Z Name:          builder-7764b229-6772-4d87-9422-87cbaee29d6b
2025-01-17T18:29:23.9053811Z Driver:        docker-container
2025-01-17T18:29:23.9054341Z Last Activity: 2025-01-17 18:29:20 +0000 UTC
2025-01-17T18:29:23.9054700Z 
2025-01-17T18:29:23.9054860Z Nodes:
2025-01-17T18:29:23.9055378Z Name:                  builder-7764b229-6772-4d87-9422-87cbaee29d6b0
2025-01-17T18:29:23.9056002Z Endpoint:              unix:///var/run/docker.sock
2025-01-17T18:29:23.9057140Z Status:                running
2025-01-17T18:29:23.9058082Z BuildKit daemon flags: --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
2025-01-17T18:29:23.9058956Z BuildKit version:      v0.18.2
2025-01-17T18:29:23.9059362Z Platforms:             linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
2025-01-17T18:29:23.9059880Z Labels:
2025-01-17T18:29:23.9060164Z  org.mobyproject.buildkit.worker.executor:         oci
2025-01-17T18:29:23.9060626Z  org.mobyproject.buildkit.worker.hostname:         c379043b8b5a
2025-01-17T18:29:23.9061093Z  org.mobyproject.buildkit.worker.network:          host
2025-01-17T18:29:23.9061523Z  org.mobyproject.buildkit.worker.oci.process-mode: sandbox
2025-01-17T18:29:23.9061965Z  org.mobyproject.buildkit.worker.selinux.enabled:  false
2025-01-17T18:29:23.9062429Z  org.mobyproject.buildkit.worker.snapshotter:      overlayfs
2025-01-17T18:29:23.9062815Z GC Policy rule#0:
2025-01-17T18:29:23.9063071Z  All:            false
2025-01-17T18:29:23.9063732Z  Filters:        type==source.local,type==exec.cachemount,type==source.git.checkout
2025-01-17T18:29:23.9064159Z  Keep Duration:  48h0m0s
2025-01-17T18:29:23.9064429Z  Max Used Space: 488.3MiB
2025-01-17T18:29:23.9064686Z GC Policy rule#1:
2025-01-17T18:29:23.9064922Z  All:            false
2025-01-17T18:29:23.9065296Z  Keep Duration:  1440h0m0s
2025-01-17T18:29:23.9065582Z  Reserved Space: 7.451GiB
2025-01-17T18:29:23.9065870Z  Max Used Space: 54.02GiB
2025-01-17T18:29:23.9066121Z  Min Free Space: 13.97GiB
2025-01-17T18:29:23.9066366Z GC Policy rule#2:
2025-01-17T18:29:23.9066613Z  All:            false
2025-01-17T18:29:23.9066850Z  Reserved Space: 7.451GiB
2025-01-17T18:29:23.9067097Z  Max Used Space: 54.02GiB
2025-01-17T18:29:23.9067341Z  Min Free Space: 13.97GiB
2025-01-17T18:29:23.9067582Z GC Policy rule#3:
2025-01-17T18:29:23.9068043Z  All:            true
2025-01-17T18:29:23.9068278Z  Reserved Space: 7.451GiB
2025-01-17T18:29:23.9068527Z  Max Used Space: 54.02GiB
2025-01-17T18:29:23.9068780Z  Min Free Space: 13.97GiB
2025-01-17T18:29:23.9102908Z ##[endgroup]
2025-01-17T18:29:23.9862942Z ##[group]Inspect builder
2025-01-17T18:29:23.9914224Z {
2025-01-17T18:29:23.9914688Z   "nodes": [
2025-01-17T18:29:23.9915089Z     {
2025-01-17T18:29:23.9915620Z       "name": "builder-7764b229-6772-4d87-9422-87cbaee29d6b0",
2025-01-17T18:29:23.9916336Z       "endpoint": "unix:///var/run/docker.sock",
2025-01-17T18:29:23.9916919Z       "status": "running",
2025-01-17T18:29:23.9917923Z       "buildkitd-flags": "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host",
2025-01-17T18:29:23.9918976Z       "buildkit": "v0.18.2",
2025-01-17T18:29:23.9919653Z       "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/386",
2025-01-17T18:29:23.9920392Z       "features": {
2025-01-17T18:29:23.9921115Z         "Automatically load images to the Docker Engine image store": true,
2025-01-17T18:29:23.9921867Z         "Cache export": true,
2025-01-17T18:29:23.9922415Z         "Docker exporter": true,
2025-01-17T18:29:23.9923041Z         "Multi-platform build": true,
2025-01-17T18:29:23.9923854Z         "OCI exporter": true
2025-01-17T18:29:23.9924283Z       },
2025-01-17T18:29:23.9924592Z       "labels": {
2025-01-17T18:29:23.9925064Z         "org.mobyproject.buildkit.worker.executor": "oci",
2025-01-17T18:29:23.9925738Z         "org.mobyproject.buildkit.worker.hostname": "c379043b8b5a",
2025-01-17T18:29:23.9926447Z         "org.mobyproject.buildkit.worker.network": "host",
2025-01-17T18:29:23.9927208Z         "org.mobyproject.buildkit.worker.oci.process-mode": "sandbox",
2025-01-17T18:29:23.9928015Z         "org.mobyproject.buildkit.worker.selinux.enabled": "false",
2025-01-17T18:29:23.9928787Z         "org.mobyproject.buildkit.worker.snapshotter": "overlayfs"
2025-01-17T18:29:23.9929382Z       },
2025-01-17T18:29:23.9929739Z       "gcPolicy": [
2025-01-17T18:29:23.9930108Z         {
2025-01-17T18:29:23.9930446Z           "all": false,
2025-01-17T18:29:23.9930823Z           "filter": [
2025-01-17T18:29:23.9931513Z             "type==source.local",
2025-01-17T18:29:23.9931992Z             "type==exec.cachemount",
2025-01-17T18:29:23.9932473Z             "type==source.git.checkout"
2025-01-17T18:29:23.9932929Z           ],
2025-01-17T18:29:23.9933505Z           "keepDuration": "48h0m0s"
2025-01-17T18:29:23.9933949Z         },
2025-01-17T18:29:23.9934284Z         {
2025-01-17T18:29:23.9934619Z           "all": false,
2025-01-17T18:29:23.9935029Z           "keepDuration": "1440h0m0s"
2025-01-17T18:29:23.9935473Z         },
2025-01-17T18:29:23.9935799Z         {
2025-01-17T18:29:23.9936134Z           "all": false
2025-01-17T18:29:23.9936508Z         },
2025-01-17T18:29:23.9936826Z         {
2025-01-17T18:29:23.9937153Z           "all": true
2025-01-17T18:29:23.9937523Z         }
2025-01-17T18:29:23.9937894Z       ]
2025-01-17T18:29:23.9938212Z     }
2025-01-17T18:29:23.9938524Z   ],
2025-01-17T18:29:23.9938952Z   "name": "builder-7764b229-6772-4d87-9422-87cbaee29d6b",
2025-01-17T18:29:23.9939562Z   "driver": "docker-container",
2025-01-17T18:29:23.9940024Z   "lastActivity": "2025-01-17T18:29:20.000Z"
2025-01-17T18:29:23.9940450Z }
2025-01-17T18:29:23.9941117Z ##[endgroup]
2025-01-17T18:29:23.9941759Z ##[group]BuildKit version
2025-01-17T18:29:23.9942279Z builder-7764b229-6772-4d87-9422-87cbaee29d6b0: v0.18.2
2025-01-17T18:29:23.9943076Z ##[endgroup]
2025-01-17T18:29:24.0196158Z ##[group]Run actions/checkout@v4
2025-01-17T18:29:24.0196474Z with:
2025-01-17T18:29:24.0196708Z   repository: junghans/test-actions
2025-01-17T18:29:24.0197144Z   token: ***
2025-01-17T18:29:24.0197367Z   ssh-strict: true
2025-01-17T18:29:24.0197590Z   ssh-user: git
2025-01-17T18:29:24.0197829Z   persist-credentials: true
2025-01-17T18:29:24.0198085Z   clean: true
2025-01-17T18:29:24.0198323Z   sparse-checkout-cone-mode: true
2025-01-17T18:29:24.0198808Z   fetch-depth: 1
2025-01-17T18:29:24.0199064Z   fetch-tags: false
2025-01-17T18:29:24.0199290Z   show-progress: true
2025-01-17T18:29:24.0199524Z   lfs: false
2025-01-17T18:29:24.0199736Z   submodules: false
2025-01-17T18:29:24.0199962Z   set-safe-directory: true
2025-01-17T18:29:24.0200213Z ##[endgroup]
2025-01-17T18:29:24.1202845Z Syncing repository: junghans/test-actions
2025-01-17T18:29:24.1203820Z ##[group]Getting Git version info
2025-01-17T18:29:24.1204346Z Working directory is '/home/runner/work/test-actions/test-actions'
2025-01-17T18:29:24.1204956Z [command]/usr/bin/git version
2025-01-17T18:29:24.1266953Z git version 2.47.1
2025-01-17T18:29:24.1292210Z ##[endgroup]
2025-01-17T18:29:24.1306169Z Temporarily overriding HOME='/home/runner/work/_temp/ace72073-0a07-4ed8-a59e-62e59b10d708' before making global git config changes
2025-01-17T18:29:24.1307003Z Adding repository directory to the temporary git global config as a safe directory
2025-01-17T18:29:24.1318388Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/test-actions/test-actions
2025-01-17T18:29:24.1351544Z Deleting the contents of '/home/runner/work/test-actions/test-actions'
2025-01-17T18:29:24.1355110Z ##[group]Initializing the repository
2025-01-17T18:29:24.1359144Z [command]/usr/bin/git init /home/runner/work/test-actions/test-actions
2025-01-17T18:29:24.1500112Z hint: Using 'master' as the name for the initial branch. This default branch name
2025-01-17T18:29:24.1501014Z hint: is subject to change. To configure the initial branch name to use in all
2025-01-17T18:29:24.1501687Z hint: of your new repositories, which will suppress this warning, call:
2025-01-17T18:29:24.1502091Z hint:
2025-01-17T18:29:24.1502408Z hint: 	git config --global init.defaultBranch <name>
2025-01-17T18:29:24.1502738Z hint:
2025-01-17T18:29:24.1503101Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
2025-01-17T18:29:24.1503801Z hint: 'development'. The just-created branch can be renamed via this command:
2025-01-17T18:29:24.1507602Z hint:
2025-01-17T18:29:24.1508020Z hint: 	git branch -m <name>
2025-01-17T18:29:24.1508651Z Initialized empty Git repository in /home/runner/work/test-actions/test-actions/.git/
2025-01-17T18:29:24.1518502Z [command]/usr/bin/git remote add origin https://github.com/junghans/test-actions
2025-01-17T18:29:24.1550993Z ##[endgroup]
2025-01-17T18:29:24.1551638Z ##[group]Disabling automatic garbage collection
2025-01-17T18:29:24.1555556Z [command]/usr/bin/git config --local gc.auto 0
2025-01-17T18:29:24.1582897Z ##[endgroup]
2025-01-17T18:29:24.1583747Z ##[group]Setting up auth
2025-01-17T18:29:24.1589897Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2025-01-17T18:29:24.1618474Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2025-01-17T18:29:24.1963531Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2025-01-17T18:29:24.1991212Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2025-01-17T18:29:24.2212120Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2025-01-17T18:29:24.2248106Z ##[endgroup]
2025-01-17T18:29:24.2256375Z ##[group]Fetching the repository
2025-01-17T18:29:24.2258223Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +41fd4643c0820d2804b9a15c5c1a9e4b3ac04090:refs/remotes/origin/PAM_error
2025-01-17T18:29:24.5919974Z From https://github.com/junghans/test-actions
2025-01-17T18:29:24.5920496Z  * [new ref]         41fd4643c0820d2804b9a15c5c1a9e4b3ac04090 -> origin/PAM_error
2025-01-17T18:29:24.5945307Z ##[endgroup]
2025-01-17T18:29:24.5945680Z ##[group]Determining the checkout info
2025-01-17T18:29:24.5947780Z ##[endgroup]
2025-01-17T18:29:24.5952620Z [command]/usr/bin/git sparse-checkout disable
2025-01-17T18:29:24.5992433Z [command]/usr/bin/git config --local --unset-all extensions.worktreeConfig
2025-01-17T18:29:24.6024084Z ##[group]Checking out the ref
2025-01-17T18:29:24.6024530Z [command]/usr/bin/git checkout --progress --force -B PAM_error refs/remotes/origin/PAM_error
2025-01-17T18:29:24.6066003Z Switched to a new branch 'PAM_error'
2025-01-17T18:29:24.6069496Z branch 'PAM_error' set up to track 'origin/PAM_error'.
2025-01-17T18:29:24.6074487Z ##[endgroup]
2025-01-17T18:29:24.6111565Z [command]/usr/bin/git log -1 --format=%H
2025-01-17T18:29:24.6132926Z 41fd4643c0820d2804b9a15c5c1a9e4b3ac04090
2025-01-17T18:29:24.6308406Z ##[group]Run docker/build-push-action@v6
2025-01-17T18:29:24.6308677Z with:
2025-01-17T18:29:24.6308843Z   file: Dockerfile
2025-01-17T18:29:24.6309022Z   pull: true
2025-01-17T18:29:24.6309186Z   push: false
2025-01-17T18:29:24.6309357Z   load: false
2025-01-17T18:29:24.6309543Z   no-cache: false
2025-01-17T18:29:24.6309853Z   github-token: ***
2025-01-17T18:29:24.6310029Z ##[endgroup]
2025-01-17T18:29:24.8633076Z ##[group]GitHub Actions runtime token ACs
2025-01-17T18:29:24.8640992Z refs/heads/PAM_error: read/write
2025-01-17T18:29:24.8641457Z refs/heads/master: read
2025-01-17T18:29:24.8642627Z ##[endgroup]
2025-01-17T18:29:24.8643464Z ##[group]Docker info
2025-01-17T18:29:24.8716713Z [command]/usr/bin/docker version
2025-01-17T18:29:24.8922786Z Client: Docker Engine - Community
2025-01-17T18:29:24.8923733Z  Version:           26.1.3
2025-01-17T18:29:24.8924224Z  API version:       1.45
2025-01-17T18:29:24.8924753Z  Go version:        go1.21.10
2025-01-17T18:29:24.8925197Z  Git commit:        b72abbb
2025-01-17T18:29:24.8925564Z  Built:             Thu May 16 08:33:35 2024
2025-01-17T18:29:24.8925904Z  OS/Arch:           linux/amd64
2025-01-17T18:29:24.8926132Z  Context:           default
2025-01-17T18:29:24.8926272Z 
2025-01-17T18:29:24.8926378Z Server: Docker Engine - Community
2025-01-17T18:29:24.8926605Z  Engine:
2025-01-17T18:29:24.8926768Z   Version:          26.1.3
2025-01-17T18:29:24.8926995Z   API version:      1.45 (minimum version 1.24)
2025-01-17T18:29:24.8927261Z   Go version:       go1.21.10
2025-01-17T18:29:24.8927470Z   Git commit:       8e96db1
2025-01-17T18:29:24.8927679Z   Built:            Thu May 16 08:33:35 2024
2025-01-17T18:29:24.8927924Z   OS/Arch:          linux/amd64
2025-01-17T18:29:24.8928140Z   Experimental:     false
2025-01-17T18:29:24.8928336Z  containerd:
2025-01-17T18:29:24.8928505Z   Version:          1.7.24
2025-01-17T18:29:24.8928763Z   GitCommit:        88bf19b2105c8b17560993bee28a01ddc2f97182
2025-01-17T18:29:24.8929032Z  runc:
2025-01-17T18:29:24.8929196Z   Version:          1.2.2
2025-01-17T18:29:24.8929402Z   GitCommit:        v1.2.2-0-g7cb3632
2025-01-17T18:29:24.8929633Z  docker-init:
2025-01-17T18:29:24.8929807Z   Version:          0.19.0
2025-01-17T18:29:24.8930078Z   GitCommit:        de40ad0
2025-01-17T18:29:24.8973042Z [command]/usr/bin/docker info
2025-01-17T18:29:24.9394156Z Client: Docker Engine - Community
2025-01-17T18:29:24.9395276Z  Version:    26.1.3
2025-01-17T18:29:24.9395783Z  Context:    default
2025-01-17T18:29:24.9396346Z  Debug Mode: false
2025-01-17T18:29:24.9396905Z  Plugins:
2025-01-17T18:29:24.9397735Z   buildx: Docker Buildx (Docker Inc.)
2025-01-17T18:29:24.9398452Z     Version:  v0.19.3
2025-01-17T18:29:24.9399676Z     Path:     /usr/libexec/docker/cli-plugins/docker-buildx
2025-01-17T18:29:24.9400541Z   compose: Docker Compose (Docker Inc.)
2025-01-17T18:29:24.9401213Z     Version:  v2.27.1
2025-01-17T18:29:24.9401911Z     Path:     /usr/libexec/docker/cli-plugins/docker-compose
2025-01-17T18:29:24.9402600Z 
2025-01-17T18:29:24.9402862Z Server:
2025-01-17T18:29:24.9404171Z  Containers: 1
2025-01-17T18:29:24.9404894Z   Running: 1
2025-01-17T18:29:24.9405427Z   Paused: 0
2025-01-17T18:29:24.9405957Z   Stopped: 0
2025-01-17T18:29:24.9406929Z  Images: 1
2025-01-17T18:29:24.9407533Z  Server Version: 26.1.3
2025-01-17T18:29:24.9408775Z  Storage Driver: overlay2
2025-01-17T18:29:24.9409468Z   Backing Filesystem: extfs
2025-01-17T18:29:24.9410509Z   Supports d_type: true
2025-01-17T18:29:24.9411201Z   Using metacopy: false
2025-01-17T18:29:24.9411836Z   Native Overlay Diff: false
2025-01-17T18:29:24.9412239Z   userxattr: false
2025-01-17T18:29:24.9412570Z  Logging Driver: json-file
2025-01-17T18:29:24.9412979Z  Cgroup Driver: systemd
2025-01-17T18:29:24.9413818Z  Cgroup Version: 2
2025-01-17T18:29:24.9414121Z  Plugins:
2025-01-17T18:29:24.9414385Z   Volume: local
2025-01-17T18:29:24.9414747Z   Network: bridge host ipvlan macvlan null overlay
2025-01-17T18:29:24.9415773Z   Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
2025-01-17T18:29:24.9416423Z  Swarm: inactive
2025-01-17T18:29:24.9416780Z  Runtimes: io.containerd.runc.v2 runc
2025-01-17T18:29:24.9417224Z  Default Runtime: runc
2025-01-17T18:29:24.9417581Z  Init Binary: docker-init
2025-01-17T18:29:24.9418066Z  containerd version: 88bf19b2105c8b17560993bee28a01ddc2f97182
2025-01-17T18:29:24.9418617Z  runc version: v1.2.2-0-g7cb3632
2025-01-17T18:29:24.9419007Z  init version: de40ad0
2025-01-17T18:29:24.9419335Z  Security Options:
2025-01-17T18:29:24.9419656Z   apparmor
2025-01-17T18:29:24.9419949Z   seccomp
2025-01-17T18:29:24.9420243Z    Profile: builtin
2025-01-17T18:29:24.9420569Z   cgroupns
2025-01-17T18:29:24.9420865Z  Kernel Version: 6.8.0-1017-azure
2025-01-17T18:29:24.9421257Z  Operating System: Ubuntu 24.04.1 LTS
2025-01-17T18:29:24.9421683Z  OSType: linux
2025-01-17T18:29:24.9422098Z  Architecture: x86_64
2025-01-17T18:29:24.9422485Z  CPUs: 4
2025-01-17T18:29:24.9422773Z  Total Memory: 15.62GiB
2025-01-17T18:29:24.9423174Z  Name: fv-az1377-715
2025-01-17T18:29:24.9423788Z  ID: fac863d2-75be-4525-b213-ce36ebbd9960
2025-01-17T18:29:24.9424179Z  Docker Root Dir: /var/lib/docker
2025-01-17T18:29:24.9424408Z  Debug Mode: false
2025-01-17T18:29:24.9424610Z  Username: githubactions
2025-01-17T18:29:24.9424821Z  Experimental: false
2025-01-17T18:29:24.9425019Z  Insecure Registries:
2025-01-17T18:29:24.9425314Z   127.0.0.0/8
2025-01-17T18:29:24.9425520Z  Live Restore Enabled: false
2025-01-17T18:29:24.9425660Z 
2025-01-17T18:29:24.9426045Z ##[endgroup]
2025-01-17T18:29:24.9426490Z ##[group]Proxy configuration
2025-01-17T18:29:24.9426724Z No proxy configuration found
2025-01-17T18:29:24.9427042Z ##[endgroup]
2025-01-17T18:29:24.9959251Z ##[group]Buildx version
2025-01-17T18:29:24.9980134Z [command]/usr/bin/docker buildx version
2025-01-17T18:29:25.0380804Z github.com/docker/buildx v0.19.3 48d6a3927a14668da1a0c4439a6d454a3abbdf05
2025-01-17T18:29:25.0410136Z ##[endgroup]
2025-01-17T18:29:25.0410488Z ##[group]Builder info
2025-01-17T18:29:25.1168047Z {
2025-01-17T18:29:25.1168305Z   "nodes": [
2025-01-17T18:29:25.1168481Z     {
2025-01-17T18:29:25.1168722Z       "name": "builder-7764b229-6772-4d87-9422-87cbaee29d6b0",
2025-01-17T18:29:25.1169050Z       "endpoint": "unix:///var/run/docker.sock",
2025-01-17T18:29:25.1169326Z       "status": "running",
2025-01-17T18:29:25.1169818Z       "buildkitd-flags": "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host",
2025-01-17T18:29:25.1170295Z       "buildkit": "v0.18.2",
2025-01-17T18:29:25.1170586Z       "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/386",
2025-01-17T18:29:25.1170894Z       "features": {
2025-01-17T18:29:25.1171170Z         "Automatically load images to the Docker Engine image store": true,
2025-01-17T18:29:25.1171500Z         "Cache export": true,
2025-01-17T18:29:25.1171712Z         "Docker exporter": true,
2025-01-17T18:29:25.1171943Z         "Multi-platform build": true,
2025-01-17T18:29:25.1172169Z         "OCI exporter": true
2025-01-17T18:29:25.1172368Z       },
2025-01-17T18:29:25.1172525Z       "labels": {
2025-01-17T18:29:25.1172752Z         "org.mobyproject.buildkit.worker.executor": "oci",
2025-01-17T18:29:25.1173113Z         "org.mobyproject.buildkit.worker.hostname": "c379043b8b5a",
2025-01-17T18:29:25.1174083Z         "org.mobyproject.buildkit.worker.network": "host",
2025-01-17T18:29:25.1174469Z         "org.mobyproject.buildkit.worker.oci.process-mode": "sandbox",
2025-01-17T18:29:25.1174881Z         "org.mobyproject.buildkit.worker.selinux.enabled": "false",
2025-01-17T18:29:25.1175271Z         "org.mobyproject.buildkit.worker.snapshotter": "overlayfs"
2025-01-17T18:29:25.1175563Z       },
2025-01-17T18:29:25.1175721Z       "gcPolicy": [
2025-01-17T18:29:25.1175891Z         {
2025-01-17T18:29:25.1176043Z           "all": false,
2025-01-17T18:29:25.1176226Z           "filter": [
2025-01-17T18:29:25.1176408Z             "type==source.local",
2025-01-17T18:29:25.1176630Z             "type==exec.cachemount",
2025-01-17T18:29:25.1177018Z             "type==source.git.checkout"
2025-01-17T18:29:25.1177243Z           ],
2025-01-17T18:29:25.1177413Z           "keepDuration": "48h0m0s"
2025-01-17T18:29:25.1177621Z         },
2025-01-17T18:29:25.1177787Z         {
2025-01-17T18:29:25.1177933Z           "all": false,
2025-01-17T18:29:25.1178132Z           "keepDuration": "1440h0m0s"
2025-01-17T18:29:25.1178347Z         },
2025-01-17T18:29:25.1178489Z         {
2025-01-17T18:29:25.1178641Z           "all": false
2025-01-17T18:29:25.1178807Z         },
2025-01-17T18:29:25.1178954Z         {
2025-01-17T18:29:25.1179104Z           "all": true
2025-01-17T18:29:25.1179267Z         }
2025-01-17T18:29:25.1179414Z       ]
2025-01-17T18:29:25.1179564Z     }
2025-01-17T18:29:25.1179702Z   ],
2025-01-17T18:29:25.1179902Z   "name": "builder-7764b229-6772-4d87-9422-87cbaee29d6b",
2025-01-17T18:29:25.1180184Z   "driver": "docker-container",
2025-01-17T18:29:25.1180409Z   "lastActivity": "2025-01-17T18:29:20.000Z"
2025-01-17T18:29:25.1180633Z }
2025-01-17T18:29:25.1181068Z ##[endgroup]
2025-01-17T18:29:25.2532534Z [command]/usr/bin/docker buildx build --file Dockerfile --iidfile /home/runner/work/_temp/docker-actions-toolkit-45YjkO/build-iidfile-1a693983d2.txt --attest type=provenance,mode=max,builder-id=https://github.com/junghans/test-actions/actions/runs/12834771076/attempts/1 --secret id=GIT_AUTH_TOKEN,src=/home/runner/work/_temp/docker-actions-toolkit-45YjkO/tmp-2249-NXoXcUxpKekS --metadata-file /home/runner/work/_temp/docker-actions-toolkit-45YjkO/build-metadata-20c4fba042.json --pull https://github.com/junghans/test-actions.git#41fd4643c0820d2804b9a15c5c1a9e4b3ac04090
2025-01-17T18:29:25.5156109Z #0 building with "builder-7764b229-6772-4d87-9422-87cbaee29d6b" instance using docker-container driver
2025-01-17T18:29:25.5156585Z 
2025-01-17T18:29:25.5156968Z #1 [internal] load git source https://github.com/junghans/test-actions.git#41fd4643c0820d2804b9a15c5c1a9e4b3ac04090
2025-01-17T18:29:25.5157781Z #1 0.020 Initialized empty Git repository in /var/lib/buildkit/runc-overlayfs/snapshots/snapshots/1/fs/
2025-01-17T18:29:25.5158432Z #1 0.023 fatal: Not a valid object name 41fd4643c0820d2804b9a15c5c1a9e4b3ac04090^{commit}
2025-01-17T18:29:25.9272861Z #1 0.586 From https://github.com/junghans/test-actions
2025-01-17T18:29:25.9274158Z #1 0.586  * branch            41fd4643c0820d2804b9a15c5c1a9e4b3ac04090 -> FETCH_HEAD
2025-01-17T18:29:26.1091633Z #1 0.586  * [new tag]         v1.6.1     -> v1.6.1
2025-01-17T18:29:26.1092157Z #1 0.586  * [new tag]         v1.7-dev   -> v1.7-dev
2025-01-17T18:29:26.1092443Z #1 DONE 0.6s
2025-01-17T18:29:26.1092556Z 
2025-01-17T18:29:26.1092756Z #2 [internal] load metadata for registry.fedoraproject.org/fedora:latest
2025-01-17T18:29:26.6571200Z #2 DONE 0.7s
2025-01-17T18:29:26.8238474Z 
2025-01-17T18:29:26.8239409Z #3 [1/6] FROM registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b
2025-01-17T18:29:26.8240294Z #3 resolve registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b done
2025-01-17T18:29:26.8304272Z #3 sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 18.87MB / 60.06MB 0.2s
2025-01-17T18:29:26.9786031Z #3 sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 60.06MB / 60.06MB 0.3s
2025-01-17T18:29:27.1570093Z #3 sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 60.06MB / 60.06MB 0.3s done
2025-01-17T18:29:27.1571207Z #3 extracting sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c
2025-01-17T18:29:28.3801946Z #3 extracting sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 1.4s done
2025-01-17T18:29:28.3802735Z #3 DONE 1.7s
2025-01-17T18:29:28.5311428Z 
2025-01-17T18:29:28.5311962Z #4 [2/6] RUN useradd -m -G wheel -u 1001 user
2025-01-17T18:29:28.6820001Z #4 DONE 0.3s
2025-01-17T18:29:28.8075874Z 
2025-01-17T18:29:28.8077177Z #5 [3/6] RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user
2025-01-17T18:29:28.8078157Z #5 DONE 0.1s
2025-01-17T18:29:28.8078299Z 
2025-01-17T18:29:28.8078386Z #6 [4/6] WORKDIR /home/user
2025-01-17T18:29:28.8078728Z #6 DONE 0.0s
2025-01-17T18:29:28.8078836Z 
2025-01-17T18:29:28.8078904Z #7 [5/6] RUN whoami
2025-01-17T18:29:28.8079081Z #7 0.050 user
2025-01-17T18:29:28.9026457Z #7 DONE 0.1s
2025-01-17T18:29:28.9027248Z 
2025-01-17T18:29:28.9027440Z #8 [6/6] RUN sudo whoami
2025-01-17T18:29:28.9028200Z #8 0.059 sudo: PAM account management error: Authentication service cannot retrieve authentication info
2025-01-17T18:29:28.9029011Z #8 0.059 sudo: a password is required
2025-01-17T18:29:28.9029670Z #8 ERROR: process "/bin/sh -c sudo whoami" did not complete successfully: exit code: 1
2025-01-17T18:29:28.9030298Z ------
2025-01-17T18:29:28.9030588Z  > [6/6] RUN sudo whoami:
2025-01-17T18:29:28.9031218Z 0.059 sudo: PAM account management error: Authentication service cannot retrieve authentication info
2025-01-17T18:29:28.9031979Z 0.059 sudo: a password is required
2025-01-17T18:29:28.9032410Z ------
2025-01-17T18:29:28.9033761Z WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
2025-01-17T18:29:28.9087865Z Dockerfile:9
2025-01-17T18:29:28.9088198Z --------------------
2025-01-17T18:29:28.9088521Z    7 |     WORKDIR /home/user
2025-01-17T18:29:28.9089031Z    8 |     RUN whoami
2025-01-17T18:29:28.9089324Z    9 | >>> RUN sudo whoami
2025-01-17T18:29:28.9089647Z   10 |     
2025-01-17T18:29:28.9089932Z --------------------
2025-01-17T18:29:28.9090423Z ERROR: failed to solve: process "/bin/sh -c sudo whoami" did not complete successfully: exit code: 1
2025-01-17T18:29:28.9132844Z ##[group]Reference
2025-01-17T18:29:28.9909445Z builder-7764b229-6772-4d87-9422-87cbaee29d6b/builder-7764b229-6772-4d87-9422-87cbaee29d6b0/v105fkcbtwd2pkgbdafam7dyb
2025-01-17T18:29:28.9910656Z ##[endgroup]
2025-01-17T18:29:28.9911008Z ##[group]Check build summary support
2025-01-17T18:29:28.9915244Z Build summary supported!
2025-01-17T18:29:28.9916123Z ##[endgroup]
2025-01-17T18:29:28.9936084Z ##[error]buildx failed with: ERROR: failed to solve: process "/bin/sh -c sudo whoami" did not complete successfully: exit code: 1
2025-01-17T18:29:29.0096826Z Post job cleanup.
2025-01-17T18:29:29.2457052Z ##[group]Generating build summary
2025-01-17T18:29:29.3320324Z exporting build record to /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/export
2025-01-17T18:29:32.3384214Z [command]/usr/bin/mkfifo /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/buildx-in-BAhf7s.fifo
2025-01-17T18:29:32.3438991Z [command]/usr/bin/mkfifo /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/buildx-out-5bIuTM.fifo
2025-01-17T18:29:32.3480791Z [command]docker buildx --builder builder-7764b229-6772-4d87-9422-87cbaee29d6b dial-stdio
2025-01-17T18:29:32.3512638Z [command]docker run --rm -i -v /home/runner/.docker/buildx/refs:/buildx-refs -v /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/export:/out docker.io/dockereng/export-build:latest --ref-state-dir=/buildx-refs --node=builder-7764b229-6772-4d87-9422-87cbaee29d6b/builder-7764b229-6772-4d87-9422-87cbaee29d6b0 --ref=v105fkcbtwd2pkgbdafam7dyb --uid=1001 --gid=118
2025-01-17T18:29:32.3664435Z Unable to find image 'dockereng/export-build:latest' locally
2025-01-17T18:29:33.3217461Z latest: Pulling from dockereng/export-build
2025-01-17T18:29:33.5865600Z fa05fab17045: Pulling fs layer
2025-01-17T18:29:33.5866043Z 3bee4e1c34fe: Pulling fs layer
2025-01-17T18:29:33.8325321Z 3bee4e1c34fe: Verifying Checksum
2025-01-17T18:29:33.8325852Z 3bee4e1c34fe: Download complete
2025-01-17T18:29:33.8847624Z fa05fab17045: Verifying Checksum
2025-01-17T18:29:33.8848067Z fa05fab17045: Download complete
2025-01-17T18:29:33.9840552Z fa05fab17045: Pull complete
2025-01-17T18:29:34.0155219Z 3bee4e1c34fe: Pull complete
2025-01-17T18:29:34.0203951Z Digest: sha256:3d41f110aedbe6c439e0002646f6c31b3063bc50f43a712c9a55710a9b5ae3f7
2025-01-17T18:29:34.0220554Z Status: Downloaded newer image for dockereng/export-build:latest
2025-01-17T18:29:34.2996287Z Process "docker run" exited with code 0
2025-01-17T18:29:34.3000923Z Parsing /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/export/summary.json
2025-01-17T18:29:34.3004756Z Build record written to /home/runner/work/_temp/docker-actions-toolkit-uuNZsE/export/junghans~test-actions~V105FK.dockerbuild (12.83 KB)
2025-01-17T18:29:34.3021198Z Uploading junghans~test-actions~V105FK.dockerbuild to blob storage
2025-01-17T18:29:34.3366264Z ERROR: read unix @->/run/docker.sock: use of closed network connection
2025-01-17T18:29:34.3367613Z Process "buildx dial-stdio" was killed with signal SIGKILL
2025-01-17T18:29:34.6162922Z Beginning upload of artifact content to blob storage
2025-01-17T18:29:34.6251740Z Uploaded bytes 13135
2025-01-17T18:29:34.9429282Z Finished uploading artifact content to blob storage!
2025-01-17T18:29:34.9434437Z SHA256 hash of uploaded artifact is 5c49c4bf7677512dfdfafce44c12927b2b9e9a3a144baa35a6e95daad4b9e7e3
2025-01-17T18:29:34.9435599Z Finalizing artifact upload
2025-01-17T18:29:35.2465623Z Artifact successfully finalized (2448580225)
2025-01-17T18:29:35.2466981Z Artifact download URL: https://github.com/junghans/test-actions/actions/runs/12834771076/artifacts/2448580225
2025-01-17T18:29:35.2490949Z Writing summary
2025-01-17T18:29:35.2502603Z ##[endgroup]
2025-01-17T18:29:35.2503501Z ##[group]Removing temp folder /home/runner/work/_temp/docker-actions-toolkit-45YjkO
2025-01-17T18:29:35.2510870Z ##[endgroup]
2025-01-17T18:29:35.2511375Z ##[group]Post cache
2025-01-17T18:29:35.2512768Z State not set
2025-01-17T18:29:35.2513430Z ##[endgroup]
2025-01-17T18:29:35.2655174Z Post job cleanup.
2025-01-17T18:29:35.3582349Z [command]/usr/bin/git version
2025-01-17T18:29:35.3618769Z git version 2.47.1
2025-01-17T18:29:35.3660849Z Temporarily overriding HOME='/home/runner/work/_temp/0f39d43f-79d7-4877-913e-26481db75998' before making global git config changes
2025-01-17T18:29:35.3661724Z Adding repository directory to the temporary git global config as a safe directory
2025-01-17T18:29:35.3666414Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/test-actions/test-actions
2025-01-17T18:29:35.3701312Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2025-01-17T18:29:35.3732482Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2025-01-17T18:29:35.3963403Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2025-01-17T18:29:35.3984674Z http.https://github.com/.extraheader
2025-01-17T18:29:35.3996651Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2025-01-17T18:29:35.4026928Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2025-01-17T18:29:35.4344187Z Post job cleanup.
2025-01-17T18:29:35.6758990Z ##[group]Removing builder
2025-01-17T18:29:35.7617587Z [command]/usr/bin/docker buildx rm builder-7764b229-6772-4d87-9422-87cbaee29d6b
2025-01-17T18:29:36.1189317Z builder-7764b229-6772-4d87-9422-87cbaee29d6b removed
2025-01-17T18:29:36.1226799Z ##[endgroup]
2025-01-17T18:29:36.1228126Z ##[group]Cleaning up certificates
2025-01-17T18:29:36.1234573Z ##[endgroup]
2025-01-17T18:29:36.1235169Z ##[group]Post cache
2025-01-17T18:29:36.1237461Z State not set
2025-01-17T18:29:36.1238037Z ##[endgroup]
2025-01-17T18:29:36.1360612Z Cleaning up orphan processes

BuildKit logs


Additional info

The build from the same Dockerfile worked a couple of months ago.

@crazy-max
Member

https://github.com/junghans/test-actions/actions/runs/12834771076

This repo is about setup-buildx-action and I don't see any issue with it in this run:

Image

Let me move this to build-push-action

@crazy-max transferred this issue from docker/setup-buildx-action on Jan 17, 2025
@crazy-max
Member

> sudo executes successfully in the container.

I don't think this is related to the action but your Dockerfile. Do you repro locally as well?

@junghans
Author

> > sudo executes successfully in the container.
>
> I don't think this is related to the action but your Dockerfile. Do you repro locally as well?

It works locally on my Fedora 41 machine.

@junghans
Author

junghans commented Jan 17, 2025

Local test of F41
$ cat /etc/redhat-release
Fedora release 41 (Forty One)
$ docker --version
Docker version 27.5.0, build a187fa5
$ docker buildx version
github.com/docker/buildx v0.19.3 48d6a39
$ cat docker/Dockerfile
FROM registry.fedoraproject.org/fedora:latest

RUN useradd -m -G wheel -u 1001 user
RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user

USER user
WORKDIR /home/user
RUN sudo whoami
$ docker buildx build --progress plain docker/
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 294B done
#1 DONE 0.0s

#2 [internal] load metadata for registry.fedoraproject.org/fedora:latest
#2 DONE 0.8s

#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s

#4 [1/5] FROM registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b
#4 resolve registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 0.0s done
#4 sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 1.41kB / 1.41kB done
#4 sha256:ef58b9a9b4eeb929cb37b1b83d94a2f7258edd175f9837b1bfa01d3383d5cd09 504B / 504B done
#4 sha256:a432b057a522737c229d2aac9b029f55bf2a44eb3f423e4e4ece2acb8a304652 858B / 858B done
#4 DONE 0.1s

#5 [2/5] RUN useradd -m -G wheel -u 1001 user
#5 DONE 0.3s

#6 [3/5] RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user
#6 DONE 0.2s

#7 [4/5] WORKDIR /home/user
#7 DONE 0.1s

#8 [5/5] RUN sudo whoami
#8 0.173 root
#8 DONE 0.2s

#9 exporting to image
#9 exporting layers 0.1s done
#9 writing image sha256:cbd11e72bb4a5de21e6bc51e433189036192d36c9d0725e46fcd20eea1b2e18a done
#9 DONE 0.1s

@thaJeztah
Member

Looks like it works with the Default builder (docker 27.5.0);

docker buildx inspect
Name:          default
Driver:        docker
Last Activity: 2025-01-17 23:48:47 +0000 UTC

Nodes:
Name:             default
Endpoint:         default
Status:           running
BuildKit version: v0.18.2
Platforms:        linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
Labels:
 org.mobyproject.buildkit.worker.moby.host-gateway-ip: 172.17.0.1

docker buildx build -t foo --load -<<'EOF'
FROM registry.fedoraproject.org/fedora:latest

RUN useradd -m -G wheel -u 1001 user
RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user

USER user
WORKDIR /home/user
RUN sudo whoami
EOF
[+] Building 6.7s (9/9) FINISHED                                                                                                                                                                                     docker:default
 => [internal] load build definition from Dockerfile                                                                                                                                                                           0.0s
 => => transferring dockerfile: 234B                                                                                                                                                                                           0.0s
 => [internal] load metadata for registry.fedoraproject.org/fedora:latest                                                                                                                                                      0.6s
 => [internal] load .dockerignore                                                                                                                                                                                              0.0s
 => => transferring context: 2B                                                                                                                                                                                                0.0s
 => [1/5] FROM registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b                                                                                                4.4s
 => => resolve registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b                                                                                                0.0s
 => => sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b 1.41kB / 1.41kB                                                                                                                                 0.0s
 => => sha256:ef58b9a9b4eeb929cb37b1b83d94a2f7258edd175f9837b1bfa01d3383d5cd09 504B / 504B                                                                                                                                     0.0s
 => => sha256:a432b057a522737c229d2aac9b029f55bf2a44eb3f423e4e4ece2acb8a304652 858B / 858B                                                                                                                                     0.0s
 => => sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 60.06MB / 60.06MB                                                                                                                               0.8s
 => => extracting sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c                                                                                                                                      3.3s
 => [2/5] RUN useradd -m -G wheel -u 1001 user                                                                                                                                                                                 0.5s
 => [3/5] RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user                                                                                                                                                     0.2s
 => [4/5] WORKDIR /home/user                                                                                                                                                                                                   0.1s
 => [5/5] RUN sudo whoami                                                                                                                                                                                                      0.3s
 => exporting to image                                                                                                                                                                                                         0.2s
 => => exporting layers                                                                                                                                                                                                        0.1s
 => => writing image sha256:cb32a41b3f9c46fcd2c337c20ac788780f4cef5a04ce9eab7b4e38f3b88f2bda                                                                                                                                   0.0s
 => => naming to docker.io/library/foo                                                                                                                                                                                         0.0s

But with a custom builder, using steps from GitHub actions, it fails;

docker buildx create --name builder-7764b229-6772-4d87-9422-87cbaee29d6b --driver docker-container --buildkitd-flags '--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host' --use

docker buildx use builder-7764b229-6772-4d87-9422-87cbaee29d6b
[+] Building 8.0s (9/9) FINISHED                                                                                                                                      docker-container:builder-7764b229-6772-4d87-9422-87cbaee29d6b
 => [internal] booting buildkit                                                                                                                                                                                                1.8s
 => => pulling image moby/buildkit:buildx-stable-1                                                                                                                                                                             1.0s
 => => creating container buildx_buildkit_builder-7764b229-6772-4d87-9422-87cbaee29d6b0                                                                                                                                        0.8s
 => [internal] load build definition from Dockerfile                                                                                                                                                                           0.1s
 => => transferring dockerfile: 234B                                                                                                                                                                                           0.0s
 => [internal] load metadata for registry.fedoraproject.org/fedora:latest                                                                                                                                                      0.9s
 => [internal] load .dockerignore                                                                                                                                                                                              0.1s
 => => transferring context: 2B                                                                                                                                                                                                0.0s
 => [1/5] FROM registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b                                                                                                4.1s
 => => resolve registry.fedoraproject.org/fedora:latest@sha256:991a06b2425c13613ef8ace721a9055e52a64f65cd96c2b18c72bde43fe1308b                                                                                                0.0s
 => => sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c 60.06MB / 60.06MB                                                                                                                               0.6s
 => => extracting sha256:a52c777f25d4afed9d7958da2f249de731ed6e4479ead4f00621589d0398610c                                                                                                                                      3.4s
 => [2/5] RUN useradd -m -G wheel -u 1001 user                                                                                                                                                                                 0.4s
 => [3/5] RUN echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/user                                                                                                                                                     0.1s
 => [4/5] WORKDIR /home/user                                                                                                                                                                                                   0.1s
 => ERROR [5/5] RUN sudo whoami                                                                                                                                                                                                0.2s
------
 > [5/5] RUN sudo whoami:
0.135 sudo: PAM account management error: Authentication service cannot retrieve authentication info
0.136 sudo: a password is required
------
Dockerfile:8
--------------------
   6 |     USER user
   7 |     WORKDIR /home/user
   8 | >>> RUN sudo whoami
   9 |
--------------------
ERROR: failed to solve: process "/bin/sh -c sudo whoami" did not complete successfully: exit code: 1

docker buildx inspect
Name:          builder-7764b229-6772-4d87-9422-87cbaee29d6b
Driver:        docker-container
Last Activity: 2025-01-17 23:51:36 +0000 UTC

Nodes:
Name:                  builder-7764b229-6772-4d87-9422-87cbaee29d6b0
Endpoint:              unix:///var/run/docker.sock
Status:                running
BuildKit daemon flags: --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
BuildKit version:      v0.18.2
Platforms:             linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         6b8648b69562
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
GC Policy rule#0:
 All:            false
 Filters:        type==source.local,type==exec.cachemount,type==source.git.checkout
 Keep Duration:  48h0m0s
 Max Used Space: 488.3MiB
GC Policy rule#1:
 All:            false
 Keep Duration:  1440h0m0s
 Reserved Space: 2.794GiB
 Max Used Space: 17.7GiB
 Min Free Space: 4.657GiB
GC Policy rule#2:
 All:            false
 Reserved Space: 2.794GiB
 Max Used Space: 17.7GiB
 Min Free Space: 4.657GiB
GC Policy rule#3:
 All:            true
 Reserved Space: 2.794GiB
 Max Used Space: 17.7GiB
 Min Free Space: 4.657GiB
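
To make the comparison in the comment above repeatable, this added example (not part of the original thread or of buildx) parses the plain-text `docker buildx inspect` output of a working and a failing builder and reports only the fields that differ. The function names are hypothetical, the two inputs are abridged from the outputs quoted above, and a single-node builder is assumed.

```python
import re

# Constructed sample inputs, abridged from the two `docker buildx inspect`
# outputs quoted in the comment above (GC rules shortened to one).
WORKING = """\
Name:          default
Driver:        docker

Nodes:
Name:             default
Endpoint:         default
Status:           running
BuildKit version: v0.18.2
Labels:
 org.mobyproject.buildkit.worker.moby.host-gateway-ip: 172.17.0.1
"""

FAILING = """\
Name:          builder-7764b229-6772-4d87-9422-87cbaee29d6b
Driver:        docker-container

Nodes:
Name:                  builder-7764b229-6772-4d87-9422-87cbaee29d6b0
Endpoint:              unix:///var/run/docker.sock
Status:                running
BuildKit daemon flags: --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
BuildKit version:      v0.18.2
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
GC Policy rule#0:
 All:            false
 Keep Duration:  48h0m0s
"""

# Names always differ between two builders and say nothing about behaviour.
IGNORED = {"builder.Name", "node.Name"}


def parse_inspect(text):
    """Flatten inspect output into {"<section>.<key>": value} (hypothetical helper).

    Sections are "builder" (before "Nodes:"), "node" and "label".
    Garbage-collection rules are skipped: they do not affect how RUN steps execute.
    """
    flat, section = {}, "builder"
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank line or text without a "key:" part
        if key == "Nodes":
            section = "node"
        elif key == "Labels":
            section = "label"
        elif key.startswith("GC Policy rule"):
            section = "gc"
        elif section == "gc":
            continue
        else:
            # Labels are indented; an unindented key ends the label list.
            if section == "label" and not raw.startswith((" ", "\t")):
                section = "node"
            flat[f"{section}.{key.strip()}"] = value.strip()
    return flat


def allowed_entitlements(flat):
    """Entitlements the BuildKit daemon was started with, in command-line order."""
    flags = flat.get("node.BuildKit daemon flags", "")
    return re.findall(r"--allow-insecure-entitlement[ =](\S+)", flags)


def diff_builders(a, b):
    """Return {key: (value_in_a, value_in_b)} for every field that differs."""
    keys = (set(a) | set(b)) - IGNORED
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    working, failing = parse_inspect(WORKING), parse_inspect(FAILING)
    for key, (ok, bad) in diff_builders(working, failing).items():
        print(f"{key}: working={ok!r} failing={bad!r}")
    print("entitlements on failing builder:", allowed_entitlements(failing))
```

Fields that are equal on both sides, such as the BuildKit version here, drop out of the report, which leaves the driver, the endpoint, the daemon flags and the worker labels as the candidates to look at.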

@thaJeztah
Member

That was running on an Ubuntu 24.04 machine;

Kernel Version: 6.8.0-51-generic
 Operating System: Ubuntu 24.04.1 LTS

Somewhat similar to the GitHub actions runner;

Kernel Version: 6.8.0-1017-azure
Operating System: Ubuntu 24.04.1 LTS

The custom builder would be running inside a docker container, so there's additional nesting happening (possibly relevant);

A quick search on GitHub shows various spots where the error can come from, one of them from systemd (which for sure won't be present inside the build container);

https://github.com/linux-pam/linux-pam/blob/e634a3a9be9484ada6e93970dfaf0f055ca17332/libpam/pam_strerror.c#L60-L61
https://github.com/canonical/lightdm/blob/f043bfd81e10a3499e865aafd99781a4df854784/tests/src/libsystem.c#L1547-L1548
https://github.com/systemd/systemd/blob/f55a6fc1e35f5e5a1b51cbade9a7673f3d660f27/src/login/pam_systemd_loadkey.c#L54-L58

@thaJeztah
Member

thaJeztah commented Jan 18, 2025

Yeah; looks like it doesn't like running docker-in-docker;

on the host;

docker run -it --rm registry.fedoraproject.org/fedora:latest sudo whoami
root

Running inside a docker-in-docker container;

docker run -it --rm registry.fedoraproject.org/fedora:latest sudo whoami
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
sudo --version
Sudo version 1.9.15p5

@junghans
Author

@thaJeztah thanks for the detailed analysis. I am glad it is reproducible.

As a workaround for now, is there a way to switch the GitHub action to use the default builder?

@crazy-max
Member

> As a workaround for now, is there a way to switch the GitHub action to use the default builder?

Yes you can set the docker driver:

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker

@thaJeztah
Member

Did a quick check to see what could cause this; initially I was wondering if latest Fedora versions perhaps switched to using systemd for handling sudo. On Docker Desktop, the problem didn't show;

docker run -d --quiet --rm --privileged --name=dind docker:27-dind -H unix:///var/run/docker.sock
docker exec -it dind sh
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:40 sudo whoami
root
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:41 sudo whoami
root
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:latest sudo whoami
root

But running on Ubuntu 24.04 it does;

docker run -d --rm --privileged --name=dind docker:27-dind -H unix:///var/run/docker.sock
docker exec -it dind sh
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:40 sudo whoami
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:41 sudo whoami
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
/ # docker run -it --quiet --rm registry.fedoraproject.org/fedora:latest sudo whoami
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required

Checking syslog, it looks to be AppArmor blocking these calls:

tail -n 100  /var/log/syslog
2025-01-20T12:25:10.207489+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: eth0: renamed from veth8ec412c
2025-01-20T12:25:10.217579+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 4(veth9fa62ac) entered blocking state
2025-01-20T12:25:10.217601+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 4(veth9fa62ac) entered forwarding state
2025-01-20T12:25:10.219176+00:00 ubuntu-s-1vcpu-1gb-ams3-01 systemd-networkd[643]: veth9fa62ac: Gained carrier
2025-01-20T12:25:11.434009+00:00 ubuntu-s-1vcpu-1gb-ams3-01 systemd-networkd[643]: veth9fa62ac: Gained IPv6LL
2025-01-20T12:25:35.518478+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered blocking state
2025-01-20T12:25:35.518508+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered disabled state
2025-01-20T12:25:35.518511+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vethc5afc37: entered allmulticast mode
2025-01-20T12:25:35.518512+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vethc5afc37: entered promiscuous mode
2025-01-20T12:25:35.835778+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: eth0: renamed from veth7108517
2025-01-20T12:25:35.839663+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered blocking state
2025-01-20T12:25:35.839682+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered forwarding state
2025-01-20T12:25:36.017483+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: audit: type=1400 audit(1737375936.015:129): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=84777 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:25:36.101077+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered disabled state
2025-01-20T12:25:36.102616+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7108517: renamed from eth0
2025-01-20T12:25:36.114763+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered disabled state
2025-01-20T12:25:36.114782+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vethc5afc37 (unregistering): left allmulticast mode
2025-01-20T12:25:36.114784+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vethc5afc37 (unregistering): left promiscuous mode
2025-01-20T12:25:36.114786+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(vethc5afc37) entered disabled state
2025-01-20T12:25:53.657476+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered blocking state
2025-01-20T12:25:53.657495+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered disabled state
2025-01-20T12:25:53.657496+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7f83543: entered allmulticast mode
2025-01-20T12:25:53.657497+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7f83543: entered promiscuous mode
2025-01-20T12:25:53.886468+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: eth0: renamed from veth4c7a0fd
2025-01-20T12:25:53.889491+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered blocking state
2025-01-20T12:25:53.889508+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered forwarding state
2025-01-20T12:25:54.105489+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: audit: type=1400 audit(1737375954.103:130): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=84859 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:25:54.172473+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered disabled state
2025-01-20T12:25:54.172504+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth4c7a0fd: renamed from eth0
2025-01-20T12:25:54.186495+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered disabled state
2025-01-20T12:25:54.186514+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7f83543 (unregistering): left allmulticast mode
2025-01-20T12:25:54.186516+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7f83543 (unregistering): left promiscuous mode
2025-01-20T12:25:54.186518+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7f83543) entered disabled state
2025-01-20T12:26:05.074481+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered blocking state
2025-01-20T12:26:05.074499+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered disabled state
2025-01-20T12:26:05.074500+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7d3aef0: entered allmulticast mode
2025-01-20T12:26:05.074501+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7d3aef0: entered promiscuous mode
2025-01-20T12:26:05.283530+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: eth0: renamed from vetha46b3df
2025-01-20T12:26:05.287526+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered blocking state
2025-01-20T12:26:05.287554+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered forwarding state
2025-01-20T12:26:05.409485+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: audit: type=1400 audit(1737375965.407:131): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=84940 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:26:05.476518+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered disabled state
2025-01-20T12:26:05.476537+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: vetha46b3df: renamed from eth0
2025-01-20T12:26:05.490473+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered disabled state
2025-01-20T12:26:05.491492+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7d3aef0 (unregistering): left allmulticast mode
2025-01-20T12:26:05.491507+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: veth7d3aef0 (unregistering): left promiscuous mode
2025-01-20T12:26:05.491510+00:00 ubuntu-s-1vcpu-1gb-ams3-01 kernel: docker0: port 1(veth7d3aef0) entered disabled state

Which makes me consider this could be similar to;

And related to changes in Ubuntu no longer allowing "unconfined" processes, but requiring any process to be assigned a profile;
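The AppArmor denials are easy to lose among the bridge and veth messages in a syslog tail like the one above. This added example (not part of the original comment) pulls out the `apparmor="DENIED"` records and groups them by profile, command, path and mask; the sample lines are constructed in the same format, and the function names are hypothetical.

```python
import re
import shlex
from collections import Counter

# Constructed sample in the format of the syslog excerpt above
# (host name, interface names, pids and audit serials are made up).
SAMPLE_SYSLOG = """\
2025-01-20T12:25:35.8+00:00 host kernel: docker0: port 1(veth0000001) entered forwarding state
2025-01-20T12:25:36.0+00:00 host kernel: audit: type=1400 audit(1737375936.015:1): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=1001 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:25:54.1+00:00 host kernel: audit: type=1400 audit(1737375954.103:2): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/dev/console" pid=1002 comm="unix_chkpwd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
2025-01-20T12:26:00.0+00:00 host kernel: audit: type=1400 audit(1737375960.000:3): apparmor="ALLOWED" operation="open" class="file" profile="example-complain" name="/tmp/x" pid=1003 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# type=1400 is the audit record type seen in the excerpt above.
AUDIT_RE = re.compile(r"audit: type=1400 audit\((\d+\.\d+):(\d+)\): (.*)$")


def parse_denials(text):
    """Return one dict per apparmor="DENIED" record found in syslog text."""
    events = []
    for line in text.splitlines():
        match = AUDIT_RE.search(line)
        if not match:
            continue  # bridge/veth noise and other non-audit lines
        # shlex strips the quotes, so name="/dev/console" -> name=/dev/console
        tokens = shlex.split(match.group(3))
        fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        if fields.get("apparmor") != "DENIED":
            continue  # complain-mode profiles log ALLOWED, which is not a block
        fields["epoch"] = float(match.group(1))
        events.append(fields)
    return events


def summarize(events):
    """Count denials per (profile, comm, path, denied_mask)."""
    return Counter(
        (e.get("profile"), e.get("comm"), e.get("name"), e.get("denied_mask"))
        for e in events
    )


if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE_SYSLOG)).most_common():
        print(f"{count}x profile={key[0]} comm={key[1]} path={key[2]} denied={key[3]}")
```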

@thaJeztah
Member

Did some further testing;

✅ Docker 27.5.0 on Docker Desktop works;

 Kernel Version: 6.12.5-linuxkit
 Operating System: Docker Desktop

✅ Docker 27.5.0 on Ubuntu 20.04 works;

Kernel Version: 5.4.0-122-generic
 Operating System: Ubuntu 20.04.4 LTS

✅ Docker 27.5.0 on Ubuntu 22.04 works;

Kernel Version: 5.15.0-113-generic
 Operating System: Ubuntu 22.04.4 LTS

❌ Docker 27.5.0 on Ubuntu 24.04 doesn't work;

Kernel Version: 6.8.0-51-generic
 Operating System: Ubuntu 24.04.1 LTS

❌ Docker 27.5.0 on Ubuntu 24.10 doesn't work;

Kernel Version: 6.11.0-9-generic
 Operating System: Ubuntu 24.10

Running sudo inside an Ubuntu container (inside the DIND container) also works;

docker run -it --quiet --rm ubuntu:24.04

# inside the container:
apt-get update && apt-get install -y sudo
sudo whoami
root

The location of the unix_chkpwd binary is the same, but setuid on it differs (shadow on Ubuntu, and root on Fedora);

docker run -it --quiet --rm ubuntu:24.04 sh -c 'command -v unix_chkpwd'
/usr/sbin/unix_chkpwd

docker run -it --quiet --rm ubuntu:24.04 ls -la /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 31040 May  2  2024 /usr/sbin/unix_chkpwd

docker run -it --quiet --rm registry.fedoraproject.org/fedora:41 sh -c 'command -v unix_chkpwd'
/usr/sbin/unix_chkpwd

docker run -it --quiet --rm registry.fedoraproject.org/fedora:41 ls -la /usr/sbin/unix_chkpwd
-rwsr-xr-x 1 root root 32560 Nov 25 00:00 /usr/sbin/unix_chkpwd

@thaJeztah
Member

Comparing apparmor_status;

Ubuntu 20.04;

apparmor_status
apparmor module is loaded.
29 profiles are loaded.
29 profiles are in enforce mode.
   /snap/snapd/16292/usr/lib/snapd/snap-confine
   /snap/snapd/16292/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Ubuntu 22.04;

apparmor_status
apparmor module is loaded.
40 profiles are loaded.
40 profiles are in enforce mode.
   /snap/snapd/21759/usr/lib/snapd/snap-confine
   /snap/snapd/21759/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
   snap.lxd.user-daemon
   tcpdump
   ubuntu_pro_apt_news
   ubuntu_pro_esm_cache
   ubuntu_pro_esm_cache//apt_methods
   ubuntu_pro_esm_cache//apt_methods_gpgv
   ubuntu_pro_esm_cache//cloud_id
   ubuntu_pro_esm_cache//dpkg
   ubuntu_pro_esm_cache//ps
   ubuntu_pro_esm_cache//ubuntu_distro_info
   ubuntu_pro_esm_cache_systemctl
   ubuntu_pro_esm_cache_systemd_detect_virt
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

Ubuntu 24.04:

apparmor_status
apparmor module is loaded.
120 profiles are loaded.
25 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   plasmashell
   plasmashell//QtWebEngineProcess
   rsyslogd
   tcpdump
   ubuntu_pro_apt_news
   ubuntu_pro_esm_cache
   ubuntu_pro_esm_cache//apt_methods
   ubuntu_pro_esm_cache//apt_methods_gpgv
   ubuntu_pro_esm_cache//cloud_id
   ubuntu_pro_esm_cache//dpkg
   ubuntu_pro_esm_cache//ps
   ubuntu_pro_esm_cache//ubuntu_distro_info
   ubuntu_pro_esm_cache_systemctl
   ubuntu_pro_esm_cache_systemd_detect_virt
   unix-chkpwd
   unprivileged_userns
4 profiles are in complain mode.
   transmission-cli
   transmission-daemon
   transmission-gtk
   transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
91 profiles are in unconfined mode.
   1password
   Discord
   MongoDB Compass
   QtWebEngineProcess
   balena-etcher
   brave
   buildah
   busybox
   cam
   ch-checkns
   ch-run
   chrome
   crun
   devhelp
   element-desktop
   epiphany
   evolution
   firefox
   flatpak
   foliate
   geary
   github-desktop
   goldendict
   ipa_verify
   kchmviewer
   keybase
   lc-compliance
   libcamerify
   linux-sandbox
   loupe
   lxc-attach
   lxc-create
   lxc-destroy
   lxc-execute
   lxc-stop
   lxc-unshare
   lxc-usernsexec
   mmdebstrap
   msedge
   nautilus
   notepadqq
   obsidian
   opam
   opera
   pageedit
   podman
   polypane
   privacybrowser
   qcam
   qmapshack
   qutebrowser
   rootlesskit
   rpm
   rssguard
   runc
   sbuild
   sbuild-abort
   sbuild-adduser
   sbuild-apt
   sbuild-checkpackages
   sbuild-clean
   sbuild-createchroot
   sbuild-destroychroot
   sbuild-distupgrade
   sbuild-hold
   sbuild-shell
   sbuild-unhold
   sbuild-update
   sbuild-upgrade
   scide
   signal-desktop
   slack
   slirp4netns
   steam
   stress-ng
   surfshark
   systemd-coredump
   thunderbird
   toybox
   trinity
   tup
   tuxedo-control-center
   userbindmount
   uwsgi-core
   vdens
   virtiofsd
   vivaldi-bin
   vpnns
   vscode
   wike
   wpcom
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/rsyslogd (890) rsyslogd
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.

In Ubuntu 24.04, there are many more profiles loaded, and I see unix-chkpwd in there. Checking what it contains, that indeed looks like one that could block access;

cat /etc/apparmor.d/unix-chkpwd
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

# The apparmor.d project comes with several variables and abstractions
# that are not part of upstream AppArmor yet. Therefore this profile was
# adopted to use abstractions and variables that are available.
# Copyright (C) Christian Boltz 2024

abi <abi/4.0>,

include <tunables/global>

profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
  include <abstractions/base>
  include <abstractions/nameservice>

  # To write records to the kernel auditing log.
  capability audit_write,

  network netlink raw,

  /{,usr/}{,s}bin/unix_chkpwd mr,

  /etc/shadow r,

  # systemd userdb, used in nspawn
  /run/host/userdb/*.user r,
  /run/host/userdb/*.user-privileged r,

  # file_inherit
  owner /dev/tty[0-9]* rw,

  include if exists <local/unix-chkpwd>
}
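The request recorded in the DENIED lines earlier in the thread (write to /dev/console, fsuid=0, ouid=0) can be checked against the file rules of the profile quoted above. This is an added example, not part of the original comment or of AppArmor itself: it handles only plain globs and flat `{a,b}` alternations, it assumes the included abstractions and `<local/unix-chkpwd>` add nothing (they are not expanded), and the function names are hypothetical.

```python
import re

# File rules copied from the unix-chkpwd profile quoted above. Assumption:
# the included abstractions and <local/unix-chkpwd> are not expanded.
PROFILE_RULES = """\
/{,usr/}{,s}bin/unix_chkpwd mr,
/etc/shadow r,
/run/host/userdb/*.user r,
/run/host/userdb/*.user-privileged r,
owner /dev/tty[0-9]* rw,
"""

# AppArmor glob tokens: ** crosses "/", * and ? do not, {a,b} alternates.
TOKEN = re.compile(r"\*\*|\*|\?|\{[^{}]*\}|\[[^\]]+\]|.")
SIMPLE = {"**": ".*", "*": "[^/]*", "?": "[^/]"}


def _convert(match):
    tok = match.group(0)
    if tok in SIMPLE:
        return SIMPLE[tok]
    if tok[0] == "{" and tok[-1] == "}":
        return "(?:" + "|".join(re.escape(a) for a in tok[1:-1].split(",")) + ")"
    if tok[0] == "[" and tok[-1] == "]":
        return tok  # character classes use the same syntax in both
    return re.escape(tok)


def parse_rules(text):
    """Return (owner_only, compiled_path_regex, permission_set) per rule."""
    rules = []
    for line in text.splitlines():
        parts = line.rstrip(",").split()
        regex = re.compile(TOKEN.sub(_convert, parts[-2]))
        rules.append((parts[0] == "owner", regex, set(parts[-1])))
    return rules


def granting_rule(rules, path, mask, fsuid, ouid):
    """Return the regex of the first rule granting `mask` on `path`, else None."""
    for owner_only, regex, perms in rules:
        if owner_only and fsuid != ouid:
            continue  # "owner" rules apply only to files the task owns
        if regex.fullmatch(path) and set(mask) <= perms:
            return regex.pattern
    return None


RULES = parse_rules(PROFILE_RULES)
CONSOLE_WRITE = granting_rule(RULES, "/dev/console", "w", 0, 0)  # the logged request
```

Under those assumptions no explicit rule covers a write to /dev/console, while the same request against /dev/tty1 is matched by the `owner /dev/tty[0-9]* rw` rule.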
