Why does `sudo` fail in a simple container on Fedora 32?

Question

I am scratching my head trying to figure this one out.

Under a freshly installed Fedora 32, the following minimal container does not execute properly:

FROM centos:7

RUN yum install -y sudo && yum clean all -y
RUN useradd -m test
RUN sudo -u test true

To test this, execute:

podman build .

The result is:

STEP 4: RUN sudo -u test true
sudo: PAM account management error: Authentication service cannot retrieve authentication info
Error: error building at STEP "RUN sudo -u test true": error while running runtime: exit status 1

Now I am wondering, what makes fedora 32 special? I am pretty sure this used to work under 31. Since the version of sudo being involved and its environment is unchanged, the only difference could be podman. But what does podman have to do with the invocation of sudo inside the container (or PAM in general)?

(this question was tagged with "docker" because I cannot create the tag "podman")

Answer 1

Ok, so here is what I figured out after many painful hours of debugging.

1. I had migrated to a new laptop before trying this. I did this by copying /home from the old to the new laptop.
2. The image cache on my new home directory contained some kind of fault. podman did not complain or try to re-download the image, but I could see (by comparison to another machine) that the hash was different. Inside the image the /etc/shadow was missing - I have no clue why or how that could have happened, though.
3. After completely wiping any podman cache and re-downloading, I got the correct images and everything worked again.

So this must have been a very specific error when copying podman images from Fedora 31 to 32. The image was somewhat intact. I could run it. But it completely missed at least one crucial file. Quite bizarre.