blog:2022:01:30:2022-01-30_-_missing_user_in_docker_image [2022/01/30 20:40] (current) – created basz
====== 2022-01-30 - missing user in docker image ======

most of the time i don't run docker images as ''root''... for obvious reasons. ;) however, there are some tools that will complain if the current UID does not have a corresponding ''/etc/passwd'' entry. for example, calling ''ssh-keygen -f mykey -N "" -t "ed25519"'' inside a container started with ''--user 1234:1234'' will fail with the error ''No user 1234''. :/

while i'm far from seeing the logic in ''ssh-keygen'' needing an ''/etc/passwd'' entry for the current user, that's how things seem to work atm.

many ppl on the internet suggest just adding your user to the image, or simply assuming that UID:GID is 1000:1000. both are a no-go for me. adding a user to the image makes it impossible to change later on, so everyone is stuck with your hardcoded user... which might not even match their setup! it's true that 1000:1000 is the most common on workstations, since an installation usually has just one user account, but this fails spectacularly on shared hosts (eg. build machines for CI agents), where typically multiple users have access. a CI agent is also a typical setup where you might share a volume between host and container, so that build artifacts "survive" after the container is done building them.

so a workaround for this situation is needed. my current best take is a proxy shell script, like this:
<code bash>
#!/bin/bash
set -eu -o pipefail

# workaround for missing user account in /etc/passwd - some tools can't handle it...
# REAL_USER is expected as "UID:GID"; with "set -u" the script aborts early if it is missing
read -r R_UID R_GID <<< "$(echo "$REAL_USER" | tr ':' ' ')"
# create the group only if the GID is not already taken inside the image
getent group "$R_GID" >/dev/null || groupadd -g "$R_GID" "user"
useradd -g "$R_GID" -u "$R_UID" -s "/bin/bash" "user"

# drop privileges to the real user (numeric IDs, so it also works when the GID
# belongs to a group with a different name) and replace this shell with the
# requested command, or with an interactive bash when nothing was given
if [ $# -eq 0 ]
then
  exec setpriv --reuid "$R_UID" --regid "$R_GID" --init-groups "bash"
fi
exec setpriv --reuid "$R_UID" --regid "$R_GID" --init-groups "$@"
</code>

it can then be added to the ''Dockerfile'':
<code dockerfile>
FROM your_favorite_distro:version
# the script has to be executable in the build context, COPY keeps the file mode
COPY shell_proxy /usr/local/bin/
ENTRYPOINT ["shell_proxy"]
...
</code>

and the container run like this:
<code bash>
docker run \
  -it \
  --rm \
  -e REAL_USER="$(id -u):$(id -g)" \
  container \
    command arg1 arg2 ...
</code>

so ''docker'' will now start the container as ''root'', with ''REAL_USER'' pointing to the UID and GID it should really be running as. in the entrypoint script a user named ''user'' is created with the appropriate UID and GID, and then ''setpriv'' is used to execute the provided command, or to start an interactive ''bash'' shell if no command is given.
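the entrypoint above trusts ''REAL_USER'' blindly and assumes the UID and GID are still free inside the image. as an added example (not part of the original post), these helper functions validate the ''UID:GID'' value and check it against a constructed sample of an image's ''/etc/passwd'' and ''/etc/group'', reporting whether the script can create the user, has to reuse an existing group, or would hit a UID conflict that makes ''useradd'' abort:

```bash
#!/bin/bash
# constructed samples of an image's /etc/passwd and /etc/group (not taken from the post)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
builder:x:1000:1000::/home/builder:/bin/sh'
SAMPLE_GROUP='root:x:0:
builder:x:1000:'

# accept only the "UID:GID" shape that "$(id -u):$(id -g)" produces; anything else
# would make groupadd/useradd fail later with a much less obvious message
parse_real_user() {
  case "$1" in
    ''|:*|*:|*:*:*|*[!0-9:]*) return 1 ;;
    *:*) ;;
    *) return 1 ;;
  esac
  printf '%s %s\n' "${1%%:*}" "${1##*:}"
}

# print the name that owns numeric id $2 in passwd/group style data $1 (third field)
name_for_id() {
  printf '%s\n' "$1" | awk -F: -v id="$2" '$3 == id { print $1; exit }'
}

# decide what the entrypoint has to do for a given REAL_USER value:
#   create   - neither UID nor GID exists yet, groupadd/useradd work as in the post
#   reuse    - GID already exists under another name, only the user must be added
#   conflict - UID is already taken, useradd would abort the script under "set -e"
entrypoint_plan() {
  local ids uid gid owner group
  ids=$(parse_real_user "$1") || { echo "invalid REAL_USER: $1"; return 1; }
  uid=${ids%% *}
  gid=${ids##* }
  owner=$(name_for_id "$SAMPLE_PASSWD" "$uid")
  group=$(name_for_id "$SAMPLE_GROUP" "$gid")
  if [ -n "$owner" ]; then
    echo "conflict: uid $uid already belongs to $owner"
    return 2
  elif [ -n "$group" ]; then
    echo "reuse: gid $gid exists as $group, skip groupadd"
  else
    echo "create: groupadd -g $gid and useradd -u $uid"
  fi
}
```

to use the same checks in the real entrypoint, swap the sample strings for ''getent passwd'' / ''getent group'' lookups.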