
2022-01-30 - missing user in docker image

most of the time i don't run docker images as root… for obvious reasons. ;) however there are some tools that will complain if the current UID does not have a corresponding /etc/passwd entry. for example calling ssh-keygen -f mykey -N "" -t ed25519 inside a container started with --user 1234:1234 ends up with the error "No user 1234". :/

while i'm far from seeing the logic in ssh-keygen needing an /etc/passwd entry for the current user, that's how things seem to work atm.

many ppl on the internet suggest just adding your user to the image, or simply assuming that UID:GID is 1000:1000. these are no-gos for me. adding a user to the image makes it impossible to change later on, so everyone is stuck with your hardcoded user… which might not even match their setup! it's true that 1000:1000 is the most common on workstations, since the installation usually has just one user account, but this fails spectacularly on shared hosts (eg. build machines running CI agents), where typically multiple users have access. a CI agent is also a typical setup where one might share a volume between host and container, so that build artifacts "survive" after the container is done building them.

so a workaround for this situation is needed. my current best take is a proxy shell script, like this:

#!/bin/bash
set -eu -o pipefail

# workaround for missing user account in /etc/passwd - some tools can't handle it...
# REAL_USER is "uid:gid" of the host user, passed in with -e at docker run time
IFS=: read -r R_UID R_GID <<< "$REAL_USER"
groupadd -g "$R_GID" "user"
useradd -g "$R_GID" -u "$R_UID" -s "/bin/bash" "user"

# drop root and run either the given command or an interactive bash
if [ $# -eq 0 ]
then
  exec setpriv --reuid "user" --regid "user" --init-groups "bash"
fi
exec setpriv --reuid "user" --regid "user" --init-groups "$@"

it can then be added to Dockerfile:

FROM your_favorite_distro:version
COPY shell_proxy /usr/local/bin/
ENTRYPOINT ["shell_proxy"]
...

and run container like this:

docker run \
  -it \
  --rm \
  -e REAL_USER="$(id -u):$(id -g)" \
  container \
    command arg1 arg2 ...

so docker will now start the container as root, with REAL_USER pointing to the UID and GID of the user it should really be running as. in the entrypoint script a user named "user" is created with the appropriate UID and GID, and then setpriv is used to execute the provided command, or to start an interactive bash shell if no command is given.
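a stricter variant of the same entrypoint, added here as an example and not the post's own script: it validates REAL_USER, reuses a group or account that already owns the requested id instead of failing in groupadd/useradd, refuses to continue unless the container was started as root (so it can't be combined with --user), and only then drops privileges with setpriv. the function names (parse_real_user, pick_name, ensure_account, shell_proxy_main) are my own and it assumes the same REAL_USER="uid:gid" contract as above.

```shell
#!/bin/sh
# added example, not the post's script: stricter shell_proxy entrypoint, POSIX sh
set -eu

# validate "uid:gid" and print "uid gid"; anything else is rejected
parse_real_user() {
  uid=${1%%:*}; gid=${1#*:}
  case "$1" in *:*) ;; *) uid="" ;; esac   # no colon at all -> invalid
  for part in "$uid" "$gid"; do
    case "$part" in ''|*[!0-9]*)
      echo "shell_proxy: bad REAL_USER '$1', want <uid>:<gid>" >&2; return 1 ;;
    esac
  done
  echo "$uid $gid"
}

# name of the account/group that already owns this id, or "user" if none
# (e.g. gid 100 is already 'users' on debian images; groupadd -g 100 would fail)
pick_name() {  # pick_name passwd|group <id>
  name=""
  if command -v getent >/dev/null 2>&1; then
    name=$(getent "$1" "$2" 2>/dev/null | cut -d: -f1) || name=""
  fi
  echo "${name:-user}"
}

# create group/user only when the id is not taken yet; a pre-existing
# account literally called "user" with another id still fails loudly
ensure_account() {  # ensure_account <uid> <gid>
  [ "$(pick_name group "$2")" != user ] || groupadd -g "$2" user
  [ "$(pick_name passwd "$1")" != user ] || useradd -g "$2" -u "$1" -s /bin/bash user
}

shell_proxy_main() {
  ids=$(parse_real_user "$REAL_USER")
  r_uid=${ids%% *}; r_gid=${ids##* }
  [ "$(id -u)" -eq 0 ] || { echo "shell_proxy: must start as root to become $r_uid:$r_gid" >&2; exit 1; }
  ensure_account "$r_uid" "$r_gid"
  [ $# -gt 0 ] || set -- bash
  # drop root for good; --init-groups resolves supplementary groups via the new passwd entry
  exec setpriv --reuid "$r_uid" --regid "$r_gid" --init-groups "$@"
}
# entrypoint behaviour; without REAL_USER only the functions are defined
if [ -n "${REAL_USER:-}" ]; then
  shell_proxy_main "$@"
else
  echo "shell_proxy: REAL_USER not set (expected uid:gid), nothing executed" >&2
fi
```

the docker run invocation stays the same as above; a malformed REAL_USER or a container started without root privileges now aborts instead of half-working.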

blog/2022/01/30/2022-01-30_-_missing_user_in_docker_image.txt · Last modified: 2022/01/30 20:40 by basz