This repository has been archived by the owner on Aug 29, 2018. It is now read-only.

Create group before creating container user. #203

Closed
wants to merge 1 commit into from

Conversation

mrunalp
Member

@mrunalp mrunalp commented Jun 17, 2014

This is a bit tricky as creating a group before creating a user doesn't work on busybox, but potentially breaks other images e.g. pmorie/sti-html-app. The fix solves the non-busybox case #202

@mrunalp
Member Author

mrunalp commented Jun 17, 2014

[test]

@mrunalp
Member Author

mrunalp commented Jun 17, 2014

[test]

@mfojtik
Contributor

mfojtik commented Jun 17, 2014

@mrunalp can we just 2>/dev/null groupadd ? So if running on busybox, it will just silently fail.

@mrunalp
Member Author

mrunalp commented Jun 17, 2014

@mfojtik I don't see the point of adding a command that we know is going to fail. I think we are going too far to make busybox work.

@smarterclayton
Contributor

@mrunalp remember, we have to make every Docker image work with isolate, not just the ones we create.

@mrunalp
Member Author

mrunalp commented Jun 18, 2014

@smarterclayton Agreed, see -- https://gist.github.com/mrunalp/f9fec89b4ff29097d3b5
addgroup followed by adduser fails on busybox and so I am not adding it.

@smarterclayton
Contributor

@mrunalp but that means busybox is broken with isolation, as will others who don't have groupadd created. I think the point of my statement was that we have to make isolate tolerate the "no groupadd/useradd" functionality, or isolate itself is broken.

@mrunalp
Member Author

mrunalp commented Jun 18, 2014

@smarterclayton adduser -u {{.Uid}} -g {{.Gid}} {{.ContainerUser}} works on busybox. Beyond that we need what other permutations are possible or use a lower level API. (Last time I poked in useradd code, it manipulates the concerned files directly and doesn't seem to expose an API but I can look again).

@mfojtik
Contributor

mfojtik commented Jun 19, 2014

[test]

@openshift-bot

Evaluated for origin up to 4940810

@mrunalp
Member Author

mrunalp commented Jun 19, 2014

@smarterclayton I looked into this a bit more. The busybox case is more complicated when there is a docker user defined in an image based off busybox. There are no usermod/groupmod commands available in busybox. The workaround is to implement these commands in portable sh. Even with that we have to make assumptions that certain utilities are available, e.g. grep or sed. The problem is that we are relying on the contents of an image and there is no guarantee what will be available. This means that we cannot support all images but we can do our best and try to capture the common cases.

One alternative is to forgo the whole useradd/usergroup manipulation as we only care about uid/gids. The downside is not handling the Dockerfile USER case well.
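
The "portable sh" idea raised in the thread, as an added sketch that is not part of the conversation or the project's code: it ensures a uid/gid pair in an image's account files using only shell builtins and reports the Dockerfile USER conflict instead of rewriting entries. The names `field_of` and `ensure_ids`, the `ROOT` argument and the return codes are assumptions made for this example.

```shell
# Added example (not from the PR). field_of and ensure_ids are hypothetical names.
# Uses only shell builtins, since the image may lack useradd, usermod, grep or sed.

# field_of FILE KEYCOL KEY OUTCOL: find the first passwd/group entry whose column
# KEYCOL (1 = name, 3 = numeric id) equals KEY; print column OUTCOL. 1 if absent.
field_of() {
    [ -f "$1" ] || return 1
    while IFS=: read -r name _pw id _rest; do
        if [ "$2" = 1 ]; then key=$name; else key=$id; fi
        if [ "$key" = "$3" ]; then
            if [ "$4" = 1 ]; then echo "$name"; else echo "$id"; fi
            return 0
        fi
    done < "$1"
    return 1
}

# ensure_ids ROOT USER UID GID: make sure ROOT/etc/group has GID and
# ROOT/etc/passwd maps USER to UID. Returns 0 on success (idempotent),
# 2 on invalid input, 3 on a conflict with an entry the image already has.
ensure_ids() {
    root=$1 user=$2 uid=$3 gid=$4
    passwd=$root/etc/passwd group=$root/etc/group
    # Reject anything that could smuggle ':' or a newline into the files.
    case "$user" in ''|*[!a-z0-9_-]*) return 2 ;; esac
    for n in "$uid" "$gid"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    # Decide everything before writing so a conflict leaves both files untouched.
    if cur=$(field_of "$passwd" 1 "$user" 3); then
        # Name already defined (e.g. by a Dockerfile USER): only the same uid is fine.
        if [ "$cur" = "$uid" ]; then need_user=no; else return 3; fi
    elif field_of "$passwd" 3 "$uid" 1 >/dev/null; then
        return 3    # uid already belongs to another name
    else
        need_user=yes
    fi
    if field_of "$group" 3 "$gid" 1 >/dev/null; then
        need_group=no    # gid exists under some name; reuse it
    elif field_of "$group" 1 "$user" 3 >/dev/null; then
        return 3    # group name taken by a different gid
    else
        need_group=yes
    fi
    if [ "$need_group" = yes ]; then echo "$user:x:$gid:" >> "$group" || return 1; fi
    # Group is written before the user. Home "/" and shell "/bin/sh" are constructed values.
    if [ "$need_user" = yes ]; then echo "$user:x:$uid:$gid::/:/bin/sh" >> "$passwd" || return 1; fi
    return 0
}
```
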


4 participants