Docker, why the user and group are different? - linux

I created a Dockerfile in the following
FROM nvidia/cuda:10.1-cudnn7-runtime-ubuntu18.04
ENV CUDA_PATH /usr/local/cuda
ENV CUDA_INCLUDE_PATH /usr/local/cuda/include
ENV CUDA_LIBRARY_PATH /usr/local/cuda/lib64
RUN apt update -yq
RUN apt install -yq curl wget unzip git vim cmake zlib1g-dev g++ gcc sudo build-essential libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libreadline-dev libffi-dev openssh-server
RUN adduser --disabled-password --gecos '' docker && \
adduser docker sudo && \
echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
RUN mkdir -p /.cache/pip
RUN mkdir -p /.local/share
RUN mkdir -p /.local/lib
RUN mkdir -p /.local/bin
RUN chown -R docker:docker /.cache/pip
RUN chown -R docker:docker /.local
RUN chown -R docker:docker /.local/lib
RUN chown -R docker:docker /.local/bin
# Configure SSHD.
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's#session\s*required\s*pam_loginuid.so#session optional pam_loginuid.so#g' -i /etc/pam.d/sshd
RUN mkdir /var/run/sshd
RUN bash -c 'install -m755 <(printf "#!/bin/sh\nexit 0") /usr/sbin/policy-rc.d'
RUN ex +'%s/^#\zeListenAddress/\1/g' -scwq /etc/ssh/sshd_config
RUN ex +'%s/^#\zeHostKey .*ssh_host_.*_key/\1/g' -scwq /etc/ssh/sshd_config
RUN RUNLEVEL=1 dpkg-reconfigure openssh-server
RUN ssh-keygen -A -v
RUN update-rc.d ssh defaults
RUN ln -s /lib/x86_64-linux-gnu/libc.so.6 /lib64/libc.so.6
RUN ln -s /lib/x86_64-linux-gnu/libc.so.6 /lib/libc.so.6
# Configure sudo.
RUN ex +"%s/^%sudo.*$/%sudo ALL=(ALL:ALL) NOPASSWD:ALL/g" -scwq! /etc/sudoers
USER docker
RUN ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
WORKDIR /home/docker/
RUN chmod a+rwx /home/docker/ && \
wget https://repo.anaconda.com/miniconda/Miniconda3-py37_4.10.3-Linux-x86_64.sh && \
bash Miniconda3-py37_4.10.3-Linux-x86_64.sh -b && rm Miniconda3-py37_4.10.3-Linux-x86_64.sh
ENV PATH /home/docker/.local/bin:$PATH
ENV PATH /home/docker/miniconda3/bin:$PATH
ENV which python3.7
RUN mkdir -p /home/docker/.local/
RUN chown -R docker:docker /home/docker/.local/
RUN chmod -R 777 /home/docker/.local/
RUN chmod -R 777 /.local/lib
RUN chmod -R 777 /.local/bin
RUN chmod -R 777 /.cache/pip/
RUN python3.7 -m pip install pip -U
RUN python3.7 -m pip install tensorflow-gpu==2.5.0 ray[rllib] gym[atari] torch==1.7.1 torchvision==0.8.2 scikit_learn==0.23.1 sacred==0.8.1 PyYAML==5.4.1 tensorboard_logger
# ENV PYTHONPATH "${PYTHONPATH}:/home/docker/.local/lib/python3.7/site-packages/"
RUN sudo ln -s $(which python3.7) /usr/bin/python
RUN ls $(python3.7 -c "import site; print(site.getsitepackages()[0])")
RUN python3.7 -m pip list
RUN python3.7 -m pip uninstall -y enum34
USER docker
RUN mkdir -p /home/docker/app
RUN chown -R docker:docker /home/docker/app
WORKDIR /home/docker/app
Then I built an image. After that, I run with this image.
NV_GPU=1 nvidia-docker run -i \
--name $name \
--user docker \
-v `pwd`:/home/docker/app \
-t MyImage:1.0 \
${#:2}
I used the user docker defined in the Dockerfile and mount current files to the workdir. However, it shows the docker user had no permission to create any files
PermissionError: [Errno 13] Permission denied
And the file in /home/docker/app
docker#109c5e6b269a:~/app$ ls -l
total 64
-rw-rw-r-- 1 1002 1003 11342 Oct 13 12:50 LICENSE
-rw-rw-r-- 1 1002 1003 4831 Oct 14 05:49 README.md
drwxrwxr-x 3 1002 1003 4096 Oct 14 08:12 docker
-rwxrw-r-- 1 1002 1003 225 Oct 14 08:36 run_train.sh
drwxrwxr-x 11 1002 1003 4096 Oct 14 03:46 src
drwxrwxr-x 4 1002 1003 4096 Oct 13 12:50 third-party
It shows the user and group are not docker. I tried to change owner to docker but some error occurred in my local file system.
How can I address this PermissionError issue?
Thank you.

You are mapping some directory (pwd) to a volume. The problem is that your local directory belongs to a user with UID=1002, but inside the container the user docker maps to a different UID (probably 1000).
One easy solution is to edit the Dockerfile to specify the UID when creating the user, so it matches your local directory.
If you want your image to be used by others, one good solution is to create an entry point script to modify the user's UID at container creation time, based on environment variable.

Related

Self-Hosted GitHub Runner: Error when running sudo "sudo: effective uid is not 0..."

I am trying to run self-hosted GitHub runners in a K8s cluster using actions-runner-controller. Whenever I run a workflow on the runner and attempt to use sudo, it fails with the following error: sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
I have created the runner user and added it to the sudo group with the following commands in my dockerfile. I have also made sure to set the permissions for the location where sudo is installed.
RUN apt-get update && apt-get install -y sudo \
&& adduser --disabled-password --gid 0 --gecos "" --uid 1001 runner \
&& groupadd docker \
&& usermod -aG sudo runner \
&& usermod -aG docker runner \
&& echo "%sudo ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers \
&& chown root:root /usr/bin/sudo \
&& chmod 4755 /usr/bin/sudo \
&& chmod u+s /usr/bin/sudo
In my runnerdeployment.yaml, I have tried multiple different settings for trying to get the runner to be able to run sudo. Including;
setting RUN_AS_ROOT to both true and false
Setting RUNNER_ALLOW_RUNASROOT to both 1 and 0
Having securityContext.runAsUser set to 1001 (uid of runner user) and not having it set
Nothing has seemed to help, and I have tried everything I've seen from other SA posts about the same error sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
Running mount does not show /usr/bin/sudo or / with the nosuid bit set, here's the output from some commands I have seen on other posts about this error:
> df `which sudo`
Filesystem 1K-blocks Used Available Use% Mounted on
overlay 129886128 26817760 103051984 21% /
> whomami
runner
> groups
root daemon sudo docker
> id
uid=1001(runner) gid=0(root) groups=0(root),1(daemon),27(sudo),1000(docker)
I am unsure what else to try to fix this issue.
Host OS is ubuntu-20.04 focal.
ls -l /usr/bin/sudo shows
-rwsr-xr-x 1 root root 166056 Jan 19 2021 /usr/bin/sudo
A few of the other posts I've looked at:
sudo: effective uid is not 0, is sudo installed setuid root?
https://superuser.com/questions/1580293/sudo-effective-uid-is-not-0-is-usr-bin-sudo-on-a-file-system-with-the-nosuid
https://superuser.com/questions/897284/sudo-effective-uid-is-not-0-is-sudo-installed-setuid-root-for-normal-users
https://askubuntu.com/questions/625540/suddenly-cant-run-sudo
Dockerfile Config:
FROM ubuntu:20.04
COPY --from=installer-env ["/actions-runner", "/actions-runner"]
# Set env vars
ENV RUNNER_WORKDIR "/_work"
ENV GITHUB_TOKEN ""
ENV RUNNER_SCOPE ""
ENV REPO_URL ""
ENV ORG_NAME ""
ENV RUNNER_NAME_PREFIX ""
ENV LABELS ""
ENV DISABLE_AUTOMATIC_DEREGISTRATION ""
ENV RUNNER_OPTIONS ""
ENV RUN_AS_ROOT "true"
ENV RUNNER_ALLOW_RUNASROOT=1
ENV RUNNER_TOOLS_DIRECTORY=/opt/hostedtoolcache
ARG GOSU_VERSION=1.10-1
COPY ./github-runner/user.sh ./github-runner/runnertoken.sh ./github-runner/entrypoint.sh /actions-runner/
COPY ./github-runner/startup_script.sh /usr/local/bin/
WORKDIR /actions-runner
# RUN
RUN apt-get update && apt-get install -y sudo \
&& adduser --disabled-password --gid 0 --gecos "" --uid 1001 runner \
&& groupadd docker \
&& usermod -aG sudo runner \
&& usermod -aG docker runner \
&& echo "%sudo ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers \
&& chown root:root /usr/bin/sudo \
&& chmod 4755 /usr/bin/sudo \
&& chmod u+s /usr/bin/sudo
RUN ./bin/installdependencies.sh \
&& mkdir -p ${RUNNER_WORKDIR} \
&& mkdir -p ${RUNNER_TOOLS_DIRECTORY} \
&& chown -R runner ${RUNNER_WORKDIR} /actions-runner ${RUNNER_TOOLS_DIRECTORY} /usr/local/bin/startup_script.sh \
&& chmod +x /actions-runner/runnertoken.sh /actions-runner/entrypoint.sh /usr/local/bin/startup_script.sh
RUN apt-get update \
&& apt-get install --no-install-recommends -y jq gosu=${GOSU_VERSION} 2>&1 \
# Clean up
&& apt-get autoremove -y \
&& apt-get clean -y \
&& rm -rf /var/lib/apt/lists/*
# Add premissions to runner user
ENTRYPOINT ["/actions-runner/entrypoint.sh"]

Using SSH inside docker with correct file permissions?

There are a few posts on how to use Docker + SSH. There are also posts on how to edit files mounted in a docker container, such that editing them won't cause the permissions to become root.
I'm trying to combine the 2 things, so I can SSH into a docker container and edit files without messing up their permissions.
For, using the correct file permissions, I use:
- /etc/passwd:/etc/passwd:ro
- /etc/group:/etc/group:ro
in my docker-compose.yml and
docker compose -f commands/dev/docker-compose.yml run \
--service-ports \
--user $(id -u) \
develop \
bash
so that when I start the docker container, my user is the same user as my local computer.
However, this breaks up my SSH setup inside the Docker container:
useradd -rm -d /home/ubuntu -s /bin/bash -g root -G sudo ubuntu
echo 'ubuntu:ubuntu' | chpasswd
# passwd -d ubuntu
apt install -y --no-install-recommends openssh-server vim-tiny sudo
# See: https://stackoverflow.com/questions/22886470/start-sshd-automatically-with-docker-container
sed 's#session\s*required\s*pam_loginuid.so#session optional pam_loginuid.so#g' -i /etc/pam.d/sshd
mkdir /var/run/sshd
bash -c 'install -m755 <(printf "#!/bin/sh\nexit 0") /usr/sbin/policy-rc.d'
ex +'%s/^#\zeListenAddress/\1/g' -scwq /etc/ssh/sshd_config
ex +'%s/^#\zeHostKey .*ssh_host_.*_key/\1/g' -scwq /etc/ssh/sshd_config
RUNLEVEL=1 dpkg-reconfigure openssh-server
ssh-keygen -A -v
update-rc.d ssh defaults
# Configure sudo
ex +"%s/^%sudo.*$/%sudo ALL=(ALL:ALL) NOPASSWD:ALL/g" -scwq! /etc/sudoers
Here I'm creating a user called ubuntu with password ubuntu for SSH-ing. This lets me SSH in ubuntu#localhost using the password ubuntu.
The issue is that by mounting the /etc/passwd file into my container, I erase the ubuntu user inside the container. This means when I try to ssh in with ssh -p 9002 ubuntu#localhost, the authentication fails (9002 is what I bind port 22 in the container to on the host).
Does anyone have a solution?
Here's a first pass answer.
I can use:
useradd -rm -d /home/yourusername -s /bin/bash -g root -G sudo yourusername
instead of
useradd -rm -d /home/ubuntu -s /bin/bash -g root -G sudo ubuntu
echo 'ubuntu:ubuntu' | chpasswd
then, I:
Run the ssh server in the container with:
su root
/usr/sbin/sshd -D -o ListenAddress=0.0.0.0 -o PermitRootLogin=yes
I can ssh into the container as root (using the root password "root", which I set with RUN echo 'root:root' | chpasswd in the Dockerfile).
Then, I can do su yourusername, to switch my user.
While this works, it is pretty annoying since I need to bake the user name into the Docker container.

Run Ubuntu Docker container as User with sudo access

I'm trying to write a Dockerfile that creates a user with a home directory who is part of sudoers group and that launches the container as this user.
The problem I'm facing is that, from within the container, every command needs to be prepended sudo, which obviously creates permission issues for every file that's created.
My reasoning behind doing this is that I want a container that mimics a clean linux environment from which I can write install scripts for users.
Here is a copy of my Dockerfile so far:
FROM ubuntu:20.04
# Make user home
RUN mkdir -p /home/nick
# Create a nick user
RUN useradd -r -d /home/nick -m -s /sbin/nologin -c "Docker image user" nick
# Add to sudoers
RUN usermod -a -G sudo nick
# Change ownership of home directory
RUN chown -R nick:nick $HOME
# Set password
RUN echo "nick:******" | chpasswd
# Install sudo
RUN apt-get -y update && apt-get -y install sudo
ENV HOME=/home/nick
WORKDIR $HOME
USER nick
I don't understand why this doesn't work:
FROM continuumio/miniconda3
# FROM --platform=linux/amd64 continuumio/miniconda3
MAINTAINER Brando Miranda "brandojazz#gmail.com"
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ssh \
git \
m4 \
libgmp-dev \
opam \
wget \
ca-certificates \
rsync \
strace \
gcc \
rlwrap \
sudo
# https://github.com/giampaolo/psutil/pull/2103
RUN useradd -m bot
# format for chpasswd user_name:password
RUN echo "bot:bot" | chpasswd
RUN adduser bot sudo
WORKDIR /home/bot
USER bot
# CMD /bin/bash

EFS mount on ECS Fargate - Read/write permissions denied for non root user

I have an ECS Fargate container running a nodejs application with non-root permissions and is also mounted to EFS on /.user_data inside the container.
I followed this AWS tutorial. My setup is almost similar.
Here is the Docker file:
FROM node:12-buster-slim
RUN apt-get update && \
apt-get install -y build-essential \
wget \
python3 \
make \
gcc \
libc6-dev \
git
# delete old user
RUN userdel -r node
# Run as a non-root user
RUN addgroup "new_user_group" && \
useradd "new_user" --gid "new_user_group" \
--home-dir "/home/new_user"
RUN git clone https://github.com/test-app.git /home/new_user/app
RUN chown -R new_user:new_user_group /home/new_user
RUN mkdir -p /home/new_user/.user_data
RUN chown -R new_user:new_user_group /home/new_user/.user_data
RUN chmod -R 755 /home/new_user/
WORKDIR /home/new_user/app
RUN npm install
RUN npm run build
EXPOSE 1880
USER new_user
CMD [ "npm", "start" ]
When the Node app tries to write inside /.user_data I am getting read-write permission denied error.
If I run the container as root the app is able to read/write data.
I tried adding an access point to EFS with UID and permissions but that didn't help as well.
Please note: The Dockerfile works fine on my local machine.
Update
Read this blog post - Developers guide to using Amazon EFS with Amazon ECS and AWS Fargate – Part 2 > POSIX permissions
Might be related to the IAM Policy that was assigned to the ECS Task's IAM Role.
"...if the AWS policies do not allow the ClientRootAccess action, your user is going to be squashed to a pre-defined UID:GID that is 65534:65534. From this point on, standard POSIX permissions apply: what this user can do is determined by the POSIX file system permissions. For example, a folder owned by any UID:GID other than 65534:65534 that has 666 (rw for owner and rw for everyone) will allow this reserved user to create a file. However, a folder owned by any UID:GID other than 65534:65534 that has 644 (rw for owner and r for everyone) will NOT allow this squashed user to create a file."
Make sure that your root-dir permissions are set to 777. This way any UID can read/write this dir.
To be less permissive, set the root-dir to 755, which is set by default, see the docs. This provides read-write-execute to the root user, read-execute to group and read-execute to all other users.
A user (UID) can't access (read) a sub-directory if there's no read access to its parents (directories).
You can test it easily with Docker, here's a quick example
Create a Dockerfile -
FROM ubuntu:20.04
# Fetch values from ARGs that were declared at the top of this file
ARG APP_NAME
ARG APP_ARTIFACT_DIR
ARG APP_HOME_DIR="/app"
ARG APP_USER_NAME="appuser"
ARG APP_GROUP_ID="appgroup"
# Define workdir
ENV HOME="${APP_HOME_DIR}"
WORKDIR "${HOME}"
RUN apt-get update -y && apt-get install tree
# Define env vars
ENV PATH="${HOME}/.local/bin:${PATH}"
# Run as a non-root user
RUN addgroup "${APP_GROUP_ID}" && \
useradd "${APP_USER_NAME}" --gid "${APP_GROUP_ID}" --home-dir "${HOME}" && \
chown -R ${APP_USER_NAME} .
RUN mkdir -p rootdir && \
mkdir -p rootdir/subdir && \
touch rootdir/root.file rootdir/subdir/sub.file && \
chown -R root:root rootdir && \
chmod 600 rootdir rootdir/root.file && \
chmod -R 775 rootdir/subdir
You should play with chmod 600 and chmod -R 775, try different permissions sets such as 777 and 644, and see if it makes sense.
Build an image, run a container, and test the permissions -
docker build boyfromnorth .
docker run --rm -it boyfromnorth bash
root#e0f043d9884c:~$ su appuser
$ ls -la
total 12
drwxr-xr-x 1 appuser root 4096 Jan 30 12:23 .
drwxr-xr-x 1 root root 4096 Jan 30 12:33 ..
drw------- 3 root root 4096 Jan 30 12:23 rootdir
$ ls rootdir
ls: cannot open directory 'rootdir': Permission denied

using a docker app to make a new directory in an external hard drive

I am using a docker container to execute a python script located at my host machine. The script should make a new directory at a target location.
When the target location is located under $HOME or $HOME/*, everything works. However, when I want to create a directory at /media/my_name/external_drive, the terminal says that PermissionError: [Errno 13] Permission denied: '/media/my_name'
Here is the code I run
sudo docker-compose run --rm --user="$(id -u):$(id -g)" main process_all.py
Here is docker-compose.yml:
version: '2.3'
services:
main:
build: .
volumes:
- .:/app
- /etc/localtime:/etc/localtime:ro
environment:
- PYTHONIOENCODING=utf_8
init: true
network_mode: host
Here is the dockerfile
FROM ubuntu:16.04
# Install some basic utilities
RUN apt-get update && apt-get install -y \
curl \
ca-certificates \
sudo \
git \
bzip2 \
axel \
&& rm -rf /var/lib/apt/lists/*
# Create a working directory
RUN mkdir /app
WORKDIR /app
# Create a non-root user and switch to it
RUN adduser --disabled-password --gecos '' --shell /bin/bash user \
&& chown -R user:user /app
RUN echo "user ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/90-user
USER user
# All users can use /home/user as their home directory
ENV HOME=/home/user
RUN chmod 777 /home/user
# Install Miniconda
RUN curl -so ~/miniconda.sh https://repo.continuum.io/miniconda/Miniconda3-4.4.10-Linux-x86_64.sh \
&& chmod +x ~/miniconda.sh \
&& ~/miniconda.sh -b -p ~/miniconda \
&& rm ~/miniconda.sh
ENV PATH=/home/user/miniconda/bin:$PATH
# Create a Python 3.6 environment
RUN /home/user/miniconda/bin/conda install conda-build \
&& /home/user/miniconda/bin/conda create -y --name py36 python=3.6.4 \
&& /home/user/miniconda/bin/conda clean -ya
ENV CONDA_DEFAULT_ENV=py36
ENV CONDA_PREFIX=/home/user/miniconda/envs/$CONDA_DEFAULT_ENV
ENV PATH=$CONDA_PREFIX/bin:$PATH
# Ensure conda version is at least 4.4.11
# (because of this issue: https://github.com/conda/conda/issues/6811)
ENV CONDA_AUTO_UPDATE_CONDA=false
RUN conda install -y "conda>=4.4.11" && conda clean -ya
# Install FFmpeg
RUN conda install --no-update-deps -y -c conda-forge ffmpeg=3.2.4 \
&& conda clean -ya
# Install NumPy
RUN conda install --no-update-deps -y numpy=1.13.3 \
&& conda clean -ya
# Install build tools
RUN sudo apt-get update \
&& sudo apt-get install -y build-essential gfortran libncurses5-dev \
&& sudo rm -rf /var/lib/apt/lists/*
# Build and install CDF
RUN cd /tmp \
&& curl -O https://spdf.sci.gsfc.nasa.gov/pub/software/cdf/dist/cdf36_4/linux/cdf36_4-dist-all.tar.gz \
&& tar xzf cdf36_4-dist-all.tar.gz \
&& cd cdf36_4-dist \
&& make OS=linux ENV=gnu CURSES=yes FORTRAN=no UCOPTIONS=-O2 SHARED=yes all \
&& sudo make INSTALLDIR=/usr/local/cdf install
# Install other dependencies from pip
COPY requirements.txt .
RUN pip install -r requirements.txt
# Create empty SpacePy config (suppresses an annoying warning message)
RUN mkdir /home/user/.spacepy && echo "[spacepy]" > /home/user/.spacepy/spacepy.rc
# Copy scripts into the image
COPY --chown=user:user . /app
# Set the default command to python3
CMD ["python3"]
Untested, going by memory but I would debug the issue with an interactive version of your container.
Something like:
sudo docker run -t -i --rm --user="$(id -u):$(id -g)" main /bin/bash
You'll get a bash shell. Then you can debug it by
cd /media
ls -l
What I think you'll find is that the drive is probably not mounted. Or, the user doesn't have permission to access it.
With regards to mounts, either pass it through from the host or create a volume mount. I'm a little bit unsure about what you can do there because since I last used docker many changes around mounting and volume drivers were introduced. But the documentation on the docker website is pretty good. So experiment.
This is the cmd line reference for docker: https://docs.docker.com/engine/reference/run/
The key is to use the -t -i parameters to make it interactive.

Resources