Dockerfile: don't create gluon user (fixes support for UID != 1000) #2870
Conversation
@mweinelt, are you the author of
The build should simply not run as root, not even in a container. Instead https://docs.podman.io/en/latest/markdown/options/userns.container.html#userns-mode should be used with podman.
@mweinelt, that was my first solution (#2862), but it requires a very recent podman, so it does not work with Debian stable, for example. With the patch here, docker and podman behave differently: in the docker container the user has UID 0 and GID 0 (= root), but in the podman container the user gets UID and GID from the outside user, which is the desired behaviour.
Let me check a few things; I also have a branch for improving this, but I still need to verify that my approach works in both Docker and Podman. Also note that I don't think the commit message of this PR is correct. The Docker image should already work fine for UIDs != 1000. The created passwd entry will be wrong, but that shouldn't matter?
Did you test that? In my test on a Debian host it does not.
For podman it does not run as root. And docker can be called with
The new user `gluon` gets UID 1000 and GID 1000 and cannot write to the mounted gluon directory unless the calling user has the same UID. On Linux only the first non-admin user gets UID 1000, so docker and podman fail for all other users. On macOS there is typically no user with UID 1000, so docker and podman fail for all users. When no `gluon` user is created, a default user with the same UID and GID as the calling user is used and everything works fine.
Signed-off-by: Stefan Weil <[email protected]>
@mweinelt, I added a commit which changes the UID and GID in docker. It no longer runs as root.
Signed-off-by: Stefan Weil <[email protected]>
This seems to work for podman and docker. The only downside is that commands in the container are run as root. I don't know if it could be a problem.
scripts/container.sh
@@ -16,7 +16,7 @@ then | |||
elif [ "$(command -v docker)" ] | |||
then | |||
docker build -t "${TAG}" contrib/docker | |||
docker run -it --rm --volume="$(pwd):/gluon" "${TAG}" | |||
docker run -it --rm --user $(id -u):$(id -g) --volume="$(pwd):/gluon" "${TAG}" |
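Review bot: the new `--user $(id -u):$(id -g)` on the changed `docker run` line is unquoted, so shellcheck flags it for word splitting; quote each substitution as `--user "$(id -u)":"$(id -g)"`, which is what the suggestion in the review thread proposes. A short comment in the script would also help: the UID passed this way has no passwd entry in the image, so the shell inside shows "I have no name", and this hunk changes only the docker branch while the thread reports podman still failing for UID != 1000.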
docker run -it --rm --user $(id -u):$(id -g) --volume="$(pwd):/gluon" "${TAG}" | |
docker run -it --rm --user "$(id -u)":"$(id -g)" --volume="$(pwd):/gluon" "${TAG}" |
At least shellcheck throws a warning in this part. (Quote this to prevent word splitting)
I suggest to add
@AiyionPrime, I noticed that you cancelled some CI checks for this PR. That's good, because they cost a lot of computing resources and also waste energy. Maybe it would be good to run them only on demand (triggered by a team member) or for changes in selected files. Even then a smaller subset of checks would typically be sufficient.
Ah, I meant with Podman, not with Docker. With Docker, the
Podman does not work with the current code and UID != 1000. I noticed that on macOS, and that was my initial motivation to look for a fix. The default bash prompt with "I have no name" when using docker is ugly. But changing the bash prompt to something which looks nice is very simple. So if that is the only remaining problem, I'd suggest to merge my PR, then discuss which prompt is desired and implement that in one more commit.
Ah, I wasn't aware of this interaction between Removing the
Keeping I don't know other use cases, so cannot comment on them.
Fixed by #2975
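The two run invocations discussed in this thread combined into one helper, as an added example that is not the project's scripts/container.sh: podman gets `--userns=keep-id` (the userns mode from the podman docs linked above), docker gets the quoted `--user "$(id -u)":"$(id -g)"` from the review suggestion, and the script refuses to start when the checkout is not writable by the caller. The helper names, the `gluon-build` tag, the podman-first order and the `--run` switch are my own assumptions.

```shell
#!/bin/sh
# Added example, not the project's scripts/container.sh. Builds a run command
# whose container user matches the calling user, so the bind-mounted checkout
# stays writable. Helper names and the image tag are assumptions.

# Print the run command for ENGINE (podman|docker), UID, GID, HOSTDIR and TAG.
container_run_cmd() {
    engine=$1 uid=$2 gid=$3 hostdir=$4 tag=$5
    case "$engine" in
        podman)
            # keep-id maps the caller's UID/GID into the container's user
            # namespace, so no --user flag and no passwd entry are needed.
            printf '%s' "podman run -it --rm --userns=keep-id --volume=${hostdir}:/gluon ${tag}"
            ;;
        docker)
            # docker has no keep-id: run as the host UID:GID explicitly. The
            # image has no passwd entry for it, hence the "I have no name"
            # prompt, but files written to /gluon get the caller's ownership.
            printf '%s' "docker run -it --rm --user ${uid}:${gid} --volume=${hostdir}:/gluon ${tag}"
            ;;
        *)
            printf 'unsupported engine: %s\n' "$engine" >&2
            return 1
            ;;
    esac
}

# Podman first, then docker (assumed to match the order in container.sh).
detect_engine() {
    if command -v podman >/dev/null 2>&1; then echo podman
    elif command -v docker >/dev/null 2>&1; then echo docker
    else return 1
    fi
}

# A checkout the caller cannot write to would fail inside the container too,
# since the container user carries the same UID; fail early with a clear message.
check_writable() {
    [ -w "$1" ]
}

main() {
    engine=$(detect_engine) || { echo "neither podman nor docker found" >&2; exit 1; }
    check_writable "$(pwd)" || { echo "$(pwd) is not writable by UID $(id -u)" >&2; exit 1; }
    # Every substitution is quoted here, so shellcheck's word-splitting warning does not apply.
    cmd=$(container_run_cmd "$engine" "$(id -u)" "$(id -g)" "$(pwd)" gluon-build)
    echo "would run: $cmd"
}

case "${1:-}" in --run) main ;; esac
```

The final `case` means the file only acts when invoked with `--run`, so it can also be sourced to reuse the helpers.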