I am new to openshift, I have deployed an image using Dockerfile on it, using ubuntu as base image. In Dockerfile, I have assigned an user with root privileges. But after container is formed, my user gets overidden by some random user. Because of which I am facing permission denied error on creating and reading files and directories. How can I stop this random user from overriding the user mentioned in my dockerfile or how can I assign root privileges to the random user. I tried using sudo but got below error:
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted sudo: no valid sudoers sources found, quitting sudo: setresuid() [0, 0, 0] -> [1005180000, -1, -1]: Operation not permitted sudo: unable to initialize policy plugin
Below is the entry I made in my Dockerfile for user:
RUN apt-get update && apt-get -y install sudo
RUN useradd -ms /bin/bash ubuntu && usermod -aG sudo ubuntu
RUN echo "ubuntu ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
# Set as default user
USER ubuntu
WORKDIR /home/ubuntu
In OpenShift the userid is, by default, taken from the namespace annotation. It looks random, but is deterministic.
In general, you solve this by using GROUP 0 membership on files. The user your container runs as by default has the high uid, and also gid=0.
For a "container native" application you wouldn't expect to make use of sudo. If you really need this, for example a forklift move of a virtual host into a container, then look at the OpenShift SCC and allow something like "anyuid" which in turn will allow a securityContext with runAsUser: 0.
Related
I am building a MySQL image using buildah bud -f .podman/MySQL.conf -t localhost/mysql:mushroom and the following dockerfile (located at .podman/MYSQL.conf)
FROM mysql:8.0
ENV MYSQL_ROOT_PASSWORD='password'
EXPOSE 3306
I start the container using:
podman run --rm -v mysql_data:/var/lib/mysql localhost/mysql:mushroom
After starting the container I podman exe -it [ID] /bin/bash into the container cli.
running mysql -p and entering the correct password returns access denied for user 'root'#'localhost' (using password: YES)
I have confirmed that the env var MYSQL_ROOT_PASSWORD is correctly set.
I have tried entering the password in the podman run command (using -e MYSQL_ROOT_PASSWORD=password) I have confirmed that the volume mysql_data doesn't exist when I start the container.
Any suggestions for other things to try?
All I can say is that it seems to work for me.
I used your example Dockerfile (the only thing I did was to trim all the whitespace it seems to have accidentally gained when you pasted it).
I saved it as Dockerfile and then just used podman build ..
Starting the image in one terminal with podman run 8a0516eaa26e prints a load of log lines showing mysql startup and then ends with
[System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.31' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
In another terminal I ran podman exec -it happy_dijkstra /bin/bash (that was the auto-generated container name I got) and tried to login to mysql with "password" and it worked. I have podman v3.4.2 here, but I would expect something as simple as this to have worked since v1. Are you sure there isn't a space or other odd character that has sneaked into the password you set?
Everything worked after a reboot.
My best guess is that the mysql_data volume still existed somehow, and held default login data.
I have a docker container running and it's exposing port 22 to local host port 1312. I am using the following command to run the container:
docker run -it -d -p 127.0.0.1:1312:22 -v
/workspace/project:/root --name
cpp_dep cpp_dep
Now to build the project in CLion, it need to be able to ssh into the container. I entered the container in interactive mode and ran "service ssh restart".
Now when I try to ssh into root#127.0.0.1:1312, it asks for my password. But when I enter my sudo (root) password, it keeps saying permission denied.
Is it an issue with ssh key? Which password should i use? or is there any way to bypass the password?
I am running a MAC OS.
Thanks in advance.
You may enter the container in interactive mode, use whoami to find the current user while use passwd to change the password of current user, then ssh into it using the updated passwd.
More details if you are interested:
User running the container is decided by
USER config in your Dockerfile: https://docs.docker.com/engine/reference/builder/#user
-u option in docker run command: https://docs.docker.com/engine/reference/run/#user
By default it's root (uid = 0), but it depends on your settings.
User password is stored in /etc/passwd file, which is different inside the container and in the host, so the same uid may have different password inside the container. It's a workaround to mannually reset it using passwd in the interactive mode but your may also set it in Dockerfile like
RUN echo 'root:Docker!' | chpasswd // (NOTICE: unsafe!)
It changes the password for root as "Docker!"
EDIT #1
As emphasized by David Maze in comments, it's unsafe to store plain password in the Dockerfile as it's public to anyone who get the source file, and it's not uncommon source files intended to be private mistakenly submitted to open github repository. If the container needs to provide public service, you must use build args (https://docs.docker.com/engine/reference/commandline/build/#set-build-time-variables---build-arg) so password can be secretly specified at build time.
Dockerfile:
ARG PASSWD
RUN echo 'root:${PASSWD}' | chpasswd
build:
docker build --build-arg PASSWD=<secret stored safely>
I put the following commands in user data of an EC2 running RedHat 8 AMI (ami-0fc841be1f929d7d1), when they run, the mkdir tries to create .kube at root which looks to me like $HOME is not set at the time.
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Following are log from /var/log/user-data.log
+ mkdir -p /.kube
+ sudo cp -i /etc/kubernetes/admin.conf /.kube/config
++ id -u
++ id -g
+ sudo chown 0:0 /.kube/config
When I SSH to the instance, the $HOME is set correctly to /home/ec2-user.
Could you advise what I did wrong here?
Thank you
When your EC2 server is provisioned, the user data script runs as user root, so $HOME is empty. What you could do, is to define the HOME env var at the top of your user data script, like this (insert your user's home directory here):
export HOME=/home/ubuntu
I've tried it and it works (I install NVM, SDKMAN, sbt, java, git, docker; all works fine). You might need to do some chown at the end of your user data script to change the owner of some files back to your user. For example, if your user data sets up some files in your home directory:
chown ubuntu ~/.foo/bar.properties
$HOME refers to the home directory of the logged in user. Userdata runs under the root user, and the root user $HOME is /. That is the result you are seeing.
Instead of the variable $HOME, your script should refer to /home as a literal.
See https://superuser.com/questions/271925/where-is-the-home-environment-variable-set
You are running as sudo which is known to change environment variables that are established with your users shell (such as $HOME) as well as shell context based such as ssh-agent.
Generally you can ensure this persists when you run sudo by adding it to the env_keep settings in your sudoers configuration by adding the below line within /etc/sudoers. More information is available here, be careful about modifying this file.
Defaults env_keep=HOME
Otherwise if you don't want to make the above change, ensure you have the permissions to carry this out without running sudo or pass an absolute path value in.
I would generally stay clear of user data for important configuration anyway,
instead build a pre-baked AMI ahead of time with the configuration how you want it, using a configuration tool such as Ansible, Chef, Puppet.
Alternatively as this is within the User Data anyway, it is unlikely you have already configured the sudoers configuration, you should instead just specify the path.
I faced the same issue. Adding this to the User Data script helped resolve it. The sub shells will have the HOME set with this change to profile.
cat > /etc/profile.d/set_home.sh << 'EOF'
export HOME=~
EOF
chmod a+x /etc/profile.d/set_home.sh
Using AWS (Amazon Web Services) I have created an Ubuntu 16.10 instance and I am able to login using a pem file like this:
ssh -i key.pem ubuntu#52.16.73.14.54
After I am logged, I can see that I am able to execute:
sudo su
(with no password), however the file /etc/sudoers does NOT contain any reference to the user current user: ubuntu.
How can I create another user with exactly the same behavior (without touching the sudoers file) from terminal in a NON interactive way?
I tried:
sudo useradd -m -c "adding a test user" -G sudo,adm -s /bin/bash testuser
But after I become "testuser" if I invoke:
sudo su
I have to provide a password. Which is exactly the way I want to avoid.
You can't do this without touching sudo, beacuse the ubuntu user is given passwordless access specifically.
$ for group in `groups ubuntu`; do sudo grep -r ^[[:space:]]*[^#]*$group[[:space:]] /etc/sudoers* ; done
/etc/sudoers.d/90-cloud-init-users:ubuntu ALL=(ALL) NOPASSWD:ALL
/etc/sudoers.d/90-cloud-init-users:ubuntu ALL=(ALL) NOPASSWD:ALL
/etc/sudoers:%sudo ALL=(ALL:ALL) ALL
But what you can do is create a new sudoers file without touching any existing files. sudo is typically configured these days to read all the configurations in a directiory, usually /etc/sudoers.d/, preceisely so that one failing config doesn't effect the rest of sudo.
In your case, you might want to give an admin group sudoless access rather than your user. Then you can add access in the future to other users without changing sudo config.
I'm trying to use pyenv to create a virtual environment to use with Django on Apache (it works great for development outside of Apache). I'm a bit miffed though on what user to set up the environments and run with (attempting to su commands with www-data fails as it's "not currently available")...should I use root (OK because it just would own everything, not run whatever), make another user, etc.
I haven't been able to test, but I'm assuming that I should add the shims path to PATH in /etc/apache2/envvars then let each site set PYENV_VERSION in it's Apache .conf as appropriate.
When you want to run a command as another user use: sudo -u <user> command. In order to use su that user must be configured in /etc/passwd to have a shell. You can always just do sudo -u www-data bash instead.
With respect to your question about pyenv. You should install pyenv somewhere where the apache user has permissions. You will need to create a directory since, www-data is unlikely to have a home directory.