
I have a docker image with a custom user (for example tod). I want to find out information about this user without creating a container.

Base image: centos8

UPD: A little about context. I run an unprivileged container in k8s and get the following error: container has runAsNonRoot and image has non-numeric user (tod), cannot verify user is non-root

I read this answer and cannot understand why it is not possible to get the user id from my container.

  • Why the specific "without creating a container" constraint? `docker run --rm imagename id` will frequently work but technically violates this requirement. – David Maze Feb 24 '21 at 11:20
  • This image is checked by k8s and it cannot find the user id. but if you go to the container, the user has an id. Magic) – jesmart Feb 24 '21 at 11:58
  • Can you add some more details to the question about what specifically you're trying to check for, in which context? (Every process will have _some_ user ID; you can override the container's uid in both `docker run` and a Kubernetes Pod spec; it's common to configure Kubernetes to disallow processes to run as root; it's uncommon but possible for a container to start as root but then switch to an unprivileged user.) – David Maze Feb 24 '21 at 12:28
  • I added context – jesmart Feb 24 '21 at 12:53
  • Here is the PR that explains this: https://github.com/kubernetes/kubernetes/pull/56503 Does this answer your question? – Matt Feb 25 '21 at 10:46
  • @Matt I have a kubernetes 1.17.9 in a Rancher. This version is built on `2020-07-15T16:10:45Z`. However, the error does not occur with the minikube on the same version of Kubernetes. This pull request seems to be valid on these k8s versions. – jesmart Feb 25 '21 at 12:15

1 Answer

Let's try to analyze the following code:

github code reference link

case uid == nil && len(username) > 0:
    return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root (pod: %q, container: %s)", username, format.Pod(pod), container.Name)

This is the code that prints the error you see. You see the error because uid == nil and at the same time username != "".

But why does username have a value and uid does not? Why couldn't they both have a value?

It turns out that they couldn't because UID and the username are mutually exclusive. Have a look at the description of these parameters:

github code reference link:

// UID that will run the command(s). This is used as a default if no user is
// specified when creating the container. UID and the following user name
// are mutually exclusive.
Uid *Int64Value `protobuf:"bytes,5,opt,name=uid,proto3" json:"uid,omitempty"`
// User name that will run the command(s). This is used if UID is not set
// and no user is specified when creating container.
Username string `protobuf:"bytes,6,opt,name=username,proto3" json:"username,omitempty"`

So it turns out it's not a bug. It's just how the container runtime interface standard got designed, and you can't do much about it.

What you could do is change the way you use the USER instruction in the Dockerfile.

Instead of using a username with the USER instruction, create a user with a known uid and use this uid instead, like in the example below:

RUN useradd -r -u 1001 appuser
USER 1001
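As an added illustration (not code from the answer or from Kubernetes), this Go program models the quoted check: it converts an image's User field, as printed by `docker image inspect --format '{{.Config.User}}' IMAGE`, into the CRI uid/username pair and runs the runAsNonRoot decision over it, including the pod-level runAsUser override mentioned in the comments. The uid-0 branch, the runAsUser override and the parsing rule are reconstructed assumptions about the runtime and kubelet, not text quoted on this page.

```go
package main
import (
	"fmt"
	"strconv"
	"strings"
)

// ImageUser models the two CRI fields quoted in the answer; the runtime fills at most one.
type ImageUser struct {
	Uid      *int64
	Username string
}

// ParseImageUser turns the image config "User" string (what `docker image inspect
// --format '{{.Config.User}}' IMAGE` prints) into the CRI shape. Assumed runtime rule:
// numeric "uid[:gid]" becomes Uid, any other non-empty value Username, "" sets neither.
func ParseImageUser(user string) ImageUser {
	name := strings.SplitN(strings.TrimSpace(user), ":", 2)[0]
	if name == "" {
		return ImageUser{}
	}
	if v, err := strconv.ParseInt(name, 10, 64); err == nil {
		return ImageUser{Uid: &v}
	}
	return ImageUser{Username: name}
}

// VerifyRunAsNonRoot models the kubelet decision for runAsNonRoot: true. runAsUser is
// securityContext.runAsUser (nil if unset); when set it overrides the image user.
func VerifyRunAsNonRoot(runAsUser *int64, u ImageUser) error {
	if runAsUser != nil {
		if *runAsUser == 0 {
			return fmt.Errorf("container's runAsUser breaks non-root policy")
		}
		return nil
	}
	switch {
	case u.Uid == nil && len(u.Username) > 0: // the branch quoted above
		return fmt.Errorf("image has non-numeric user (%s), cannot verify user is non-root", u.Username)
	case u.Uid != nil && *u.Uid == 0:
		return fmt.Errorf("image will run as root")
	}
	return nil // numeric non-zero uid, or "" (no USER at all), which this check lets through
}

func main() {
	for _, user := range []string{"tod", "1001", "1001:1001", "0", ""} { // constructed samples
		fmt.Printf("USER %q -> %v\n", user, VerifyRunAsNonRoot(nil, ParseImageUser(user)))
	}
}
```

Note that an image with no USER at all passes this check in the model because neither field is set, so setting securityContext.runAsUser explicitly is the safer option for such images.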