
inconsistencies in between Px and S1 mode: default user, groups

Open katakombi opened this issue 6 years ago • 2 comments

I've noticed two inconsistencies between the Px and S1 exec modes in devel:

  1. When no --user= flag is given, it defaults to root in Px, whereas in S1 it defaults to $USER.
  2. When I run as --user=root, I obtain all groups of $USER in Px, whereas I just get group 0 in S1. While the behavior of Px is quite convenient, because I need at least membership of group adm to accomplish anything useful in my container, I am not sure if this is intended. In S1 I cannot do anything useful unless I add root to at least adm.

I wonder what the intended behaviour is; it doesn't strike me as obvious, but maybe it can be more consistent. I did not check the other run modes, but I can do this if desirable.

Maybe it would be even sensible to have an option to pass custom /etc/group /etc/passwd files.

katakombi, Dec 16 '19 20:12

Hi. The default behavior of udocker is starting Pn as root and Sn as a normal user. We don't want to change that, as this is what users expect as the default behavior. Defaults will likely change for udocker3.

For simple modes that do not require many setup changes (P1, P2, F1, S1, S2, R1, R2, R3), the default mode is modifiable using UDOCKER_DEFAULT_EXECUTION_MODE=S2; this is available in the devel branch. Also, you can use -v /somefile:/etc/group and -v /someotherfile:/etc/passwd.

The groups behavior across modes suffers from the limitations of the upstream tools that support these modes. In Singularity the faked root mode seems to ignore group membership. The same also happens with runC, with all the limitations of groups under user namespaces.

jorge-lip, Dec 19 '19 13:12
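As an added illustration of the workaround in the reply above (this is example code written for this page, not part of udocker), the script below builds a custom group file in which root is a member of chosen groups, writes a minimal passwd file, and shows how both would be bound over /etc/group and /etc/passwd with -v while forcing S1 mode through UDOCKER_DEFAULT_EXECUTION_MODE. The template group file and the passwd entries are constructed here, not copied from a real image; the container name "mycont", the "run" argument that triggers the launch, and the `sh -c 'id'` command are assumptions of the example. It also generalizes slightly beyond the thread: the helper can add a user to any list of groups, and it copes with groups whose member list is empty or that already contain the user.

```shell
#!/bin/sh
# Added example, not udocker's own code. Assumes udocker is on PATH and a
# container named "mycont" exists (assumption); everything else is built here.
set -eu

# Print a copy of the group file $1 with user $2 appended to the member list
# of every group named in $3 (comma-separated). Lines like "adm:x:4:" (empty
# member list) and groups that already list the user are handled correctly.
add_user_to_groups() {
    awk -F: -v user="$2" -v want="$3" '
        BEGIN {
            OFS = ":"
            n = split(want, w, ",")
            for (i = 1; i <= n; i++) target[w[i]] = 1
        }
        ($1 in target) {
            m = split($4, members, ",")
            found = 0
            for (i = 1; i <= m; i++) if (members[i] == user) found = 1
            if (!found) $4 = ($4 == "") ? user : ($4 "," user)
        }
        { print }
    ' "$1"
}

# Write a constructed template group file to $1 (not taken from any image).
write_template_group() {
    cat > "$1" <<'EOF'
root:x:0:
bin:x:1:root,bin,daemon
adm:x:4:
wheel:x:10:root
EOF
}

# Write a minimal /etc/passwd to $1 containing root plus one user ($2) with
# uid $3 and gid $4, so that --user=root resolves without udocker having to
# create a non-existing user on the fly.
write_custom_passwd() {
    printf 'root:x:0:0:root:/root:/bin/sh\n%s:x:%s:%s:%s:/home/%s:/bin/sh\n' \
        "$2" "$3" "$4" "$2" "$2" > "$1"
}

# Launch the container in S1 mode as root with the custom files bound over
# /etc/passwd ($1) and /etc/group ($2); $3 is the container name. This is
# the only function that actually invokes udocker.
run_with_custom_ids() {
    UDOCKER_DEFAULT_EXECUTION_MODE=S1 udocker run --user=root \
        -v "$1:/etc/passwd" -v "$2:/etc/group" "$3" sh -c 'id'
}

main() {
    tmp=$(mktemp -d)
    write_template_group "$tmp/group.orig"
    # Give root membership of adm and wheel, which is what the issue asks for.
    add_user_to_groups "$tmp/group.orig" root adm,wheel > "$tmp/group"
    write_custom_passwd "$tmp/passwd" "$(id -un)" "$(id -u)" "$(id -g)"
    run_with_custom_ids "$tmp/passwd" "$tmp/group" mycont
}

# Only launch the container when explicitly asked: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Whether the extra groups take effect inside the container still depends on the execution mode: the bound group file only changes what the container's own tools (id, su, file permission checks against the image) see, and the reply above notes that Singularity's faked root and runC under user namespaces may ignore that membership anyway.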

Hi,

Once again, thanks a lot for the explanations. The fake root behaviour in Singularity is indeed interesting; try it for yourself:

 UDOCKER_DEFAULT_EXECUTION_MODE=S1 ./udocker.py run --user=root alpine sh
Warning: non-existing user will be created
 
 ////////////////////////////////////////////////////////////////////////////// 
 /                                                                            / 
 /               STARTING 28a0635e-b6b8-355a-8fc4-f60069b4282c                / 
 /                                                                            / 
 ////////////////////////////////////////////////////////////////////////////// 
 executing: sh
28a0635e# id
uid=0(root) gid=0(root) groups=0(root)
28a0635e# su -c id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),4(adm),6(disk),6(disk),10(wheel),11(floppy),20(dialout),20(dialout),24(G24),26(tape),27(video),27(video),30(readproc),44(G44),46(G46),115(G115),128(G128),129(G129),132(G132),136(G136),1000(G1000)

katakombi, Dec 19 '19 16:12