toolbox -u fails with unknown user error looking up user "root"

[jlausuch]

Using toolbox -u fails, but the container is created and the second time it works.

Environment:

localhost:~ # cat /etc/os-release
NAME="openSUSE MicroOS"
# VERSION="20210302"
ID="opensuse-microos"
ID_LIKE="suse opensuse opensuse-tumbleweed"
VERSION_ID="20210302"
PRETTY_NAME="openSUSE MicroOS"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:microos:20210302"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:MicroOS"
LOGO="distributor-logo"

localhost:~ # podman -v
podman version 3.0.1

localhost:~ # su -l test_user

test_user@localhost:~> id
uid=1000(test_user) gid=100(users) groups=100(users)

test_user@localhost:~> podman ps -a
CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES

test_user@localhost:~> toolbox -u
Spawning a container 'toolbox-test_user-user' with image 'registry.opensuse.org/opensuse/toolbox'
45824c34310f9c6e66446db665b2de8035bdec45504ed3177a5aa03b1e49ea92
toolbox-test_user-user
Setting up user 'test_user' (with 'sudo' access) inside the container...
(NOTE that, if 'sudo' and related packages are not present in the image already,
this may take some time. But this will only happen now that the toolbox is being created)
Error: 2 errors occurred:
	* error determining run uid: user: unknown user error looking up user "root"
	* error copying from host: copier: get: "/home/test_user/.toolbox-test_user-user-user-setup-A3we8K.sh": error copying /home/test_user/.toolbox-test_user-user-user-setup-A3we8K.sh: io: read/write on closed pipe

test_user@localhost:~> echo $?
125

test_user@localhost:~> podman ps -a
CONTAINER ID  IMAGE                                   COMMAND     CREATED        STATUS                      PORTS   NAMES
45824c34310f  registry.opensuse.org/opensuse/toolbox  sleep +Inf  6 seconds ago  Exited (143) 6 seconds ago          toolbox-test_user-user

test_user@localhost:~> toolbox -u
Container 'toolbox-test_user-user' already exists. Trying to start...
(To remove the container and start with a fresh toolbox, run: podman rm 'toolbox-test_user-user')
toolbox-test_user-user
Container started.
Entering container. To exit, type 'exit'.

test_user@toolbox-test_user-user:~> id
uid=1000(test_user) gid=100(users) groups=100(users)
test_user@toolbox-test_user-user:~> exit
exit

test_user@localhost:~> podman ps -a
CONTAINER ID  IMAGE                                   COMMAND     CREATED         STATUS                      PORTS   NAMES
45824c34310f  registry.opensuse.org/opensuse/toolbox  sleep +Inf  19 seconds ago  Exited (143) 3 seconds ago          toolbox-test_user-user

[gorschu]

To chime in on this - while the subsequent launch after creation seems to work, password-less sudo is broken/not setup correctly.
This makes installing packages impossible and cripples the toolbox usage scenarios.

[gorschu]

Commenting out the line doing the copy of the init-script to the podman container fixes the problem for me (for now). The container gets set up correctly without it - sudo is working is just fine.

Looking at the bug reports for Podman 3.x there seems to be some issues revolving doing 'podman cp' as non-root user, maybe the root cause is to be found there.

Side-Note: The temporary files doing the sudo setup created as "${HOME}/.${TOOLBOX_NAME}-user-setup-XXXXXX.sh" are never removed, cluttering $HOME. If they are intended to stay around, wouldn't they be better suited to live in a tmpfs such as /tmp?

[dfaggioli]

To chime in on this - while the subsequent launch after creation seems to work, password-less sudo is broken/not setup correctly.
This makes installing packages impossible and cripples the toolbox usage scenarios.

Mmm... I've just tried, and it is working fine here:

idario@Wayrath:~> id
uid=1000(dario) gid=100(users) groups=100(users)

dario@Wayrath:~> ~/src/toolbox/microos-toolbox.git/toolbox -u
.toolboxrc file detected, overriding defaults...
Spawning a container 'toolbox-dario-user' with image 'registry.opensuse.org/opensuse/toolbox'
221c5dac4733114e0bf2be119bd732618bc8236c527ec0c0f91087587c970bce
toolbox-dario-user
Setting up user 'dario' (with 'sudo' access) inside the container...
(NOTE that, if 'sudo' and related packages are not present in the image already,
this may take some time. But this will only happen now that the toolbox is being created)
Container created.
Entering container. To exit, type 'exit'.
dario@toolbox-dario-user:~> 

And sudo works, once inside:

dario@toolbox-dario-user:~> sudo zypper ref
Retrieving repository 'openSUSE-Tumbleweed-Non-Oss' metadata .............................................................................................................................................[done]

So, what am I missing?

[gorschu]

❯ podman --version
podman version 3.0.1
❯ id
uid=1000(azmo) gid=1000(azmo) groups=1000(azmo),100(users),108(libvirt),495(wheel)
❯ /tmp/microos-toolbox/toolbox -u
Spawning a container 'toolbox-azmo-user' with image 'registry.opensuse.org/opensuse/toolbox'
5ee4d8f0f086cd6b2c0a21634f5c4623f75c35228afc635599b0a4a3fc0c1705
WARN[0000] Path "/etc/SUSEConnect" from "/etc/containers/mounts.conf" doesn't exist, skipping
WARN[0000] Path "/etc/zypp/credentials.d/SCCcredentials" from "/etc/containers/mounts.conf" doesn't exist, skipping
toolbox-azmo-user
Setting up user 'azmo' (with 'sudo' access) inside the container...
(NOTE that, if 'sudo' and related packages are not present in the image already,
this may take some time. But this will only happen now that the toolbox is being created)
Error: 2 errors occurred:
        * error determining run uid: user: unknown user error looking up user "root"
        * error copying from host: copier: get: "/home/azmo/.toolbox-azmo-user-user-setup-6WBqQ2.sh": error copying /home/azmo/.toolbox-azmo-user-user-setup-6WBqQ2.sh: io: read/write on closed pipe

Weird indeed, it's definitely not working here. I don't have a .toolboxrc though and my container image is complaining about the two SUSE specific files missing - yours isn't. Might be something there? If not - I am quite lost to be honest.

[dfaggioli]

Commenting out the line doing the copy of the init-script to the podman container fixes the problem for me (for now). The container gets set up correctly without it - sudo is working is just fine.

Looking at the bug reports for Podman 3.x there seems to be some issues revolving doing 'podman cp' as non-root user, maybe the root cause is to be found there.

Ah, yes, I don't yet have podman 3 on my workstation. I just tried in a VM, and it fails as described. The only difference between the two seems to be the podman version, so maybe it is an issue there? Do you have any link?

Side-Note: The temporary files doing the sudo setup created as "${HOME}/.${TOOLBOX_NAME}-user-setup-XXXXXX.sh" are never removed, cluttering $HOME. If they are intended to stay around, wouldn't they be better suited to live in a tmpfs such as /tmp?

Ah, wow, no, /tmp is not good for security reasons. But they're not meant to stay, it's just an oversight, and one that is easily fixed. thanks for reporting

[gorschu]

Ah, yes, I don't yet have podman 3 on my workstation. I just tried in a VM, and it fails as described. The only difference between the two seems to be the podman version, so maybe it is an issue there? Do you have any link?

Well, I stumpled across this bugreport and there have been quite some commits regarding podman cp and root/ownerships . Whether this issue is linked to the issue above is beyond me, though.

Ah, wow, no, /tmp is not good for security reasons. But they're not meant to stay, it's just an oversight, and one that is easily
fixed. thanks for reporting

Thanks! 👍

[dfaggioli]

Ah, yes, I don't yet have podman 3 on my workstation. I just tried in a VM, and it fails as described. The only difference between the two seems to be the podman version, so maybe it is an issue there? Do you have any link?

Well, I stumpled across this bugreport and there have been quite some commits regarding podman cp and root/ownerships . Whether this issue is linked to the issue above is beyond me, though.

Ok, thinking more about this, I do see now why it works if you don't do the podman cp. And it's actually fine not to do it (actually, I'd say it's wrong to cp it!). In fact, we bind mount $HOME in the toolbox, and the script is in $HOME already, so no need to cp it. It was necessary when it was generated in /tmp, and stayed there by mistake... I'll get rid of it!

However...

Ah, wow, no, /tmp is not good for security reasons. But they're not meant to stay, it's just an oversight, and one that is easily
fixed. thanks for reporting

Thanks!
... I do not understand any longer why it sticks around for you. In fact, for the very same reason explained above, when we do

podman exec --user root "${TOOLBOX_NAME}" rm "${tmp_user_setup}"

it should remove it.

Maybe the ones that you see are those from failed runs, or something like that? I'll see about adding an rm -f in the trap, or something like that...

[gorschu]

Maybe the ones that you see are those from failed runs, or something like that? I'll see about adding an rm -f in the trap, or something like that...

I just tested with the podman cp commented out - the file doesn't stay around. Must indeed have been leftovers from the failed creations. Thanks!

[dfaggioli]

Ok, #26 , which is now merged, should fix all the issues reported here.

[jlausuch]

Ok, #26 , which is now merged, should fix all the issues reported here.

Thank you!