The -a parameter is missing from the software rust version

[vndroid]

Such as libev version, can be used -a nobody to run the main program. Easier debugging in container environments. wish to implement this feature.

[zonyitoo]

Why is that useful in container? It is just for switching user when starting process as a daemon.
https://github.com/shadowsocks/shadowsocks-libev/blob/89b5f987d6a5329de9713704615581d363f0cfed/src/utils.c#L111

[vndroid]

Why is that useful in container? It is just for switching user when starting process as a daemon. https://github.com/shadowsocks/shadowsocks-libev/blob/89b5f987d6a5329de9713704615581d363f0cfed/src/utils.c#L111

If the -a parameter is supported, you can use the startup script exec to run the daemon, and then use docker exec to replace the CMD parameter to enter the container when running the container. The current container cannot enter the container normally

[zonyitoo]

docker run has a --user parameter to specify which user to run the command. Further more, why docker exec cannot enter the container has anything related to the program running with a specific user?

[vndroid]

I know the docker --user parameter, but it will cause a problem, the nobody user used after starting the container is a low-privileged user and cannot perform common operations such as install debug tools and debugging.

On the contrary, if the program supports the use of a specific user, it can be pulled up with root privileges when running the container, and the user can operate normally after entering the container.

[vndroid]

When you execute the docker container run/exec -it xxx:xxx /bin/sh command, the last part /bin/sh will be spliced into the Dockerfile CMD command as a parameter, which means that the current official container cannot replace the main program, which leads to Unable to enter the container for debugging.

Such as:

• ss-rust

$ docker container run --rm -it shadowsocks/ssserver-rust:latest /bin/sh
error: Found argument '/bin/sh' which wasn't expected, or isn't valid in this context

USAGE:
    ssserver [OPTIONS]

For more information try --help

• nginx

$ docker container run --rm -it nginx:alpine /bin/sh
Unable to find image 'nginx:alpine' locally
alpine: Pulling from library/nginx
2408cc74d12b: Already exists
dd61fcc63eac: Pull complete
f9686e628075: Pull complete
ceb5504faee7: Pull complete
ce5d272a5b4f: Pull complete
136e07b65aca: Pull complete
Digest: sha256:8e38930f0390cbd79b2d1528405fb17edcda5f4a30875ecf338ebaa598dc994e
Status: Downloaded newer image for nginx:alpine
/ # 

[zonyitoo]

Maybe because it sets USER nobody in Dockerfile?

shadowsocks-rust/Dockerfile

Line 52 in a4955a1

USER nobody

[vndroid]

Maybe because it sets USER nobody in Dockerfile?

shadowsocks-rust/Dockerfile

Line 52 in a4955a1

USER nobody

Yes, but it is not directly related. Because the program does not support custom users, there is no way to use the script to pull up the main program.

such as https://github.com/nginxinc/docker-nginx/blob/d4a47bc6602d3a1412dad48a8513b83805605ef3/mainline/alpine-perl/docker-entrypoint.sh

#!/bin/sh
# vim:sw=4:ts=4:et

set -e

if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
    exec 3>&1
else
    exec 3>/dev/null
fi

if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
        echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"

        echo >&3 "$0: Looking for shell scripts in /docker-entrypoint.d/"
        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
            case "$f" in
                *.sh)
                    if [ -x "$f" ]; then
                        echo >&3 "$0: Launching $f";
                        "$f"
                    else
                        # warn on shell scripts without exec bit
                        echo >&3 "$0: Ignoring $f, not executable";
                    fi
                    ;;
                *) echo >&3 "$0: Ignoring $f";;
            esac
        done

        echo >&3 "$0: Configuration complete; ready for start up"
    else
        echo >&3 "$0: No files found in /docker-entrypoint.d/, skipping configuration"
    fi
fi

exec "$@"

Use command exec to start the daemon and let the program define the user to use.

in Dockerfile

...
...
ENTRYPOINT ["/docker-entrypoint.sh"]

EXPOSE 80

STOPSIGNAL SIGQUIT

CMD ["nginx", "-g", "daemon off;"]

It can be understood that when the container is started, the Dockerfile CMD parameter will be spliced after the ENTRYPOINT (eg: docker-entrypoint.sh nginx -g daemon off;), and when the user executes docker container run/exec -it nginx:alpine-perl /bin/sh, the user's command last part /bin/sh will replace the ENTRYPOINT parameter(docker-entrypoint.sh /bin/sh).

It should be easier for you to understand this.

[vndroid]

In short, if you want to make a docker image that can be entered and can be launched by a low-privileged user, you need to implement a -a parameter similar to the shadowsocks-libev version.