From 747e95726362dc5d57c35a9bdcd806d3ab1d7d32 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Mon, 11 Nov 2019 16:37:35 +1100
Subject: [PATCH] Dockerfile: add user to shadow file too

Without an entry in the shadow file, this user can't use sudo with the following error: account validation failure, is your account locked (which I include here for future googling because it's pretty obscure, you have to have this odd situation, or a pretty broken PAM to see it). The "nodepool" user (10001) is in the root group, which is why the uid_entrypoint script can update the /etc/passwd file. We need to change the ownership of the /etc/shadow file for this to work. It feels a bit weird, but there's no password to actually guess anyway.

Change-Id: I8846757edffe31f96df58999d05727910c9fca43
---
 Dockerfile | 8 +++++++-
 tools/uid_entrypoint.sh | 3 ++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 35ecd4f20..2b00c2281 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,7 +24,13 @@ COPY --from=builder /output/ /output
 RUN /output/install-from-bindep
 
 ### Containers should NOT run as root as a good practice
-RUN chmod g=u /etc/passwd
+
+# although this feels odd ... by default has group "shadow", meaning
+# uid_entrypoint can't update it. This is necessary for things like
+# sudo to work.
+RUN chown root:root /etc/shadow
+
+RUN chmod g=u /etc/passwd /etc/shadow
 ENV APP_ROOT=/var/lib/nodepool
 ENV HOME=${APP_ROOT}
 ENV USER_NAME=nodepool
diff --git a/tools/uid_entrypoint.sh b/tools/uid_entrypoint.sh
index 3c8d78cf8..b1b21aaf4 100755
--- a/tools/uid_entrypoint.sh
+++ b/tools/uid_entrypoint.sh
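Review bot: `RUN chmod g=u /etc/passwd /etc/shadow`, together with the new `RUN chown root:root /etc/shadow`, leaves the shadow file readable and writable by every process in gid 0, so anything running as the arbitrary-uid nodepool user can read and rewrite the password field of every account in the image, not merely append its own locked entry. The only thing that makes this acceptable is the commit message's observation that no entry carries a password hash, and the Dockerfile comment does not record that assumption; the comment is also missing its subject (`# although this feels odd ... /etc/shadow by default has group "shadow"`). I would expand the comment to state that /etc/shadow is root:shadow by default so a gid-0 entrypoint cannot append to it, that g=u makes it writable by every gid-0 process, and that this is tolerable only while every shadow entry stays locked. As a matter of style the two RUN lines could be a single `RUN chown root:root /etc/shadow && chmod g=u /etc/passwd /etc/shadow` rather than two layers.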
@@ -16,7 +16,8 @@
 
 if ! whoami 2>&1 >/dev/null; then
 if [ -w /etc/passwd ]; then
- echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ echo "${USER_NAME:-default}:!:18211:0:99999:7:::" >> /etc/shadow
 fi
 fi
 exec dumb-init "$@"
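Review bot: The new `echo ... >> /etc/shadow` is guarded only by `[ -w /etc/passwd ]`, so on an image whose /etc/shadow is not group-writable (anything built from a Dockerfile without the matching chmod) the passwd entry is appended but the shadow redirect fails with a permission error, and unless the script's header (outside the hunk) sets `-e` it carries on with exactly the half-created account that produces the "account validation failure" this change is meant to cure. Mirror the passwd guard so the failure is explicit: `if [ -w /etc/shadow ]; then` / `  echo "${USER_NAME:-default}:!:18211:0:99999:7:::" >> /etc/shadow` / `fi`. The `18211` lastchg field is a magic number that appears to be the commit date expressed as days since the epoch, and with max=99999 the locked entry never ages out; a one-line comment such as `# lastchg=18211 (days since epoch, Nov 2019); max=99999 so the locked entry never expires` would save the next reader the arithmetic. USER_NAME is taken from the environment and interpolated into a colon-separated record, so a value containing `:` or a newline would corrupt the file; this was already true for the /etc/passwd line and is only extended, not introduced, here.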