17

Problem:

I'm trying to run `git clone myuser@server:repo.git` from within a docker container. Inside the container (due to policy) I am the same user as on the docker host system (non-root) and have my home mounted.

Sadly, when cloning from or trying to ssh into the server, I get an error message like this:

```
No user exists for uid 1337
```

MVCE:

To reproduce the problem you can run the following docker container:

```
docker run --rm -it -v /home/$USER:/home/$USER -e HOME=/home/$USER -w /home/$USER -u $UID:100 --cap-drop=ALL kiesel/debian-ssh-client
```

and inside the container either of the following commands:

```
git clone myuser@server:repo.git
ssh -vT myuser@server
```

Workaround:

Adding a faked `/etc/passwd` with a line for my uid seems to fix the problem (e.g., `getent passwd $USER > /tmp/mypasswd`, then add a `-v /tmp/mypasswd:/etc/passwd:ro` to the docker run cmd).

Sadly this requires shadowing/modifying the container's `/etc/passwd`, which I can imagine will lead to trouble at some point.

Questions:

  • Why is ssh (client) looking at the local (container's) /etc/passwd?
  • Is there a simple way to deactivate that (with user permissions)?
Jörn Hees
  • 4
    Presumably to determine the user's home directory – muru Jun 11 '19 at 18:37
  • 2
    This question was asked (& answered) in a very similar form on Stackoverflow: https://stackoverflow.com/a/57531352/1296709 – derabbink Aug 16 '19 at 21:32
  • The related code might be [this line](https://github.com/openssh/openssh-portable/blob/master/ssh.c#L633). The code further references fields from a `struct` (I don't pretend to know, but) named "dir" and "name". So SSH likes to determine the username and home, like muru guessed. – try-catch-finally Jan 14 '20 at 07:56
  • You are injecting a user ID that doesn't exist in the docker container. `docker run --rm -it -v /home/$USER:/home/$USER -e HOME=/home/$USER -w /home/$USER kiesel/debian-ssh-client` worked fine for me. But the folder created from docker git is owned by root. – dedunu May 29 '20 at 09:50

1 Answer

3

Using this bash function:

```
function docker--run() {
    if [[ -z $1 ]]; then
        echo 'docker--run [-v $PWD:/src] IMAGE'
        return 1
    fi
    # useradd for ubuntu (which has adduser as well)
    # adduser for alpine, others not tested
    docker run -it --rm --entrypoint sh "$@" -c "
          [ -x /usr/sbin/useradd ] && useradd -m -u $(id -u) u1 -s /bin/sh || adduser -D -u $(id -u) u1 -s /bin/sh;
          exec su - u1"
}
```

You can run it as

```
docker--run -v /home/$USER:/home/u1 kiesel/debian-ssh-client
```

It will create a user u1 with your userid in the docker container and then switch to that user.

laktak
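
The passwd-file workaround from the question, as an added example that is not part of the original question or answer: instead of replacing the container's `/etc/passwd` with the host's single line, it keeps the image's own entries and appends one for the calling uid only when that uid is missing. The function name `passwd_with_uid`, its argument order, the file names and the `/bin/sh` login shell are assumptions.

```sh
# Added example, not from the original posts: build a passwd file to bind-mount
# over the container's /etc/passwd. It keeps every entry of the image's own
# file and appends one line for the given uid only if that uid has no entry.
# Assumed setup (illustrative names): the base file was exported first, e.g.
#   docker run --rm --entrypoint cat IMAGE /etc/passwd > base.passwd
# and the result is mounted with  -v "$PWD/out.passwd:/etc/passwd:ro"

# passwd_with_uid BASE OUT UID GID NAME HOME
passwd_with_uid() {
    base=$1 out=$2 uid=$3 gid=$4 name=$5 home=$6
    nl='
'
    # Reject values that would break the colon-separated format or add lines.
    for n in "$uid" "$gid"; do
        case $n in ''|*[!0-9]*) echo "uid/gid must be numeric" >&2; return 2 ;; esac
    done
    case "$name$home" in
        *:*|*"$nl"*) echo "name/home must not contain ':' or newlines" >&2; return 2 ;;
    esac
    if [ -z "$name" ] || [ -z "$home" ]; then
        echo "name and home are required" >&2; return 2
    fi

    cp "$base" "$out" || return 1

    # Field 3 is the uid, which is what a getpwuid() lookup matches on.
    # If the image already maps this uid, leave the file untouched.
    if awk -F: -v u="$uid" '$3 == u { f = 1 } END { exit !f }' "$base"; then
        return 0
    fi

    # Do not reuse a login name the image already defines for another uid.
    if awk -F: -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$base"; then
        name="${name}_${uid}"
    fi

    # Make sure the appended entry starts on its own line.
    if [ -n "$(tail -c1 "$out")" ]; then
        echo >> "$out"
    fi

    # name:password placeholder:uid:gid:gecos:home:shell
    printf '%s:x:%s:%s::%s:/bin/sh\n' "$name" "$uid" "$gid" "$home" >> "$out"
}
```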