The user "nobody" missing in /etc/passwd #1197
Comments
|
It's in |
|
Hi @bgilbert - I created an issue on nomad GH and got this reply:
I am not familiar with |
|
You mentioned a chroot; is Nomad querying password entries inside the chroot or outside? If inside, how is the chroot created? |
I do not know. Nomad itself is running as |
|
Not really a solution but as a workaround, manually copying the nobody entry from |
|
@bgilbert I got this answer:
|
|
Okay, then I'd expect everything to work properly. Sounds like this will need some debugging. |
|
I hit this snag randomly today while testing Nomad 1.4.0-rc1. Nomad now seems to care if the Nobody user is missing from and manually adding the entries:
allows for jobs to start but when trying to add the nobody user in via Butane results in more failures because Results in failure because the Nobody user is already half present.
Can we just ensure that Nobody has the correct entries in |
I suspect the problem is that this is statically linked Go code, and hence it's not using NSS so it's not picking up altfiles: The fix here should be on the Hashicorp side; no one should be using |
|
Please file a bug with them. |
|
@cgwalters I am not using the exec task driver. I am using the podman driver. If FCOS has users present on the system, it should have entries in the standard files otherwise things can break. I don't have an issue filing an issue on their end but I will have to work around this until a fix is present because the nobody user is half present in FCOS. IMO that is a bug with FCOS not specifically just Nomad. What is the technical reason for not having these common users present in |
It's because |
|
Thanks for taking the time to explain it Colin. Makes sense. I opened an issue to see if I can get Hashicorp to address the problem in their up-and-coming new version. I will work around it in the meantime. |
|
👋 Nomad developer here! For clarity, the problem @jdoss hit with Even with that fix the original problem reported here by @ahjohannessen is still open in Nomad as hashicorp/nomad#13047 and we're still puzzled by this. The user lookup is happening in the Nomad agent as it sets up a directory for the task (which get bind-mounted to the runc container; there's no chroot here just the usual pivot_root of runc unless the user has specifically opted-in to legacy behavior). But as far as I can tell there's nothing unexpected going on on the Fedora-CoreOS side. |
|
@tgross if you just take the code from Nomad that does the user lookup (i.e. should be able to distill it down to a few line golang file) and compile and run that on an FCOS node does it give you the correct or incorrect result? |
|
Yup, that works as we'd expect, which is why it's still a head scratcher! Our equivalent code in Nomad is fs_unix.go#L42, and this is all happening in the agent running as root. But here's a minimal repro that works just fine: package main
import (
"fmt"
"os"
"os/user"
)
func main() {
user, err := user.Lookup("nobody")
if err != nil {
fmt.Printf("failed: %v", err)
os.Exit(1)
}
if user == nil {
fmt.Printf("failed: no such user")
os.Exit(1)
}
fmt.Printf("uid=%s\n", user.Uid)
}Running on the most recently-published Fedora CoreOS stable container image: But as far as we're concerned, this is definitely a Nomad issue and not a Fedora CoreOS one. |
|
Anybody have handy the error message that a user sees? Is what @jdoss posted in #1197 (comment) right or was that just the issue that got fixed in |
I am using Hashicorp Nomad with its exec task driver and it uses chroot and expects a nobody user in /etc/passwd as it by default uses that user. I can see that nobody is somewhere on my system:
However, the exec driver fails as it cannot find the nobody user in /etc/passwd.
Is there a way I can via ignition or otherwise make the nobody a part of /etc/passwd?
Creating the user via useradd does not work as it fails with the user already exists.
The text was updated successfully, but these errors were encountered: