sonic-cli fails with user related issue

[ghost]

sonic-cli invocation fails with below error -

admin@sonic: sonic-cli
sonic# configure terminal
sonic(config)# interface Ethernet 4
Traceback (most recent call last):
File "/usr/sbin/cli/sonic-cli-if.py", line 167, in
pipestr().write(sys.argv)
File "/usr/sbin/cli/scripts/rpipe_utils.py", line 14, in init
pwrec = pwd.getpwuid(os.getuid())
KeyError: 'getpwuid(): uid not found: 1000'
sonic(config)# exit
sonic# exit
admin@sonic: logout

=============

"admin" user is created by default in SONiC, and the same is used to access sonic-cli utilities in mgmt-framework container. But in mgmt-framework container admin user is missing.
So this error is seen.

I found that earlier users from SONiC were imported to mgmt-framework also.

In https://github.com/sonic-net/sonic-buildimage/pull/6148/files
""
symbolic links will be removed when AAA improvements get merged
RUN ln -sf /host_etc/passwd /etc/passwd
""

Later this was removed in
https://github.com/sonic-net/sonic-buildimage/pull/9375/files

My queries are as below

1. Does any other pull request handle the user creation in mgmt-framework ?
2. If we create a new user or update password of existing user in SONiC how it will get propagated to mgmt-framework container ?

[neethajohn]

@venkatmahalingam , can you please help assign?

[venkatmahalingam]

@jeff-yin Do you know the history behind the changes mentioned in this issue?

[jeff-yin]

No, unfortunately I'm not familiar with the change mentioned from #9375.
Upon review it looks like this is an unresolved "to do" item from #6148. That was supposed to be resolved by the enhancements to NSS module in #5553 but it never got merged. At this point we should revisit the AAA improvements since Martin is no longer involved in the SONiC project.

In the meantime, @kwangsuk can we pursue an alternative solution?

the debug container is built without /etc being mounted at /host_etc in the container (which does happen at runtime)

Can we do the symlinks at runtime rather than in the dockerfile?

[justindthomas]

I'm a new user of SONiC (I first installed it yesterday) and ran into this today on a Dell N3248TE-ON running the latest build. Is the correct fix to install that symbollic link from /etc/passwd in the management container to /host_etc/passwd? That seems like it would overwrite conflicting information in /etc/passwd.

I got around it by just creating a version of my user in the management container with the same UID as in the host container, but that seems really clunky.

I'm surprised this isn't a noisier issue; being able to run sonic-cli is a pretty core part of the platform, isn't it?

[jeff-yin]

Hi Justin, Actually the sonic-cli isn’t widely employed today by SONiC users; most (all?) users are still using the Python-based “Click” CLI which runs on the host (i.e., not in a container). With that said, the management container is providing a REST interface using the OpenConfig data model. IIRC there was a symbolic link from /etc/passwd into /host_etc/passwd. Thanks, Jeff Internal Use - Confidential From: Justin Thomas ***@***.***> Sent: Wednesday, September 20, 2023 3:54 PM To: sonic-net/sonic-buildimage ***@***.***> Cc: Yin, Jeff ***@***.***>; Mention ***@***.***> Subject: Re: [sonic-net/sonic-buildimage] sonic-cli fails with user related issue (Issue #13317) [EXTERNAL EMAIL] I'm a new user of SONiC (I first installed it yesterday) and ran into this today on a Dell N3248TE-ON running the latest build. Is the correct fix to install that symbollic link from /etc/passwd in the management container to /host_etc/passwd? That seems like it would overwrite conflicting information in /etc/passwd. I got around it by just creating a version of my user in the management container with the same UID as in the host container, but that seems really clunky. I surprised this isn't a noisier issue; being able to run sonic-cli is a pretty core part of the platform, isn't it? — Reply to this email directly, view it on GitHub [github.com]<https://urldefense.com/v3/__https:/github.com/sonic-net/sonic-buildimage/issues/13317*issuecomment-1728525922__;Iw!!LpKI!nuc_hrsKmWI7GEhNOKtpPdA7mFV9Er_uu3fUtWhEYfOVrjYlC6t8dNcCAptshId4clXSeyRPHhM4iWjvPTFhPSoU$>, or unsubscribe [github.com]<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/AG7IXBPRIS6PFEYQFEB3AG3X3NXXBANCNFSM6AAAAAATWHSI3Q__;!!LpKI!nuc_hrsKmWI7GEhNOKtpPdA7mFV9Er_uu3fUtWhEYfOVrjYlC6t8dNcCAptshId4clXSeyRPHhM4iWjvPX4vjfWM$>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[justindthomas]

Thanks for the correction! I've spent quite a bit of time with the system over the last few days. Between the Click commands and editing config_db.json directly, I think I have a better handle on things now.

For user management, I'm planning to experiment with TACACS+ today. That's the last bit that I'm not quite solid on yet.

[fritterhoff]

Any update on this issue? Will this ever get fixed? ;)

[kwangsuk]

The init of pipestr class builds a unique file spec for each session to render piped output, that currently concatenates the prefixed token with a uid (or pwname) to avoid collision. But, since the render/pipestr has nothing do with client authentication, it would be a sufficient fix by replacing
self.pipestr = "/tmp/pipestr-{}".format(os.getuid())
with
self.pipestr = "/tmp/pipestr-" + str(os.getppid())

[fritterhoff]

What about mounting the missing file again?