The -a parameter is missing from the software rust version #876

Closed
vndroid opened this issue Jun 28, 2022 · 8 comments
@vndroid
Contributor

vndroid commented Jun 28, 2022

As in the libev version, -a nobody can be used to run the main program. This makes debugging easier in container environments. I wish to implement this feature.

@zonyitoo
Collaborator

zonyitoo commented Jun 28, 2022

Why is that useful in a container? It is just for switching the user when starting the process as a daemon.
https://github.com/shadowsocks/shadowsocks-libev/blob/89b5f987d6a5329de9713704615581d363f0cfed/src/utils.c#L111

@vndroid
Contributor Author

vndroid commented Jun 28, 2022

Why is that useful in a container? It is just for switching the user when starting the process as a daemon. https://github.com/shadowsocks/shadowsocks-libev/blob/89b5f987d6a5329de9713704615581d363f0cfed/src/utils.c#L111

If the -a parameter were supported, the startup script could use exec to run the daemon, and docker exec could then be used to replace the CMD parameter to enter the container while it is running. Currently the container cannot be entered normally.

@zonyitoo
Collaborator

docker run has a --user parameter to specify which user runs the command. Furthermore, why would docker exec being unable to enter the container have anything to do with the program running as a specific user?

@vndroid
Contributor Author

vndroid commented Jun 28, 2022

I know about the docker --user parameter, but it causes a problem: the nobody user used after starting the container is a low-privileged user and cannot perform common operations such as installing debugging tools and debugging.

On the other hand, if the program supports running as a specific user, the container can be brought up with root privileges, and the user can operate normally after entering the container.

@vndroid
Contributor Author

vndroid commented Jun 28, 2022

When you execute the docker container run/exec -it xxx:xxx /bin/sh command, the last part, /bin/sh, is appended to the Dockerfile CMD command as a parameter, which means that the current official container cannot replace the main program, so it is impossible to enter the container for debugging.

For example:

  • ss-rust
$ docker container run --rm -it shadowsocks/ssserver-rust:latest /bin/sh
error: Found argument '/bin/sh' which wasn't expected, or isn't valid in this context

USAGE:
    ssserver [OPTIONS]

For more information try --help
  • nginx
$ docker container run --rm -it nginx:alpine /bin/sh
Unable to find image 'nginx:alpine' locally
alpine: Pulling from library/nginx
2408cc74d12b: Already exists
dd61fcc63eac: Pull complete
f9686e628075: Pull complete
ceb5504faee7: Pull complete
ce5d272a5b4f: Pull complete
136e07b65aca: Pull complete
Digest: sha256:8e38930f0390cbd79b2d1528405fb17edcda5f4a30875ecf338ebaa598dc994e
Status: Downloaded newer image for nginx:alpine
/ # 

@zonyitoo
Collaborator

Maybe because it sets USER nobody in the Dockerfile?

USER nobody

@vndroid
Contributor Author

vndroid commented Jun 28, 2022

Maybe because it sets USER nobody in the Dockerfile?

USER nobody

Yes, but that is not directly related. Because the program does not support custom users, there is no way to use a script to start the main program.

For example: https://github.com/nginxinc/docker-nginx/blob/d4a47bc6602d3a1412dad48a8513b83805605ef3/mainline/alpine-perl/docker-entrypoint.sh

#!/bin/sh
# vim:sw=4:ts=4:et

set -e

if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
    exec 3>&1
else
    exec 3>/dev/null
fi

if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
        echo >&3 "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"

        echo >&3 "$0: Looking for shell scripts in /docker-entrypoint.d/"
        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
            case "$f" in
                *.sh)
                    if [ -x "$f" ]; then
                        echo >&3 "$0: Launching $f";
                        "$f"
                    else
                        # warn on shell scripts without exec bit
                        echo >&3 "$0: Ignoring $f, not executable";
                    fi
                    ;;
                *) echo >&3 "$0: Ignoring $f";;
            esac
        done

        echo >&3 "$0: Configuration complete; ready for start up"
    else
        echo >&3 "$0: No files found in /docker-entrypoint.d/, skipping configuration"
    fi
fi

exec "$@"

Use the exec command to start the daemon and let the program choose the user to run as.

In the Dockerfile:

...
...
ENTRYPOINT ["/docker-entrypoint.sh"]

EXPOSE 80

STOPSIGNAL SIGQUIT

CMD ["nginx", "-g", "daemon off;"]

It can be understood that when the container is started, the Dockerfile CMD parameter is appended after the ENTRYPOINT (e.g. docker-entrypoint.sh nginx -g daemon off;), and when the user executes docker container run/exec -it nginx:alpine-perl /bin/sh, the last part of the user's command, /bin/sh, replaces the ENTRYPOINT parameter (docker-entrypoint.sh /bin/sh).

It should be easier for you to understand this.

@vndroid
Contributor Author

vndroid commented Jun 28, 2022

In short, if you want to make a Docker image that can be entered and can be run as a low-privileged user, you need to implement a -a parameter similar to the one in the shadowsocks-libev version.
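The switch-user step that the thread refers to (the libev run_as helper and the requested -a option: start as root, resolve the target user, drop to it permanently, then carry on as the daemon) as an added Rust example. This is not code from shadowsocks-rust or shadowsocks-libev; the function names resolve_user, drop_privileges and current_ids are the example's own, and it assumes Linux, where uid_t and gid_t are u32 and std already links libc, so the few libc calls are declared directly instead of pulling in the libc crate. The /etc/passwd text is passed in as a string so the lookup can be exercised on constructed data.

```rust
// Added example, not project code: a minimal run_as("user") step like the
// -a option discussed in this issue. Assumes Linux (uid_t/gid_t are u32).
use std::fs;
use std::io;

// libc calls used for the switch, declared here so the example is
// self-contained (std already links libc on Linux).
unsafe extern "C" {
    fn getuid() -> u32;
    fn getgid() -> u32;
    fn setgid(gid: u32) -> i32;
    fn setuid(uid: u32) -> i32;
    fn setgroups(size: usize, list: *const u32) -> i32;
}

/// Real uid and gid of the calling process.
pub fn current_ids() -> (u32, u32) {
    // SAFETY: getuid/getgid take no arguments and cannot fail.
    unsafe { (getuid(), getgid()) }
}

/// Resolve a user spec of the form `name`, `uid` or `uid:gid` to (uid, gid).
/// `passwd` is the text of /etc/passwd (name:pw:uid:gid:gecos:home:shell).
pub fn resolve_user(spec: &str, passwd: &str) -> Result<(u32, u32), String> {
    if let Some((u, g)) = spec.split_once(':') {
        let uid = u.parse::<u32>().map_err(|_| format!("bad uid '{u}'"))?;
        let gid = g.parse::<u32>().map_err(|_| format!("bad gid '{g}'"))?;
        return Ok((uid, gid));
    }
    for line in passwd.lines() {
        let f: Vec<&str> = line.split(':').collect();
        if f.len() < 4 {
            continue; // malformed line, skip it
        }
        if f[0] == spec || f[2] == spec {
            let uid = f[2].parse::<u32>().map_err(|_| format!("bad uid for '{}'", f[0]))?;
            let gid = f[3].parse::<u32>().map_err(|_| format!("bad gid for '{}'", f[0]))?;
            return Ok((uid, gid));
        }
    }
    Err(format!("unknown user '{spec}'"))
}

/// Drop to uid:gid permanently. Order matters: supplementary groups and the
/// gid are changed while still root, because after setuid the process is no
/// longer allowed to change them. Finally verify that root cannot be regained.
pub fn drop_privileges(uid: u32, gid: u32) -> io::Result<()> {
    let (cur_uid, cur_gid) = current_ids();
    // SAFETY: plain libc calls; the only pointer is an empty group list.
    unsafe {
        if setgroups(0, std::ptr::null()) != 0 && (cur_uid != uid || cur_gid != gid) {
            // EPERM is expected for an unprivileged caller that is not really
            // switching; for an actual switch it is a hard failure.
            return Err(io::Error::last_os_error());
        }
        if setgid(gid) != 0 {
            return Err(io::Error::last_os_error());
        }
        if setuid(uid) != 0 {
            return Err(io::Error::last_os_error());
        }
        // A real drop is only complete if setuid(0) now fails.
        if uid != 0 && setuid(0) == 0 {
            return Err(io::Error::new(io::ErrorKind::Other, "privileges were not dropped"));
        }
    }
    Ok(())
}

fn main() {
    // Usage: run_as_example [user]   (default "nobody", as in the issue)
    let spec = std::env::args().nth(1).unwrap_or_else(|| "nobody".to_string());
    let passwd = fs::read_to_string("/etc/passwd").unwrap_or_default();
    let (uid, gid) = match resolve_user(&spec, &passwd) {
        Ok(ids) => ids,
        Err(e) => {
            eprintln!("{e}");
            std::process::exit(1);
        }
    };
    if let Err(e) = drop_privileges(uid, gid) {
        eprintln!("run as {spec} failed: {e}");
        std::process::exit(1);
    }
    let (u, g) = current_ids();
    println!("now running as uid={u} gid={g}; the daemon would start here");
}
```

Started as root in the container, the daemon ends up as nobody while the image itself can keep root as its USER, which is the combination vndroid asks for: docker exec still yields a root shell for installing tools, and only the service process runs unprivileged. The setgroups/setgid-before-setuid ordering and the final setuid(0) check are the two details that are easy to get wrong in a hand-written drop; skipping either leaves the process with more privilege than the -a option suggests.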
