regression: Docker v1.5.0 ISO has new docker uid #5755

Closed
gfdusc opened this issue Oct 28, 2019 · 4 comments · Fixed by #5767

@gfdusc

gfdusc commented Oct 28, 2019

Hello,
the image minikube-v1.5.0.iso contains the docker user with different id/group numbers compared with the previous versions.

This causes issues for people relying on the default (home) shared volume because now it is owned by a different user.

With minikube versions 1.2.0, 1.3.0, 1.4.0:

$ minikube ssh "cat /etc/passwd"
[...]
docker:x:1000:1000:-:/home/docker:/bin/bash
[...]

But with minikube version 1.5.0:

$ minikube ssh "cat /etc/passwd"
[...]
docker:x:1009:1017:-:/home/docker:/bin/bash
[...]

This causes permission issues for people using the default (home) shared folder and relying on minikube default user id.

The exact command to reproduce the issue:

The full output of the command that failed:

The output of the minikube logs command:

The operating system version:

@tstromberg tstromberg changed the title Regression docker user id regression: Docker v1.5.0 ISO has new docker uid Oct 28, 2019
@afbjorklund
Collaborator

Thank you for noticing this! There's a bunch of new system users added by the new OS.
Most likely, these should have gotten lower numbers (1000 is usually for regular users).

Users:

dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false
sshd:x:1001:1001:SSH drop priv user:/var/empty:/bin/false
systemd-bus-proxy:x:1002:1006:Proxy D-Bus messages to/from a bus:/:/bin/false
systemd-journal-gateway:x:1003:1007:Journal Gateway:/var/log/journal:/bin/false
systemd-journal-remote:x:1004:1008:Journal Remote:/var/log/journal/remote:/bin/false
systemd-journal-upload:x:1005:1009:Journal Upload:/:/bin/false
systemd-network:x:1006:1010:Network Manager:/:/bin/false
systemd-resolve:x:1007:1011:Network Name Resolution Manager:/:/bin/false
systemd-timesync:x:1008:1012:Network Time Synchronization:/:/bin/false

Groups:

sshd:x:1001:
input:x:1002:
systemd-journal:x:1003:
render:x:1004:
kvm:x:1005:
systemd-bus-proxy:x:1006:
systemd-journal-gateway:x:1007:
systemd-journal-remote:x:1008:
systemd-journal-upload:x:1009:
systemd-network:x:1010:
systemd-resolve:x:1011:
systemd-timesync:x:1012:
containerd-admin:x:1013:
containerd:x:1014:
crio-admin:x:1015:
crio:x:1016:
dbus:x:1000:dbus

@afbjorklund afbjorklund added area/guest-vm General configuration issues with the minikube guest VM kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Oct 28, 2019
@afbjorklund afbjorklund added this to the v1.6.0-candidate milestone Oct 28, 2019
@tstromberg tstromberg modified the milestones: v1.6.0-candidate, v1.5.1 Oct 28, 2019
@afbjorklund
Collaborator

Will try to compare the buildroot versions, and see where this changed...

-BUILDROOT_BRANCH ?= 2018.05.3
+BUILDROOT_BRANCH ?= 2019.02.6

https://buildroot.org/

@afbjorklund
Collaborator

This is due to the introduction of BR2_PACKAGE_SYSTEMD_SYSUSERS for the system users.

ifeq ($(BR2_PACKAGE_SYSTEMD_SYSUSERS),y)
define OPENSSH_INSTALL_SYSTEMD_SYSUSERS
	$(INSTALL) -m 0644 -D package/openssh/sshd-sysusers.conf \
		$(TARGET_DIR)/usr/lib/sysusers.d/sshd.conf
endef
else
define OPENSSH_USERS
	sshd -1 sshd -1 * /var/empty - - SSH drop priv user
endef
endif

Apparently there is some bug in systemd-sysusers, that causes it to allocate real users/groups...

@afbjorklund
Collaborator

We actually did this earlier for dbus (only), but then it ended up in the right order:

docker:x:1000:1000:-:/home/docker:/bin/bash
dbus:x:1001:1001:DBus messagebus user:/var/run/dbus:/bin/false
sshd:x:1002:1002:SSH drop priv user:/:/bin/false
systemd-bus-proxy:x:1003:1007:Proxy D-Bus messages to/from a bus:/:/bin/false
systemd-journal-gateway:x:1004:1008:Journal Gateway:/var/log/journal:/bin/false
systemd-journal-remote:x:1005:1009:Journal Remote:/var/log/journal/remote:/bin/false
systemd-journal-upload:x:1006:1010:Journal Upload:/:/bin/false
systemd-network:x:1007:1011:Network Manager:/:/bin/false
systemd-resolve:x:1008:1012:Network Name Resolution Manager:/:/bin/false
systemd-timesync:x:1009:1013:Network Time Synchronization:/:/bin/false

$ more /usr/lib/sysusers.d/dbus.conf
# sysusers.d snippet for creating the D-Bus system user automatically
# at boot on systemd-based systems that ship with an unpopulated
# /etc. See sysusers.d(5) for details.

u dbus - "System Message Bus"

But now the package users are created before the BR2_ROOTFS_USERS_TABLES:

+       $(call PRINTF,$(PACKAGES_USERS)) >> $(ROOTFS_FULL_USERS_TABLE)
 ifneq ($(ROOTFS_USERS_TABLES),)
-       cat $(ROOTFS_USERS_TABLES) >> $(USERS_TABLE)
+       cat $(ROOTFS_USERS_TABLES) >> $(ROOTFS_FULL_USERS_TABLE)
 endif
-       $(call PRINTF,$(PACKAGES_USERS)) >> $(USERS_TABLE)
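Review bot: Moving `$(call PRINTF,$(PACKAGES_USERS))` from after the `cat $(ROOTFS_USERS_TABLES)` line to before it reverses the order in which entries reach the full users table, and nothing in the hunk documents that. Entries from a board's users table now follow the package users, so any entry that leaves its uid or gid to automatic allocation can receive a different number than it did with the old ordering. A comment above the PRINTF line stating that package users are intentionally written first, plus a note that users tables needing stable ids should give them explicitly, would make the change visible to downstream images.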

And there doesn't seem to be a buildroot config to change this behaviour back, either.

buildroot/buildroot@c3edec0


So we will probably have to hard-code the UID/GID for the user to be 1000/1000?

deploy/iso/minikube-iso/board/coreos/minikube/users

"Sometimes it is needed to add specific users in the target system. To cover this requirement, Buildroot provides support for so-called users tables. To use this feature, set config option BR2_ROOTFS_USERS_TABLES to a space-separated list of users tables, regular text files following the makeusers syntax."

https://buildroot.org/downloads/manual/manual.html#makeuser-syntax
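
A check for the regression reported in this thread, added here as an example (not code from minikube or Buildroot): it reads passwd-format text, verifies that an account is pinned to the expected uid:gid, and warns about no-login accounts sitting in the regular-user range. The function names and finding labels are assumptions of the example; the sample lines are a subset of the listings quoted above.

```shell
#!/bin/sh
# Added example, not from the minikube or Buildroot sources.
# audit_passwd USER UID GID < passwd-format text
#   prints findings, returns 1 when USER is not pinned to UID:GID.
audit_passwd() {
    awk -F: -v user="$1" -v uid="$2" -v gid="$3" '
        { sub(/\r$/, "") }  # output fetched over a tty may carry CR
        NF < 7 { next }     # skip "[...]" elisions and blank lines
        $1 == user {
            seen = 1
            if ($3 != uid || $4 != gid) {
                printf "MISMATCH %s has %s:%s, expected %s:%s\n", user, $3, $4, uid, gid
                bad = 1
            }
            next
        }
        $3 == uid { printf "TAKEN uid %s is held by %s\n", uid, $1; bad = 1 }
        # no-login accounts in the regular-user range: warn only
        $3 >= 1000 && $3 < 65534 && $7 ~ /\/(false|nologin)$/ {
            printf "WARN %s uid=%s is a no-login account in the regular-user range\n", $1, $3
        }
        END {
            if (!seen) { printf "MISSING %s\n", user; bad = 1 }
            exit bad + 0
        }
    '
}

# Sample input: passwd lines quoted in this thread (subset).
sample_v150() {
    cat <<'EOF'
dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false
sshd:x:1001:1001:SSH drop priv user:/var/empty:/bin/false
docker:x:1009:1017:-:/home/docker:/bin/bash
EOF
}
sample_earlier() {
    cat <<'EOF'
docker:x:1000:1000:-:/home/docker:/bin/bash
dbus:x:1001:1001:DBus messagebus user:/var/run/dbus:/bin/false
EOF
}

# Against a live VM: minikube ssh "cat /etc/passwd" | audit_passwd docker 1000 1000
sample_v150 | audit_passwd docker 1000 1000 || echo "v1.5.0 sample: docker is not 1000:1000"
sample_earlier | audit_passwd docker 1000 1000 && echo "earlier sample: docker is 1000:1000"
```

Run as an image build or CI gate, the non-zero return catches a uid change before files on a host-shared volume end up owned by an unexpected account.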
