Che: I have no name! instead of user name in terminal running custom devfile

Created on 15 Apr 2020 · 6 Comments · Source: eclipse/che

After creating a custom minimal devfile:

metadata:
  name: MyDevfile
components:
  - mountSources: true
    args:
      - sleep
      - infinity
    memoryLimit: 512Mi
    type: dockerimage
    alias: ubuntu
    image: picoded/ubuntu-openjdk-8-jdk
apiVersion: 1.0.0

Opening the terminal and executing /bin/bash the user has no name:
I have no name!@workspace1grh40aawaiokuav:/workspace$

Also any command requiring root privileges is unauthorized.

I'm trying multiple standard Docker images, but found the same problem.
I need a vanilla system where I can try to install some tools, so having a basic user, sudo and root privileges is mandatory.

All 6 comments

@ultrafab Could you elaborate more about your installation? Is it Che deployed with Helm/Operator on K8s/OS? Are root privileges allowed there?

here are some tips:

Hi @sleshchenko, Che is deployed on OpenShift 3.11, operator, multiuser.

Using your first tip, compiling a Docker image with the Ubuntu Dockerfile standard (just upgraded from 16.04 to 18.04), and starting a new terminal in Che, now there's a correct prompt:
user@workspace1grh40aawaiokuav:/projects$

Trying to use a sudo command:

user@workspace1grh40aawaiokuav:/projects$ sudo apt update
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: setresuid() [0, 0, 0] -> [1000130000, -1, -1]: Operation not permitted
sudo: unable to initialize policy plugin

The same image, launched from terminal outside Che, works as expected.

@ultrafab Do I understand correctly that you asked for help configuring your OpenShift installation to allow sudo rights and then start a workspace with them?
Note it's not typical to run a sudo container on OpenShift, but you can find some info here: https://dodgydudes.se/allow-containers-to-run-as-root-on-openshift-3-10/

@ultrafab OpenShift generally does not allow containers to run as root (or a defined user at all). For the devfiles in the default registry, we build patched images to support the OpenShift use-case, as many images do not take it into account. You could do the same for your image using the dockerfile in the devfile registry (https://github.com/eclipse/che-devfile-registry/blob/master/arbitrary-users-patch/)

cd che-devfile-registry/arbitrary-users-patch
docker build -t picoded/ubuntu-openjdk-8-jdk-che \
    --no-cache \
    --build-arg FROM_IMAGE=picoded/ubuntu-openjdk-8-jdk \
    .

This would build an image picoded/ubuntu-openjdk-8-jdk-che that won't face the error when running on OpenShift.

For background info, for security reasons OpenShift requires containers to run using an arbitrarily assigned non-root user ID. The best practices for running containers on OpenShift are

  • Any file that needs to be readable/writable has to belong to group 0 and have read/write permissions
  • If username/home directory/etc. are required, an entry to /etc/passwd should be added for the current userID in the entrypoint. We need to do this since we open terminals in the container.

If you intend to do apt-get update in the container, this should be done when building the image -- otherwise you would have to execute the command on every startup of the container.
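The two practices listed in the comment above, as an added example (not code from the Che devfile registry or from the comment's author): an entrypoint helper that checks group read/write permission and adds an /etc/passwd entry for the assigned UID. The `USER_NAME` variable and the `user` and `/projects` defaults are assumptions.

```shell
#!/bin/sh
# Added example (not from the Che repositories). Entrypoint helper for images
# that OpenShift starts under an arbitrary, non-root UID.

# Succeeds if PATH is owned by group GID (default 0) and is group read/write.
group_rw() {
    ls -ldn "$1" | awk -v g="${2:-0}" \
        '{ exit !($4 == g && substr($1, 5, 2) == "rw") }'
}

# Appends a passwd entry for UID unless one already exists.
# Args: passwd-file uid gid user-name home-dir
ensure_passwd_entry() {
    file=$1 uid=$2 gid=$3 name=$4 home=$5
    # Field 3 of passwd is the numeric UID; do nothing if it is already mapped.
    if awk -F: -v u="$uid" '$3 == u { hit = 1 } END { exit !hit }' "$file"; then
        return 0
    fi
    if [ ! -w "$file" ]; then
        echo "$file not writable by uid $uid: chgrp 0 + chmod g+rw at build time" >&2
        return 1
    fi
    printf '%s:x:%s:%s:%s:%s:/bin/bash\n' \
        "$name" "$uid" "$gid" "$name" "$home" >> "$file"
}

# Entrypoint mode: runs only when a command is passed, e.g. "sleep infinity".
if [ "$#" -gt 0 ]; then
    # USER_NAME is a hypothetical variable; "user" and /projects are assumed defaults.
    ensure_passwd_entry /etc/passwd "$(id -u)" 0 \
        "${USER_NAME:-user}" "${HOME:-/projects}" || :
    exec "$@"
fi
```

For the append to succeed at runtime, /etc/passwd must already be owned by group 0 with group read/write permission in the image, which `group_rw /etc/passwd` can verify during the build.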

@sleshchenko @amisevsk first of all thank you for your support, I'll try to generate a Docker image with the arbitrary user patch and try.

Also thanks for the insight about the security issues, I fully understand the rationale behind the OpenShift choices.

Just to try to explain my use case and why I'm looking for this kind of solution: sometimes I would like to be able to test some tools or libraries inside a sandbox running on our company servers, behind a firewall. Sometimes the sandbox is a full VM (kvm) or recently an LXD container. The problem is having an IDE able to reach the sandbox, without needing to map SMB/NFS folders, etc. Eclipse Che seems the perfect solution, because if I'm at home (during this lockdown) I can just open my laptop (win/ubuntu or whatever) and spin up a container where I have a terminal, a working sudo user and an IDE. Of course, for any other needs, during a standard dev process, we have standard and "locked" Docker images where all the tools are already installed and under control.

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.
