Mssql-docker: Docker image 'mcr.microsoft.com/mssql-tools' doesnt work when run with random uid

Hi,

What message returned when you try to run the container with uid? And you would like to refer to Random user IDs when running Docker containers.

This is the error returned:
"Driver's SQLAllocHandle on SQL_HANDLE_HENV failed."

I am gonna read up on the link you sent regarding running docker containers as random users.

@oddbeck thanks for reporting this, I'll share this with the team. This is an issue with sqlcmd trying to authenticate an unnamed user.

Can you try adding the following lines to your dockerfile, right before CMD?

RUN useradd -r -u 1002 appuser
USER appuser 

this should unblock you for now.

I am having this issue, too. Any progress on fixing?

The use of

RUN useradd -r -u 1002 appuser
USER appuser

isn't considered a standard practice. Especially in systems where the userid is specified from the outside of the container for security reasons.

Another work-around is to specify a UID of an existing user that has a home directory. For instance, nobody with UID 65534 in some images. Check /etc/passwd to see what userids are available.

Examples:

docker run --user nobody ...

docker run --user 65534 ...

One last thought. Using Dockerfile commands like:

RUN useradd -r -u 1002 appuser
USER appuser

is problematic in platforms like OpenShift.

Reason: OpenShift overrides the UID on deployment for security reasons.

Reference: https://cookbook.openshift.org/users-and-role-based-access-control/why-do-my-applications-run-as-a-random-user-id.html

So for mssql-docker to be useful in larger systems in a standard manner, this GitHub issue needs to be fixed.

@docktermj Any workaround for Openshift

@appi147 I haven't tried this on OpenShift. (I've only done Helm Charts on OpenShift with non-root containers having no actual username.)

There does seem to be a glimmer of hope for manually specifying a UID for containers on OpenShift. Reference: https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html So maybe forcing OpenShift to use a specific UID might work.

Caveat: Just a thought; Haven't tried it.

Might be worth starting SQL with a shell script if it isn't already, and have that will do the useradd command if it isn't already present? At least as a near term way to address this?

Has anyone managed to get it working on Openshift?

If you have access to pod terminal, try:

export $(id)
echo "default:x:$uid:0:user:/tmp:/bin/bash" >> /etc/passwd

Its a temporary workaround I found on Internet

That workaround only works if you're root @appi147
I ended up here from a pyodbc issue

The cookbook solution does work, but you need to have an OpenShift admin create a special security group for the user you'll be running as, which you won't have if you move to a cloud provider.

The suggestion does not work.

RUN useradd -r -u 1002 appuser
USER appuser

Error Message

useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.

Has anyone found a way to do this? I'm blocked and questioning how I can include startup scripts during the deployment?

Hi everyone,

I managed to get it working by using the setup used in this[1] and building my own mssql-tools image (it may require copying some bits and modifying it here and there, but he solved the crux of the issue).

I hope this is helpful.

[1] https://github.com/VeerMuchandi/mssql-openshift-tools/tree/master/mssql-client

Hi everyone,

I managed to get it working by using the setup used in this[1] and building my own mssql-tools image (it may require copying some bits and modifying it here and there, but he solved the crux of the issue).

I hope this is helpful.

[1] https://github.com/VeerMuchandi/mssql-openshift-tools/tree/master/mssql-client

Hello there!

I did something similar but using Alpine. I ended up with a 17 MB's image 😃
If you want to take a look, here you have the GitHub repository:
https://github.com/dbamaster/mssql-tools-alpine

Cheers,