Docker Community Forums

Share and learn in the Docker community.

Copy passwd, group, shadow before authentication (like schroot does)

#1

I have a question regarding user permissions.

Currently, I’m maintaining a defined chroot build environment for ~ 50 users (based on Ubuntu 18.04). The tool we are using is schroot. Host system is 18.04, too.

We are evaluating a switch to docker as build environment.

In my first tests, everything was fine, except the authentication. In schroot, the files “passwd”, “group” and “shadow” are copied to the session (=docker container) before login.
Afterwars, we bindmount /home into the container. So, a developer can start the session, build in a defined environment, but stay in his home environment. Binary artifacts with (his) permissions will stay in his build folders - so we don’t have any problems with different users and different permissions.

Now, with docker, I did a lot of work simulation the same behaviour - but it seems to be impossible. The nearest I achieved, was starting the container with:

docker run --rm -it -w $PWD -e USER=$USER -e HOST_UID=$(id -u) -e HOST_GID=$(id -g) -v /home:/home [image-name]

Inside, there is a profile.d script that does something like:

useradd --uid ${HOST_UID} --gid ${HOST_GID} --no-create-home ${USER}

and a second script:

su ${USER} -c bash

This is working, but I don’t like it, because logging out will need two times CTRL+D (log out user AND root).

This is still a workaround and I wanted to know whether there is an easier way to directly login to the docker container using option “-u” with outside (host’s) user/passwd files.

I already tested mounting the three files passwd, group and shadow - but they are mounted after authentication (-u).
And I tested sssd, but also here, the pipes are mounted after authentication (-u).

Am I thinking in the wrong direction - do I have to throw away our current behaviour completely?

Thanks for any help!