Easiest way for container to use host user? And how to fix gdb crashing container issue?

Newbie here! I started off with this command which allows me to build Alpine versions of software using musl. It all works as expected except that the container written files annoyingly show up as root files on the host:

$ docker run -it --privileged --rm -v `pwd`:/extern alpine:3.11.0 sh

So I came up with this command line which automates installing all the Alpine packages as well as ‘borrowing’ the users and passwords from the Ubuntu host, and allowing the container to build the software as my regular non-root user, which also means that the container files written show up as regular user files on the host:

$ docker run -it --privileged --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --rm -v `pwd`:/extern -v /etc/passwd:/etc/passwd:ro -v /etc/shadow:/etc/shadow:ro -v /etc/sudoers:/etc/sudoers:ro alpine:3.11.0 sh -c "apk update ; apk add sudo bash shadow ; mkdir /home/$USER ; groupadd sudo ; apk add gdb gcc libc-dev coreutils make perl automake autoconf libtool pkgconfig zlib-static zlib-dev expat-static openssl-libs-static openssl-dev ; su - $USER"

Question #1: Is there a downside to ‘borrowing’ like this? And is there an easier / better way to achieve the same results?

The only issue I have noticed is that gdb fails to work and upon running will silently crash and exit the container:

$ gdb --silent --args ls
Reading symbols from ls...
(No debugging symbols found in ls)
(gdb) run
Starting program: /bin/ls 
simon@ubuntu:~/$ # <-- silently exited container here!

Same thing happens using sudo:

$ sudo gdb --silent --args ls
...
[sudo] password for simon: 
Reading symbols from ls...
(No debugging symbols found in ls)
(gdb) run
Starting program: /bin/ls 
simon@ubuntu:~/$ # <-- silently exited container here!

Note: If I run gdb as root using the top docker command and not ‘borrowing’ host users then gdb works as expected:

/ # gdb --silent --args ls
Reading symbols from ls...
(No debugging symbols found in ls)
(gdb) run
Starting program: /bin/ls 
bin     dev     etc     extern  home    lib     media   mnt     opt     proc    root    run     sbin    srv     sys     tmp     usr     var
[Inferior 1 (process 12) exited normally]
(gdb) quit
/ # 

Question #2: Why is gdb apparently crashing docker like this, and how can I get it to work?

Environment:

$ lsb_release -a 2>&1 | egrep Description
Description: Ubuntu 19.10

$ docker -v
Docker version 19.03.2, build 6a30dfca03

This seems like a better way to do things:

  • Build cached changes locally on-the-fly with docker build.
  • Tell docker run which user to use.
  • Set up container so that $USER can sudo without a password.

$ perl -e 'chomp($user=`cat /etc/passwd | egrep $ENV{USER}`); printf qq[FROM alpine:3.11.0\nRUN apk update\nRUN apk add sudo bash shadow gdb gcc libc-dev coreutils make perl automake autoconf libtool pkgconfig zlib-static zlib-dev expat-static openssl-libs-static openssl-dev\nRUN echo "$user" >> /etc/passwd ; echo "$ENV{USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers];' | /usr/bin/time docker build -t my-alpine-image:dev - && /usr/bin/time docker run -it --privileged --user $(id -u):$(id -g) --rm -v `pwd`:/extern my-alpine-image:dev sh -c 'whoami ; cd extern ; touch foo.txt ; ls -alh foo.txt ; sudo apk update'
Sending build context to Docker daemon  2.048kB
Step 1/4 : FROM alpine:3.11.0
 ---> c85b8f829d1f
Step 2/4 : RUN apk update
 ---> Using cache
 ---> 4ccf37b4b528
Step 3/4 : RUN apk add sudo bash shadow gdb gcc libc-dev coreutils make perl automake autoconf libtool pkgconfig zlib-static zlib-dev expat-static openssl-libs-static openssl-dev
 ---> Using cache
 ---> 0a381cd69cd3
Step 4/4 : RUN echo "simon:x:1000:1000:simon,,,:/home/simon:/bin/bash" >> /etc/passwd ; echo "simon ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
 ---> Using cache
 ---> 61cd06c298c8
Successfully built 61cd06c298c8
Successfully tagged my-alpine-image:dev
0.02user 0.04system 0:00.11elapsed 58%CPU (0avgtext+0avgdata 64608maxresident)k
0inputs+8outputs (0major+7946minor)pagefaults 0swaps
simon
-rw-r--r-- 1 simon 1000 0 Jan 28 23:59 foo.txt
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
v3.11.3-19-gb3a750a9f7 [http://dl-cdn.alpinelinux.org/alpine/v3.11/main]
v3.11.3-22-gaf29099ec3 [http://dl-cdn.alpinelinux.org/alpine/v3.11/community]
OK: 11260 distinct packages available
0.02user 0.04system 0:01.01elapsed 7%CPU (0avgtext+0avgdata 64580maxresident)k
0inputs+0outputs (0major+7982minor)pagefaults 0swaps

$ ls -al foo.txt 
-rw-r--r-- 1 simon simon 0 Jan 28 15:59 foo.txt
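
Added example, not part of the original posts: the Dockerfile-generation step of the `docker build` / `--user` approach above, written as POSIX shell so the host passwd entry is selected by exact username rather than by a substring `egrep`, and so the password field is always written as `x`. The function names `passwd_entry` and `gen_dockerfile` are hypothetical; the image tag, package list and sudoers line are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names are hypothetical.

# Packages taken from the post's own docker build command.
PKGS="sudo bash shadow gdb gcc libc-dev coreutils make perl automake autoconf libtool pkgconfig zlib-static zlib-dev expat-static openssl-libs-static openssl-dev"

# Print the passwd line whose first field is exactly $1 (no substring match,
# so "simon" never also selects "simon2"). The password field is forced to
# "x" so a hash stored in a legacy passwd file cannot end up in an image layer.
# $2 is the passwd file to read (default /etc/passwd). Returns 1 if not found.
passwd_entry() {
    awk -F: -v OFS=: -v u="$1" '
        $1 == u { $2 = "x"; print; found = 1; exit }
        END     { exit(found ? 0 : 1) }
    ' "${2:-/etc/passwd}"
}

# Write a Dockerfile for that user to stdout.
gen_dockerfile() {
    user=$1
    entry=$(passwd_entry "$user" "${2:-/etc/passwd}") || {
        echo "no passwd entry for '$user'" >&2
        return 1
    }
    # The entry is placed inside single quotes in a RUN line; reject a quote.
    case $entry in
        *"'"*) echo "passwd entry contains a single quote" >&2; return 1 ;;
    esac
    cat <<EOF
FROM alpine:3.11.0
RUN apk update
RUN apk add $PKGS
RUN echo '$entry' >> /etc/passwd ; echo '$user ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
EOF
}

# Usage (needs docker, so it is left as a comment):
#   gen_dockerfile "$USER" | docker build -t my-alpine-image:dev -
#   docker run -it --user "$(id -u):$(id -g)" --rm -v "$PWD":/extern my-alpine-image:dev sh
```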