accetto / ubuntu-vnc-xfce-g3

Headless Ubuntu/Xfce containers with VNC/noVNC (G3v6).
MIT License

Container exiting when extending image with packages which modify /etc/group #51

Closed doerofthedo closed 1 year ago

doerofthedo commented 1 year ago

It seems that there is a bug in the build script, which creates duplicate entries for the user group, e.g.:

users:x:100:         <--------
nogroup:x:65534:
messagebus:x:101:
i2psvc:x:102:
users:x:1000:       <--------

Whenever a package such as i2p or software-properties-common, which modifies the /etc/group file by adding specific groups, is installed within an extended image, the /etc/group file is corrected and the duplicate users:x:1000: entry is removed (only gid 100 remains, which is not correct), in turn causing the container to exit in the entrypoint script (permission denied, as everything is owned by root).

The workaround for now is to add the following lines to the extending Dockerfile after installing the above-mentioned packages.

RUN echo 'users:x:1000:' >> /etc/group
RUN chown -R 1000:1000 ~
RUN chown -R 1000:1000 /dockerstartup

accetto commented 1 year ago

Hello @doerofthedo,

thank you very much for your feedback.

However, now we're in the realm of classical philosophy: A bug or a feature? :-)

It's unfortunately the consequence of the fact that the user container configuration is not finalized until the first container start. I went with this solution because I also wanted to allow user group overriding. You would not have the problem if you installed the package software-properties-common in the running container.

Anyhow, you've nicely spotted this weakness and I'm really grateful to you. I'll definitely try to improve it.

Unfortunately, it won't be so quick, because I have to think about it first and then also test it carefully. What's more, I'm currently quite busy with the first User Guide release.

You can use the following solution to fix the issue:

FROM accetto/ubuntu-vnc-xfce-g3:latest

USER 0

# DEBIAN_FRONTEND has to be set on the install command to suppress prompts
RUN \
    apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        software-properties-common \
    && apt-get -y autoremove \
    && rm -rf /var/lib/apt/lists/*

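### FIX
# Keep the account files writable for the non-root startup script, which
# finalizes the user and group on the first container start and then sets
# the "proper" permissions again
RUN chmod 666 /etc/passwd /etc/group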

USER "${HEADLESS_USER_ID}"

You can build the test image and container using the following Compose file:

# docker compose -f issue51.yml -p issue51 up -d
# docker compose -f issue51.yml -p issue51 down --rmi all

services:
  ubuntu:
    build:
      context: .
      dockerfile: issue51.Dockerfile
    image: issue51:ubuntu
    container_name: issue51-ubuntu
    hostname: issue51-ubuntu
    environment:
      - VNC_PW=
      - VNC_RESOLUTION=1024x768
    ports:
      - "45901:5901"
      - "46901:6901"

Note that the startup script will set the "proper" permissions of /etc/passwd and /etc/group on the first container start.

You can test it in the container by executing $HOME/tests/test-01.sh. It should look like this:

+ id
uid=1000(headless) gid=1000(headless) groups=1000(headless)
+ ls -l /etc/passwd /etc/group
-rw-r--r-- 1 root root  550 Jun 22 14:48 /etc/group
-rw-r--r-- 1 root root 1193 Jun 22 13:26 /etc/passwd
+ tail -n2 /etc/passwd
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+ tail -n2 /etc/group
systemd-resolve:x:104:
headless:x:1000:
+ ls -ld /dockerstartup /home /home/headless
drwxr-xr-x 1 headless headless 4096 Jun 22 14:48 /dockerstartup
drwxr-xr-x 1 root     root     4096 Apr 24 08:52 /home
drwxr-xr-x 1 headless headless 4096 Jun 22 14:48 /home/headless
+ ls -l /dockerstartup
total 56
-rw-r--r-- 1 headless headless 3090 Mar 18  2021 help.rc
-rw-r--r-- 1 headless headless  449 Jun 22 14:48 novnc.log
-rw-r--r-- 1 headless headless 6721 Oct  4  2022 parser.rc
-rwxr--r-- 1 headless headless  872 Feb 16 17:43 set_user_permissions.sh
-rwxr-xr-x 1 headless headless 4778 Mar 24 09:42 startup.sh
-rw-r--r-- 1 headless headless 4010 Mar 24 09:42 user_generator.rc
-rwxr--r-- 1 headless headless 5216 Feb 17 18:16 version_of.sh
-rwxr--r-- 1 headless headless 3336 Mar  7 17:19 version_sticker.sh
-rw-r--r-- 1 headless headless 1255 Jun 22 14:48 vnc.log
-rw-r--r-- 1 headless headless 4958 Mar 19 14:10 vnc_startup.rc
+ mkdir -p /home/headless/new-dir
+ touch /home/headless/new-file
+ ls -l /home/headless
total 56
drwxr-xr-x 1 headless headless 4096 Apr 24 09:08 Desktop
drwxr-xr-x 2 headless headless 4096 Jun 22 14:48 Documents
drwxr-xr-x 2 headless headless 4096 Jun 22 14:48 Downloads
drwxr-xr-x 2 headless headless 4096 Jun 22 14:48 Music
drwxr-xr-x 2 headless headless 4096 Jun 22 14:48 Pictures
drwxr-xr-x 2 headless headless 4096 Jun 22 14:48 Public
drwxr-xr-x 2 headless headless 4096 Jun 22 14:48 Templates
drwxr-xr-x 2 headless headless 4096 Jun 22 14:48 Videos
drwxr-xr-x 2 headless headless 4096 Jun 22 14:48 new-dir
-rw-r--r-- 1 headless headless    0 Jun 22 14:49 new-file
-rw-r--r-- 1 headless headless  185 Mar 18  2021 readme.md
-rw-r--r-- 1 headless headless 1426 Jun 22 14:49 test-01.log
drwxr-xr-x 1 headless headless 4096 Apr 24 09:08 tests

Hopefully it'll help also with the other software you're trying. Please let me know.

Regards, accetto
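
A build-time check for the two conditions discussed in this thread, a group name listed more than once in /etc/group and account files left world-writable. This is an added example, not part of the original comments or of the project's scripts; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the project): audit group(5)/passwd(5) files in an
# extended image for the two conditions discussed in this issue.

# Print "name gid,gid,..." for every group name that occurs more than once.
dup_group_names() {
    awk -F: 'NF >= 3 {
                 count[$1]++
                 gids[$1] = (count[$1] == 1) ? $3 : gids[$1] "," $3
             }
             END { for (g in count) if (count[g] > 1) print g, gids[g] }' "$1" | sort
}

# Succeed if the file's mode has the "other write" bit set (e.g. 666).
is_world_writable() {
    case "$(ls -ldL "$1")" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report findings for a group file and a passwd file; return 1 if any.
audit_account_files() {
    group_file=$1 passwd_file=$2 findings=0
    dups=$(dup_group_names "$group_file")
    if [ -n "$dups" ]; then
        echo "duplicate group names in $group_file: $dups"
        findings=1
    fi
    for f in "$group_file" "$passwd_file"; do
        if is_world_writable "$f"; then
            echo "world-writable: $f"
            findings=1
        fi
    done
    return "$findings"
}

# Constructed sample reproducing the /etc/group excerpt from the issue.
demo_dir=$(mktemp -d)
printf '%s\n' 'users:x:100:' 'nogroup:x:65534:' 'messagebus:x:101:' \
    'i2psvc:x:102:' 'users:x:1000:' > "$demo_dir/group"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' > "$demo_dir/passwd"
chmod 666 "$demo_dir/group" "$demo_dir/passwd"   # state after the build-time fix
audit_account_files "$demo_dir/group" "$demo_dir/passwd" || echo "findings reported"
```

Run against the real /etc/group and /etc/passwd after the package installation step, the duplicate check shows whether the image is in the state the issue describes. In an image built with the chmod 666 fix, the world-writable finding is expected at build time and should be gone after the first container start.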

doerofthedo commented 1 year ago

Thank you, @accetto, for all the hard work you do to maintain this repo! Now that the workaround is clear, there is no urgent problem anymore. Just to let you know that we use this repo for teaching purposes, adding Apache Guacamole as a front-end and extending the image with various tools to be taught.

accetto commented 1 year ago

Thank you @doerofthedo, I'm glad to be helpful.