akamai/shell Docker image throws segfault error when run as a non-existent uid

[joshjohnson]

When running in a Jenkins Pipeline, the akamai/shell image results in a segfault error. I was able to replicate for a simple command of akamai help.

Jenkins provides a -u option of a user that does not exist when executing the docker command.

I believe that the issue is related to https://issues.jenkins-ci.org/browse/JENKINS-38438

A minimal Jenkins pipeline file to replicate the issue is

pipeline {
  agent {
    docker { image 'akamai/shell' }
  }
  stages {
    stage('Debug') {
      steps {
        sh 'akamai help'
      }
    }
  }
}

The behavior can be replicated outside of Jenkins with the command:

docker run -it --rm --name test1 -u 1875:1875 akamai/shell akamai help
                ___    __                         _
               /   |  / /______ _____ ___  ____ _(_)
              / /| | / //_/ __ `/ __ `__ \/ __ `/ /
             / ___ |/ ,< / /_/ / / / / / / /_/ / /
            /_/  |_/_/|_|\__,_/_/ /_/ /_/\__,_/_/
===============================================================
=  Welcome to the Akamai Docker Image                         =
===============================================================
=  Project page:                                              =
=  https://github.com/akamai/akamai-docker                    =
===============================================================
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x158 pc=0x90682e]

goroutine 1 [running]:
main.saveConfig(0xa25cf5, 0x3)
    /go/src/github.com/akamai/cli/config.go:82 +0xee
main.getAkamaiCliCachePath(0xa2bef8, 0x12, 0xa26414, 0x5)
    /go/src/github.com/akamai/cli/util.go:77 +0x16a
main.main()
    /go/src/github.com/akamai/cli/akamai.go:37 +0x85

[ynohat]

Proposing the following :

• include an entrypoint script in the cli image, that
• checks if current uid/gid combo is not root
• if not, creates the user/group, with home set to /root
• uses a simple setuid root script to chown -R the /root dir and the $AKAMAI_CLI_HOME dir to the current uid/gid
• finally, executes the requested command or bash, as is done currently by the images

This should gracefully handle the jenkins case. There is oddity in using the /root dir as the user's home, but if it works it will avoid a breaking change. It will break if the entrypoint is overridden; it seems fair to assume that it is the caller's responsibility in that case.

@lukaszczerpak @joshjohnson any thoughts about this approach?

[lukaszczerpak]

I am not sure what would be the best approach here, but am gonna experiment with it next week.

[lukaszczerpak]

Root cause of the ugly error is that CLI wants to add missing cache-dir option to the config file but has no permissions to do it. As a result it throws an exception. When the option is present, then akamai help works fine even when executed as non-root user. This is currently fixed in dev (https://github.com/akamai/akamai-docker/compare/fix/missing-cachedir-in-config) and updated images should be available very soon.

Long term, we should better support non-root scenario as the above might not be enough. Here is what I think we need to properly handle such scenario:

• create a new VOLUME /workdir and use it as WORKDIR (base image)
• chmod 0777 /cli/.akamai-cli/cache (cli image)