nestybox / sysbox

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
Apache License 2.0

lsof showing lots of `lsof: no pwd entry for UID 165536` messages when a sysbox-runc container is running #260

Closed nudgegoonies closed 3 years ago

nudgegoonies commented 3 years ago
lsof: no pwd entry for UID 165536

As far as I understood, this only means that there is no passwd/group entry for this user ID. This is wanted to prevent mapping to users/groups on the host, right?

ctalledo commented 3 years ago

Hi @nudgegoonies , can you provide a bit more context please? E.g., how do you create the container, what lsof command you are running, and whether you are running the lsof on the host or inside the container.

ctalledo commented 3 years ago

As far as I understood, this only means that there is no passwd/group entry for this user ID.

Looks like it.

This is wanted to prevent mapping to users/groups on the host, right?

Sysbox maps the root user in the container to an unprivileged host user-ID (e.g., 165536), via the Linux user-namespace.

User 165536 will not have an entry in the host's password file, so the lsof error may be related to this.

nudgegoonies commented 3 years ago

Thank you very much for your answers. I am running a docker:dind container:

docker run --name docker-dind --restart=always -v docker-dind:/var/lib/docker -d docker:dind

The lsof runs on the host. No other container is running. I was searching for something completely different when I found this. There are lots of these messages in the output of lsof:

lsof 2>&1 | grep 'no pwd entry for' | wc -l
2558

Maybe it is worth mentioning in the documentation to inform users that this is expected. I don't think many users stumble on it.

ctalledo commented 3 years ago

Got it, thanks; I'll see if I can fit this within the docs, though it's not so much a Sysbox-specific thing but rather a more general behavior of lsof interacting with user-IDs associated with Linux user-namespace mappings.

ctalledo commented 3 years ago

Did not find a good place to put it in our docs; best course of action is to document it via this issue in case future users have the same query.

Closing the issue since there is no action item pending.

ctalledo commented 3 years ago

FYI, we can use `lsof -l` on the host to inhibit the conversion of user IDs to names in the lsof output, thus preventing the "no pwd entry for" message.
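Added example, not from the issue thread or the Sysbox project: a small shell script that reproduces the lookup lsof performs (numeric UID to a name via the passwd database) and the reverse lookup a practitioner would do by hand (host UID back to the UID the container sees via the user-namespace `uid_map`). It illustrates both the explanation above (host UID 165536 has no passwd entry because it is the user-namespace image of in-container root) and the `lsof -l` workaround. The passwd and uid_map contents are constructed sample data, and the function names are my own; on a real host you would read `/etc/passwd` and `/proc/<container-init-pid>/uid_map` instead.

```shell
#!/usr/bin/env bash
# Added example (not sysbox project code). Shows why lsof on the host prints
# "no pwd entry for UID 165536" for a sysbox container, and how the UID maps
# back to root inside the container.
#
# ASSUMPTIONS: the uid_map and passwd contents below are constructed samples,
# shaped like /proc/<pid>/uid_map and /etc/passwd respectively.

# Constructed sysbox-style user-namespace mapping.
# /proc/<pid>/uid_map format: <ns-start-uid> <host-start-uid> <count>
SAMPLE_UID_MAP='0 165536 65536'

# Constructed host passwd: note there is no entry whose uid is 165536.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Resolve a numeric uid to a login name, as lsof does without -l.
# Prints the name on a hit; on a miss prints the lsof-style message and
# returns 1.  $2 optionally overrides the passwd contents (defaults to sample).
uid_to_name() {
  local uid=$1 passwd=${2:-$SAMPLE_PASSWD} name
  name=$(printf '%s\n' "$passwd" | awk -F: -v u="$uid" '$3 == u { print $1; exit }')
  if [ -n "$name" ]; then
    printf '%s\n' "$name"
    return 0
  fi
  printf 'no pwd entry for UID %s\n' "$uid"
  return 1
}

# Translate a host uid into the uid seen inside the user namespace described
# by a uid_map.  Prints the in-namespace uid, or "unmapped" (return 1) when
# the host uid falls outside every mapped range.
host_uid_to_ns_uid() {
  local host_uid=$1 uid_map=${2:-$SAMPLE_UID_MAP}
  printf '%s\n' "$uid_map" | awk -v h="$host_uid" '
    $3 > 0 && h >= $2 && h < $2 + $3 { print $1 + (h - $2); found = 1; exit }
    END { if (!found) { print "unmapped"; exit 1 } }'
}

# Demo: what the host sees vs. what the container sees for uid 165536.
demo() {
  echo "host-side name lookup for 165536 (what lsof does by default):"
  uid_to_name 165536 || echo "  -> this is the line lsof prints; 'lsof -l' skips the lookup"
  echo "same uid translated through the container's uid_map:"
  echo "  host 165536 -> container uid $(host_uid_to_ns_uid 165536) (root in the container)"
  echo "  host 1000   -> container uid $(host_uid_to_ns_uid 1000 || true) (not visible in the container)"
}

demo
```

On a live host the equivalent checks are `awk -F: '$3 == 165536' /etc/passwd` (expect no output) and `cat /proc/$(docker inspect --format '{{.State.Pid}}' docker-dind)/uid_map`, whose first line should show the 0-to-165536 mapping; `lsof -l` then gives the same listing with numeric UIDs and none of the warnings.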