rocker-org / rocker-versioned2

Run current & prior versions of R using docker. rocker/r-ver, rocker/rstudio, rocker/shiny, rocker/tidyverse, and so on.
https://rocker-project.org
GNU General Public License v2.0

No RStudio User #844

Closed Tianmaru closed 3 months ago

Tianmaru commented 3 months ago

When I start an RStudio Server Docker container via docker run --rm -ti -p 8787:8787 rocker/rstudio, it apparently deletes the rstudio user. Although the website instructs to log in as user rstudio with the generated password, the login is only possible as root:

$ docker run --rm -p 8787:8787 rocker/rstudio
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_set_env: executing... 
skipping /var/run/s6/container_environment/HOME
skipping /var/run/s6/container_environment/RSTUDIO_VERSION
[cont-init.d] 01_set_env: exited 0.
[cont-init.d] 02_userconf: executing... 
Assuming the container runs under rootless mode
Under rootless mode,
 - You will log in using 'root' as user
 - You will have root privileges within the container (e.g. apt)
 - The files you create as root on mounted volumes will appear at the host as owned by the user who started the container
 - You can't modify host files you don't have permission to
 - You should NOT run in RUNROOTLESS=true if you are using the container with privileges (e.g. sudo docker run... or sudo podman run...)

tput: No value for $TERM and no -T specified
The password is set to iwaechaihie3otoG
If you want to set your own password, set the PASSWORD environment variable. e.g. run with:
docker run -e PASSWORD=<YOUR_PASS> -p 8787:8787 rocker/rstudio
tput: No value for $TERM and no -T specified

setting minimum authorised user to 0 (RUNROOTLESS=true)
deleting the default user (rstudio) since it is not needed.
No sudoers changes needed when running rootless
[cont-init.d] 02_userconf: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

When running the container in interactive mode, an error message about the missing user rstudio is shown when attempting to login:

2024-08-13T15:11:17.566786Z [rserver] ERROR system error 2 (No such file or directory) [description: User not found., user-value: rstudio, description: Error converting userIdentifier to username]; OCCURRED AT rstudio::core::Error rstudio::core::system::User::Impl::populateUser(rstudio::core::system::User::Impl::GetPasswdFunc<T>&, T) [with T = const char*  rstudio::core::system::User::Impl::GetPasswdFunc<T> = std::function<int(const char*, passwd*, char*, long unsigned int, passwd**)>] src/cpp/shared_core/system/User.cpp:94; LOGGED FROM: std::string rstudio::server::auth::common::userIdentifierToLocalUsername(const string&) src/cpp/server/auth/ServerAuthCommon.cpp:473
rserver-pam[365]: pam_unix(rstudio:auth): check pass; user unknown
rserver-pam[365]: pam_unix(rstudio:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 

I had to add -e RUNROOTLESS=false to be able to log in with rstudio. I think this should be mentioned on the website.

benz0li commented 3 months ago

IMHO this means that either

or

[^1]: "userns-remap": "default" set in /etc/docker/daemon.json

@Tianmaru What you describe is the expected behaviour – for both cases.

benz0li commented 3 months ago

If one does not set RUNROOTLESS to either true or false, 'Rootless mode'/'userns-remap mode' is auto-detected: https://github.com/rocker-org/rocker-versioned2/blob/1cda649c277a11f3989e74670706b290a3226e30/scripts/init_userconf.sh#L13-L17

This is all by design (thanks to @zeehio) and works as intended.
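Added example, not part of the thread and not the project's init_userconf.sh: one way to tell from a uid_map file (the format of /proc/self/uid_map) whether root inside the container is host root or a remapped, unprivileged host UID, which is the distinction behind the rootless and userns-remap cases discussed above. The function names and the sample maps are constructed for illustration; how the rocker script itself performs its auto-detection is not shown on this page.

```shell
#!/bin/sh
# Added example (not rocker's init_userconf.sh).
# uid_map line format: "<id-inside-ns> <id-outside-ns> <count>".

# Print the outside (host-side) UID that inside UID 0 maps to, or "unmapped".
host_uid_of_root() {
    awk 'NF == 3 && $1 == 0 && $3 >= 1 { print $2; found = 1; exit }
         END { if (!found) print "unmapped" }' "$1"
}

# Print "initial" when the map is the identity over the full 32-bit range
# (no user-namespace remapping in effect), otherwise "remapped".
userns_kind() {
    awk 'NF == 3 && $1 == 0 && $2 == 0 && $3 == 4294967295 { id = 1 }
         END { print (id ? "initial" : "remapped") }' "$1"
}

# Summarise what uid 0 inside the namespace corresponds to outside it.
describe_root() {
    if [ "$(userns_kind "$1")" = "initial" ]; then
        echo "rootful: container uid 0 is host uid 0"
    else
        echo "remapped: container uid 0 is host uid $(host_uid_of_root "$1")"
    fi
}

# Constructed sample maps (typical shapes, not captured from a real host).
demo_dir=$(mktemp -d)
printf '         0          0 4294967295\n' > "$demo_dir/rootful"
printf '         0       1000          1\n         1     100000      65536\n' \
    > "$demo_dir/rootless"
printf '         0     100000      65536\n' > "$demo_dir/userns_remap"

for f in rootful rootless userns_remap; do
    printf '%-13s %s\n' "$f:" "$(describe_root "$demo_dir/$f")"
done

# On Linux, also report the map of the current process.
if [ -r /proc/self/uid_map ]; then
    printf '%-13s %s\n' "this process:" "$(describe_root /proc/self/uid_map)"
fi
```

In the two remapped cases, a login as root in the container acts on the host with the privileges of the unprivileged UID shown, so files on mounted volumes are limited by that UID's permissions.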

zeehio commented 3 months ago

Hi @Tianmaru,

Docker by default is installed in root mode, meaning that you must have root permissions to run containers.

You can set up docker in rootless mode to be able to run containers as a regular user in a safe way. Apparently you did that (great!). It would be nice to know if you are aware of that setup.

When you run docker in rootless mode, your containers appear to run under the root user, which is mapped to your actual user at the docker host. That's why in that scenario you should log in as root and not as rstudio.

The rocker image detects it is running in rootless mode, and reports to you that you should be using the root user:

Under rootless mode,
 - You will log in using 'root' as user

My proposal would be to clarify the paragraph in the website:

Current:

The non-root default user rstudio is set up as RStudio Server user, so please enter the username rstudio and a randomly generated password which is displayed in the console to the RStudio login form.

Proposed:

The non-root default user rstudio is set up as RStudio Server user, so please enter the username rstudio and a randomly generated password which is displayed in the console to the RStudio login form. If your container system runs rootless, you will have to use the root user to log in. In this case the privileges of the root user in the container are already bounded by your regular user permissions in the host system.

@Tianmaru, do you think this change would address your issue?

Thanks!

Tianmaru commented 3 months ago

Sorry, it seems like I wasted your time due to my lack of experience with docker - yes, docker is indeed running in rootless mode, so everything is working as expected. However, I think the proposed change of the website helps to clarify the login situation nonetheless. Thank you!

zeehio commented 3 months ago

> Sorry, it seems like I wasted your time due to my lack of experience with docker - yes, docker is indeed running in rootless mode, so everything is working as expected. However, I think the proposed change of the website helps to clarify the login situation nonetheless. Thank you!

I liked your issue because (1) it helps clarify the documentation and (2) it shows rootless docker works quite well with rocker images. Thanks for reporting this!