tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

Why would a process not be associated with a port when using gosu? #86

Closed rorytorneymf closed 3 years ago

rorytorneymf commented 3 years ago

Normal behavior (not using gosu)

I have a container that calls an entrypoint script that uses the gosu utility to run a specified command as a particular user if an env var is set, or else to run as root:

entrypoint.sh

#!/bin/sh
# entrypoint.sh: if RUNAS_USER is set, drop privileges via gosu before exec'ing the command;
# otherwise exec it directly (container stays root).
if [ -n "$RUNAS_USER" ]; then
    exec /usr/local/bin/gosu "$RUNAS_USER" "$@"
else
    exec "$@"
fi

When the RUNAS_USER env var is not provided (i.e. exec "$@" is executed and container is run as root), when I log into the container and run ss -nltp, I can see that processes are correctly associated with a port (look at last column):

6e9b3af868c3:/ # ss -nltp
State                                    Recv-Q                                   Send-Q                                                                     Local Address:Port                                                                       Peer Address:Port
LISTEN                                   0                                        50                                                                               0.0.0.0:39995                                                                           0.0.0.0:*                                       users:(("java",pid=7,fd=187))
LISTEN                                   0                                        128                                                                              0.0.0.0:8076                                                                            0.0.0.0:*                                       users:(("java",pid=7,fd=205))
LISTEN                                   0                                        128                                                                              0.0.0.0:8080                                                                            0.0.0.0:*                                       users:(("java",pid=7,fd=204))
LISTEN                                   0                                        50                                                                               0.0.0.0:9010                                                                            0.0.0.0:*                                       users:(("java",pid=7,fd=186))

Unexpected behavior (using gosu)

When the RUNAS_USER env var is provided (i.e. exec /usr/local/bin/gosu $RUNAS_USER "$@" is executed and the container is run as a specific user), when I log into the container and run ss -nltp, the ports are no longer associated with any process (i.e. there are no users:(("java",pid=7,fd=187)) etc. entries in the output from ss -nltp):

b13a253cd5bf:/ # ss -nltp
State                                             Recv-Q                                            Send-Q                                                                                        Local Address:Port                                                                                          Peer Address:Port
LISTEN                                            0                                                 128                                                                                                 0.0.0.0:8076                                                                                               0.0.0.0:*
LISTEN                                            0                                                 128                                                                                                 0.0.0.0:8080                                                                                               0.0.0.0:*
LISTEN                                            0                                                 50                                                                                                  0.0.0.0:9010                                                                                               0.0.0.0:*
LISTEN                                            0                                                 50                                                                                                  0.0.0.0:46613       

Problem

When a container succeeds in associating a port with an underlying process, the port is visible externally on the network. However, the above problem when using gosu means that my K8s deployment didn't set up ports externally routable to the pods of my nodeport service.

yosifkit commented 3 years ago

This oddly seems like an ss bug. If I run ss -nltp as the same user as the listening process, then it comes back with the pid. For some reason root will not gather that information.

$ docker run -it --rm tianon/network-toolbox
root@bc058746626a:/# apt update
...
root@bc058746626a:/# apt install gosu
...
root@bc058746626a:/# nc -l 4444
[... check ss in another terminal]
^C
root@bc058746626a:/# gosu nobody nc -l 4444
....

$ docker exec -it admiring_keller bash
$ # both running as root
root@bc058746626a:/# ss -nltp
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          1                    0.0.0.0:4444              0.0.0.0:*        users:(("nc",pid=325,fd=3))
$ # process running as nobody, ss as root
root@bc058746626a:/# ss -nltp
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          1                    0.0.0.0:4444              0.0.0.0:*       
$ # process still as nobody , ss as nobody
root@bc058746626a:/# gosu nobody ss -nltp
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          1                    0.0.0.0:4444              0.0.0.0:*        users:(("nc",pid=343,fd=3))
root@bc058746626a:/# exit
$ # process still as nobody , ss as nobody
$ docker exec -it --user nobody admiring_keller bash
nobody@bc058746626a:/$ ss -nltp
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          1                    0.0.0.0:4444              0.0.0.0:*        users:(("nc",pid=343,fd=3))
nobody@bc058746626a:/$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   4764  4124 pts/0    SNs  16:42   0:00 bash --login -i
nobody       343  0.0  0.0   3204   864 pts/0    SN+  16:45   0:00 nc -l 4444
nobody       369  0.0  0.0   3872  3152 pts/1    SNs  16:50   0:00 bash
nobody       377  0.0  0.0   7644  2708 pts/1    RN+  16:54   0:00 ps aux
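The transcript above shows the socket row surviving while the users:(...) column disappears. To tell "no process owns this port" apart from "the process exists but its file descriptors could not be inspected", the following added example (not code from gosu or from anyone in this thread) redoes the association step that ss -p performs: read the LISTEN rows from /proc/net/tcp and /proc/net/tcp6, then walk /proc/<pid>/fd/* looking for socket:[inode] links. Unlike ss, it records every pid whose fd links returned EACCES; the kernel only resolves another process's fd links for a caller that passes the ptrace read check (same uid, or CAP_SYS_PTRACE in the target's user namespace), which is the first thing to verify when root inside a container cannot see a lower-privileged listener. The SAMPLE_TCP and SAMPLE_TCP6 strings are constructed inputs in the /proc format, not captures from the issue; the pids and inodes in them are made up.

```python
"""Added example: reproduce the socket-to-process step of `ss -nltp`, and
report which pids could not be inspected instead of silently dropping them."""
import os
import re
import socket
import struct
from typing import Dict, List, Optional, Tuple

TCP_LISTEN = "0A"                            # state column value for LISTEN
_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

# Constructed /proc/net/tcp sample: one LISTEN socket on 0.0.0.0:4444 (0x115C)
# owned by uid 65534 (nobody) plus one ESTABLISHED row that must be ignored.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000 65534        0 19871 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:D57A 01 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 20 4 30 10 -1
"""
# Constructed /proc/net/tcp6 sample: [::1]:8080 (0x1F90) in LISTEN, owned by root.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
"""


def _hex_addr_to_ip(addr_hex: str) -> str:
    """Kernel hex address -> text. IPv4 is one little-endian 32-bit word,
    IPv6 is four little-endian 32-bit words."""
    words = [int(addr_hex[i:i + 8], 16) for i in range(0, len(addr_hex), 8)]
    if len(words) == 1:
        return socket.inet_ntoa(struct.pack("<I", words[0]))
    return socket.inet_ntop(socket.AF_INET6, struct.pack("<4I", *words))


def parse_listeners(proc_net_tcp_text: str) -> List[dict]:
    """Return the LISTEN rows of a /proc/net/tcp{,6} dump as ip/port/uid/inode."""
    rows = []
    for line in proc_net_tcp_text.splitlines()[1:]:    # first line is the header
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        rows.append({"ip": _hex_addr_to_ip(addr_hex), "port": int(port_hex, 16),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_inode(link_target: str) -> Optional[int]:
    """'socket:[19871]' -> 19871; any other fd link target -> None."""
    m = _SOCKET_LINK.match(link_target)
    return int(m.group(1)) if m else None


def scan_fd_tables(proc_root: str = "/proc") -> Tuple[Dict[int, List[Tuple[int, int]]], List[int]]:
    """Map socket inode -> [(pid, fd)], and list pids whose fd links raised
    PermissionError (readlink on /proc/<pid>/fd/N requires ptrace read access)."""
    owners: Dict[int, List[Tuple[int, int]]] = {}
    denied: List[int] = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid, fd_dir = int(name), os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except PermissionError:
            denied.append(pid)
            continue
        except FileNotFoundError:            # process exited mid-scan
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except PermissionError:
                denied.append(pid)
                break
            except OSError:                   # fd closed mid-scan
                continue
            ino = socket_inode(target)
            if ino is not None:
                owners.setdefault(ino, []).append((pid, int(fd)))
    return owners, denied


def attach_owners(listeners: List[dict], owners: Dict[int, List[Tuple[int, int]]]) -> List[dict]:
    """Add a 'users' list to each listener; empty when no readable fd link matched."""
    for s in listeners:
        s["users"] = owners.get(s["inode"], [])
    return listeners


def report(proc_root: str = "/proc") -> Tuple[List[dict], List[int]]:
    """Live run against the real /proc: listeners with owners, plus denied pids."""
    listeners: List[dict] = []
    for path in ("net/tcp", "net/tcp6"):
        try:
            with open(os.path.join(proc_root, path)) as fh:
                listeners += parse_listeners(fh.read())
        except FileNotFoundError:
            pass
    owners, denied = scan_fd_tables(proc_root)
    return attach_owners(listeners, owners), denied


if __name__ == "__main__":
    socks, denied = report()
    for s in socks:
        who = ",".join(f"pid={p},fd={fd}" for p, fd in s["users"]) or "<no readable owner>"
        print(f"{s['ip']}:{s['port']}  uid={s['uid']}  {who}")
    if denied:
        print("fd links not readable (ptrace access denied) for pids:", sorted(set(denied)))
```

Run it as the same user that sees the gap in ss: an empty users list together with the listener's pid in the denied list means the port is owned, and the socket is still reachable from the network exactly as before; only the observer lacks permission to prove it. A port with an empty users list and no denied pids is the case worth alarming on.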