Option to disable uid=0 check
silverwind opened this issue · comments
Inside Docker containers it's often unavoidable/necessary to run processes as uid 0 but this module stubbornly refuses to run as uid 0.
I've monkey-patched the module to remove that check and everything seems to work fine so far so I'd suggest having an option like --allow-root or better yet, remove this opinionated check.
Do you meet any issue when running snmpsim in docker?
It will refuse to run inside Docker as root at all with the Must drop privileges error. After I patched out that check, it runs just fine.
I run snmpsim inside a CI environment which always runs its jobs as uid=0 and I tried the --process-user=nobody and --process-group=nogroup arguments but then I ran into tempfiles permission errors (presumably fixed by e9e1d5b but not released), so I gave up and patched out that check.
Can you try with the master edition?
Regardless of whether master works or not, I think the uid check needs to go or be disableable.
I totally understand what you are concerned about, but, rather than fixing the issue by talking, I would say each layer has different specs to consider. A note on the steps I took as a workaround:
- requirements.txt for docker
snmpsim @ https://github.com/etingof/snmpsim/zipball/master
- Dockerfile
# Pull base image
FROM python:3.9.0-alpine3.12
MAINTAINER authoer@gmail.com
# Set environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1
# Update
RUN apk update && apk upgrade
RUN apk add build-base gcc
# set work directory
RUN mkdir /usr/test
# copy project
COPY ./requirements.txt /usr/test/requirements.txt
WORKDIR /usr/test
# install dependencies
RUN pip install --no-cache-dir --upgrade pip
# RUN pip install --no-cache-dir -U -r requirements-git.txt
RUN pip install --no-cache-dir -U -r requirements.txt
# Cleanup
RUN rm -rf /var/cache/apk/* /root/.node-gyp /usr/share/man /tmp/*
- build then run the container with
docker run snmpsim /bin/sh -c "snmpsim-command-responder --process-user=nobody --process-group=nogroup --agent-udpv4-endpoint=127.0.0.1:1024"
and
docker run snmpsim /bin/sh -c "snmpsim-command-responder --process-user=root --process-group=root --agent-udpv4-endpoint=127.0.0.1:1024"
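Added example, not part of this thread and not snmpsim's code: a sketch of how a uid 0 check of this kind and the drop behind --process-user/--process-group typically fit together. It also shows why naming root as the target satisfies the check without dropping anything. The function names and the allow_root parameter (modelled on the --allow-root option suggested above) are assumptions.

```python
import grp
import os
import pwd


class PrivilegeError(RuntimeError):
    """Raised when the process would keep, or fails to shed, uid 0."""


def plan_privilege_drop(euid, user=None, group=None, allow_root=False):
    """Return the ordered (os_call, argument) steps for a privilege drop.

    Pure apart from the passwd/group lookups, so it can be exercised
    without being root. allow_root is a hypothetical opt-in flag.
    """
    if euid != 0:
        return []  # already unprivileged: nothing to drop
    if not user or not group:
        if allow_root:
            return []  # caller explicitly accepted running as uid 0
        raise PrivilegeError("running as uid 0: name a user and group to drop to")
    uid = pwd.getpwnam(user).pw_uid   # KeyError if the account does not exist
    gid = grp.getgrnam(group).gr_gid  # KeyError if the group does not exist
    # Order matters: supplementary groups and gid must change while the
    # process is still root; setuid() comes last because it is irreversible.
    return [("setgroups", [gid]), ("setgid", gid), ("setuid", uid)]


def apply_plan(steps, osmod=os):
    """Execute the steps, then confirm the identity the process ended up with."""
    for call, arg in steps:
        getattr(osmod, call)(arg)
    if steps:
        want_uid, want_gid = steps[-1][1], steps[1][1]
        if (osmod.geteuid(), osmod.getegid()) != (want_uid, want_gid):
            raise PrivilegeError("privilege drop did not take effect")
    return osmod.geteuid(), osmod.getegid()


if __name__ == "__main__":
    # Safe to run as any user: prints the plan and changes nothing.
    print(plan_privilege_drop(os.geteuid(), allow_root=True))
```

With the root account and root group as the target, the plan's last step is setuid(0): the check passes, but the process keeps full privileges.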
I use poetry and have snmpsim as a devDependency like
[tool.poetry.dev-dependencies]
snmpsim = "^0.4.7"
I guess I can try changing that to point to github master and try the uid/gid workaround, but it's just that, a workaround. I'm of the strong opinion that such uid checks have no place in a module like this.
I'm aware that it's dangerous to run stuff as root, but I accept that risk because my CI environment does not offer any other option and it's not inherently unsafe because it runs in an isolated container.
I agree with silverwind, the workaround is completely non-obvious, who would have thought you can provide root to process-user. I've spent a day messing with the permissions until I stumbled upon this issue.
https://github.com/lextudio/snmpsim has removed this uid check, so I'll be using that.
Seems I mislooked and snmpsim-lextudio still features this stupid uid check, so I'm back to monkey-patching.
Reason I have to do it is I'm running inside a specific CI environment where it's not easy to drop privileges like it would in plain docker. moby/moby#2259 is also a dependency.