The question:
I’m playing around with docker and db2 but I’m getting into trouble when I try to execute commands as user db2inst1 in a running container. I start the container as (it is 1 line but I split it up for readability):
docker run -itd --name mydb2 --privileged=true -p 50000:50000
-e LICENSE=accept
-e DB2INST1_PASSWORD=pelle_paltnacke
--mount type=volume,dst=${backupdir},volume-driver=local,volume-opt=type=nfs,"volume-opt=o=nfsvers=4,addr=${addr}",volume-opt=device=:${device}
-v /etc/passwd:/etc/passwd
-v /etc/group:/etc/group
-v /opt/nya/users/db2inst1:/opt/nya/users/db2inst1
-v /home/system/db2fenc1/:/home/system/db2fenc1/ ibmcom/db2
Now, if I try to do:
docker exec --user db2inst1 -ti mydb2 bash -c "cat /etc/passwd | grep db2inst1"
unable to find user db2inst1: no matching entries in passwd file
As root there is no problem:
docker exec -ti mydb2 bash -c "cat /etc/passwd | grep db2inst1"
db2inst1:x:422:422:DB2 Instance Administrator 1:/opt/nya/users/db2inst1:/bin/bash
and also --user root works fine:
docker exec --user root -ti mydb2 bash -c "cat /etc/passwd | grep db2inst1"
db2inst1:x:422:422:DB2 Instance Administrator 1:/opt/nya/users/db2inst1:/bin/bash
So I tried with the uid from the mounted passwd file:
docker exec --user 422 -ti mydb2 bash -c "cat /etc/passwd | grep db2inst1"
db2inst1:x:422:422:DB2 Instance Administrator 1:/opt/nya/users/db2inst1:/bin/bash
/etc/passwd is readable for everyone. Anyhow, using the uid does not get me far:
docker exec --user 422 -ti mydb2 bash -c "db2licm -l"
bash: db2licm: command not found
so I try with:
docker exec --user 422 -ti mydb2 bash -c "whoami; . ~db2inst1/sqllib/db2profile; db2licm -l"
db2inst1
bash: /opt/nya/users/db2inst1/sqllib/adm/db2licm: Permission denied
This is just a couple of commands I ran to demonstrate the problem. Does anyone have an explanation as to why --user db2inst1 is not able to execute them?
FWIW, I tried without the nfs-mount but I get the same behaviour.
The container itself seems to be working alright. If I spin up the container as above and:
#> docker exec -ti mydb2 bash
[[email protected] /]# mkdir -p /data/db/db2
[[email protected] /]# chown db2inst1:db2iadm1 /data/db/db2/
[[email protected] /]# su - db2inst1
[[email protected] ~]$ cd /data/backup/db2/wb11/MD000I11/
[[email protected] MD000I11]$ db2 "restore db MD000I11 incremental auto taken at 20220307141244 to /data/db/db2 into WD000I11"
DB20000I The RESTORE DATABASE command completed successfully.
EDIT: An interesting observation is:
docker exec --user 422 -ti mydb2 bash -c "id"
uid=422(db2inst1) gid=0(root) groups=0(root)
docker exec --user 422:422 -ti mydb2 bash -c "id"
uid=422(db2inst1) gid=422(db2iadm1) groups=422(db2iadm1)
docker exec --user 422:422 -ti mydb2 bash -c "whoami; . ~db2inst1/sqllib/db2profile; db2licm -l"
db2inst1
Product name: "DB2 Community Edition"
License type: "Community"
...
Unfortunate:
docker exec --user db2inst1:db2iadm1 -ti mydb2 bash -c "id"
unable to find user db2inst1: no matching entries in passwd file
The Solutions:
Method 1
The problem seems to be unrelated to the Db2 container. I created a Dockerfile with:
FROM registry.access.redhat.com/ubi8/ubi:8.5
as its only content and could repeat the phenomenon. I even removed everything but the mount of /etc/passwd and /etc/group, but --user still fails.
It looks as if --user X becomes uid 1000 in the container, regardless of what username X is; what uid X has in /etc/passwd does not seem to be taken into consideration.
The two options I tried to get around this problem are:
Create a “dummy” user in the Dockerfile:
FROM ibmcom/db2
RUN groupadd --gid 422 db2iadm1
RUN useradd -u 422 -g db2iadm1 db2inst1
...
Or use the uid as an argument to --user:
docker exec --user 422:422 -ti mydb2 bash --login -c "db2licm -l"
Here I used --login to set up the correct environment.
Using podman should remove much of the hassle I guess
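The second workaround above (passing numeric ids) is the one that works without rebuilding the image, but the question's `id` output shows the trap: `--user 422` alone lands the process in gid 0 (the root group), and supplementary groups are not picked up at all. The following added example, which is not part of the original question or answer, resolves a username to the `uid:gid` form against the passwd and group files you are actually bind-mounting, adds `--group-add` for each supplementary group found there, and prints the resulting `docker exec` command. The passwd/group contents are constructed to mirror the entries shown in the question (the db2fenc1 line and the extra group memberships are assumptions for illustration); `PASSWD_FILE`/`GROUP_FILE` default to temporary copies so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Resolves a user to the numeric
# "uid:gid" that `docker exec --user` accepts, using the host-side passwd/group
# files that get bind-mounted into the container, so the lookup no longer depends
# on the image's own /etc/passwd. Supplementary groups become --group-add flags.

# Constructed sample files (assumed content, modelled on the question's output).
PASSWD_FILE="${PASSWD_FILE:-$(mktemp)}"
GROUP_FILE="${GROUP_FILE:-$(mktemp)}"
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
db2inst1:x:422:422:DB2 Instance Administrator 1:/opt/nya/users/db2inst1:/bin/bash
db2fenc1:x:423:423:DB2 Fenced User 1:/home/system/db2fenc1:/bin/bash
EOF
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
db2iadm1:x:422:
db2fadm1:x:423:db2inst1
docker:x:999:db2inst1
EOF

# user_spec NAME -> prints "uid:gid" (uid and primary gid from the passwd file).
# Returns 1 if NAME is absent, so callers never fall back to a root gid silently.
user_spec() {
    awk -F: -v u="$1" '
        $1 == u { print $3 ":" $4; found = 1 }
        END     { exit !found }' "$PASSWD_FILE"
}

# group_add_args NAME -> prints "--group-add GID" for every group whose member
# list contains NAME (these are not applied by --user, only by --group-add).
group_add_args() {
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] == u) out = out (out ? " " : "") "--group-add " $3 }
        END { print out }' "$GROUP_FILE"
}

# docker_exec_cmd NAME CONTAINER -> prints the full docker exec command line.
# Printing instead of executing keeps the script usable without a daemon.
docker_exec_cmd() {
    spec=$(user_spec "$1") || return 1
    extra=$(group_add_args "$1")
    cmd="docker exec --user $spec"
    if [ -n "$extra" ]; then
        cmd="$cmd $extra"
    fi
    # --login sources the shell profile, as in the answer's workaround.
    cmd="$cmd -ti $2 bash --login -c 'db2licm -l'"
    printf '%s\n' "$cmd"
}

# Usage: docker_exec_cmd db2inst1 mydb2
# -> docker exec --user 422:422 --group-add 423 --group-add 999 -ti mydb2 bash --login -c 'db2licm -l'
```

Point `PASSWD_FILE` and `GROUP_FILE` at the real host files you mount (`/etc/passwd`, `/etc/group`) and pipe the output into `sh` or `eval` once you have checked it; the `uid:gid` pair is resolved from the same source the container will see, and a missing user fails the command instead of degrading to gid 0.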
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.