How to deal with a high user ID in a Dockerfile

Solve the build problem caused by a high user ID in a Dockerfile.

First, create a simple Docker image with a custom user.

FROM debian:bullseye

RUN groupadd --gid 1000 milosz \
    && useradd --uid 1000 --gid 1000 --shell /bin/bash --create-home milosz

USER milosz
WORKDIR /home/milosz

It will build successfully as expected.

Sending build context to Docker daemon  3.072kB
Step 1/4 : FROM debian:bullseye
bullseye: Pulling from library/debian
d28ba3bddf26: Pull complete 
Digest: sha256:f5d8b0737991a13284b86adb3e6605f41794fcdfd5d0f0b36939f7e30b323358
Status: Downloaded newer image for debian:bullseye
 ---> bcce5f35cfb5
Step 2/4 : RUN groupadd --gid 1000 milosz     && useradd --uid 1000 --gid 1000 --shell /bin/bash --create-home milosz
 ---> Running in 25e6e6be2f18
Removing intermediate container 25e6e6be2f18
 ---> 77a6f2c59278
Step 3/4 : USER milosz
 ---> Running in 22edbac993e7
Removing intermediate container 22edbac993e7
 ---> c841b8d274f4
Step 4/4 : WORKDIR /home/milosz
 ---> Running in 1321fefc7d9d
Removing intermediate container 1321fefc7d9d
 ---> 8d484dd5d8f9
Successfully built 8d484dd5d8f9

But suppose that, for whatever reason, you use a high user ID (for example, one that comes from an external identity and authentication solution).

FROM debian:bullseye

RUN groupadd --gid 1000100011 milosz \
    && useradd --uid 1000100011 --gid 1000100011 --shell /bin/bash --create-home milosz

USER milosz
WORKDIR /home/milosz

The build process will hang until it has used all available disk space.

Sending build context to Docker daemon  3.072kB
Step 1/4 : FROM debian:bullseye
 ---> bcce5f35cfb5
Step 2/4 : RUN groupadd --gid 1000100011 milosz     && useradd --uid 1000100011 --gid 1000100011 --shell /bin/bash --create-home milosz
 ---> Running in bcfc58461a3f
^C

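Inspecting the overlayfs filesystem points to the lastlog and faillog files. Both are indexed by user ID, so writing the entry for a very high UID extends them to an enormous apparent size.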

drwxr-xr-x 2 root root 4,0K Jun 10 10:53 apt
-rw-rw---- 1 root utmp    0 Jun 21 02:00 btmp
-rw-r--r-- 1 root root  30G Jul  1 23:38 faillog
-rw-rw-r-- 1 root utmp 272G Jul  1 23:38 lastlog
-rw-rw-r-- 1 root utmp    0 Jun 21 02:00 wtmp

The solution is to add the --no-log-init parameter to the useradd command. The useradd manual describes it as follows.

-l, --no-log-init
    Do not add the user to the lastlog and faillog databases.

    By default, the user's entries in the lastlog and faillog databases are reset to avoid reusing
    the entry from a previously deleted user.

    For the compatibility with previous Debian's useradd, the -O option is also supported.

With the --no-log-init parameter added, the Dockerfile looks like this.

FROM debian:bullseye

RUN groupadd --gid 1000100011 milosz \
    && useradd --no-log-init --uid 1000100011 --gid 1000100011 --shell /bin/bash --create-home milosz

USER milosz
WORKDIR /home/milosz

Now it will build successfully.

Sending build context to Docker daemon  3.072kB
Step 1/4 : FROM debian:bullseye
 ---> bcce5f35cfb5
Step 2/4 : RUN groupadd --gid 1000100011 milosz     && useradd --no-log-init --uid 1000100011 --gid 1000100011 --shell /bin/bash --create-home milosz
 ---> Running in 3814a266a1fa
Removing intermediate container 3814a266a1fa
 ---> 3dc5a861239c
Step 3/4 : USER milosz
 ---> Running in 9d36dff5f92b
Removing intermediate container 9d36dff5f92b
 ---> 51fef83393b5
Step 4/4 : WORKDIR /home/milosz
 ---> Running in 474d7463c17a
Removing intermediate container 474d7463c17a
 ---> b0cf612fc40d
Successfully built b0cf612fc40d
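
A pre-build check that catches the problem before it fills the build host's disk, as an added example that is not part of the original post. It assumes 292-byte lastlog and 32-byte faillog records (x86_64 glibc/shadow), which reproduces the 272G and 30G sizes listed above; the function names and the 1 GiB threshold are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: lint a Dockerfile (on stdin) for
# useradd calls whose UID would inflate /var/log/lastlog during the build.
# Assumption: 292-byte lastlog and 32-byte faillog records (x86_64 glibc/shadow),
# which matches the 272G and 30G files listed in the post.
LASTLOG_REC=292
FAILLOG_REC=32

# projected_bytes UID REC_SIZE: apparent size once slot UID has been written.
projected_bytes() {
    echo $(( ($1 + 1) * $2 ))
}

# check_dockerfile [LIMIT_BYTES] < Dockerfile
# Prints each risky useradd and returns 1 if any was found. LIMIT_BYTES is a
# hypothetical policy threshold (default 1 GiB of projected lastlog size).
check_dockerfile() {
    awk -v rec="$LASTLOG_REC" -v limit="${1:-1073741824}" '
    function scan(s,    n, cmds, i, nw, w, j, uid, safe, isadd) {
        n = split(s, cmds, /&&|;|[|][|]/)          # one shell command per element
        for (i = 1; i <= n; i++) {
            nw = split(cmds[i], w, /[ \t]+/)
            uid = ""; safe = 0; isadd = 0
            for (j = 1; j <= nw; j++) {
                if (w[j] == "useradd") isadd = 1
                else if (w[j] == "-l" || w[j] == "--no-log-init") safe = 1
                else if ((w[j] == "-u" || w[j] == "--uid") && j < nw) uid = w[j + 1]
                else if (w[j] ~ /^--uid=/) uid = substr(w[j], 7)
            }
            # Only literal numeric UIDs are evaluated; build ARGs are skipped.
            if (isadd && !safe && uid ~ /^[0-9]+$/ && (uid + 1) * rec > limit) {
                printf "useradd --uid %s lacks --no-log-init: lastlog grows to %.1f GiB\n", uid, (uid + 1) * rec / 1073741824
                bad = 1
            }
        }
    }
    { line = line " " $0 }
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, "", line); next }   # continuation line: keep joining
    { scan(line); line = "" }
    END { if (line != "") scan(line); exit bad + 0 }'
}

# Constructed sample input: the failing Dockerfile from this post.
check_dockerfile <<'EOF' || echo "build would exhaust disk space"
FROM debian:bullseye
RUN groupadd --gid 1000100011 milosz \
    && useradd --uid 1000100011 --gid 1000100011 --shell /bin/bash --create-home milosz
EOF
```

Combined short options such as -lm are not recognised by this check, so write the flag on its own.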

Additional notes

Please read Bug 1244300 – docker: sparse file handling causes out-of-space issues (CLOSED WONTFIX) for more information.

Docker version used in this example.

$ docker --version
Docker version 20.10.7, build f0df350