Option to disable uid=0 check

Open silverwind opened this issue 5 years ago • 7 comments

Inside Docker containers it's often unavoidable/necessary to run processes as uid 0 but this module stubbornly refuses to run as uid 0.

I've monkey-patched the module to remove that check and everything seems to work fine so far so I'd suggest having an option like --allow-root or better yet, remove this opinionated check.

silverwind • Oct 13 '20 10:10

Do you meet any issue when running snmpsim in Docker?

gainskills • Oct 17 '20 09:10

It will refuse to run inside Docker as root at all with the Must drop privileges error. After I patched out that check, it runs just fine.

I run snmpsim inside a CI environment which always runs its jobs as uid=0 and I tried the --process-user=nobody and --process-group=nogroup arguments but then I ran into tempfiles permission errors (presumably fixed by https://github.com/etingof/snmpsim/commit/e9e1d5b8103cbe93f474de6e4a952dac7d06f41d but not released), so I gave up and patched out that check.

silverwind • Oct 17 '20 12:10

> It will refuse to run inside Docker as root at all with the Must drop privileges error. After I patched out that check, it runs just fine.
>
> I run snmpsim inside a CI environment which always runs its jobs as uid=0 and I tried the --process-user=nobody and --process-group=nogroup arguments but then I ran into tempfiles permission errors (presumably fixed by e9e1d5b but not released), so I gave up and patched out that check.

Can you try with the master edition?

gainskills • Oct 21 '20 22:10

Regardless of whether master works or not, I think the uid check needs to go or be disableable.

silverwind • Oct 22 '20 04:10

I totally understand what you are concerned about, but rather than fixing the issue by talking, I would say each layer has different specs to consider. Here is a note about the steps I took for a workaround:

  • requirements.txt for Docker
snmpsim @ https://github.com/etingof/snmpsim/zipball/master
  • Dockerfile
# Pull base image
FROM python:3.9.0-alpine3.12
MAINTAINER [email protected]

# Set environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1

# Update
RUN apk update && apk upgrade
RUN apk add build-base gcc

# set work directory
RUN mkdir /usr/test
# copy project
COPY ./requirements.txt /usr/test/requirements.txt

WORKDIR /usr/test

# install dependencies
RUN pip install --no-cache-dir --upgrade pip
# RUN pip install --no-cache-dir -U -r requirements-git.txt
RUN pip install --no-cache-dir -U -r requirements.txt

# Cleanup
RUN rm -rf /var/cache/apk/* /root/.node-gyp /usr/share/man /tmp/*
  • build then run the container with
docker run snmpsim /bin/sh -c "snmpsim-command-responder --process-user=nobody --process-group=nogroup --agent-udpv4-endpoint=127.0.0.1:1024"

and

docker run snmpsim /bin/sh -c "snmpsim-command-responder --process-user=root --process-group=root --agent-udpv4-endpoint=127.0.0.1:1024"

SNMPSim can be started.

gainskills • Oct 23 '20 01:10
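An added illustration of the start-up guard this thread is about (not snmpsim's code and not part of any comment here): refuse uid 0 unless a target user and group are given, accept root when it is named explicitly, and otherwise drop in the order setgroups, setgid, setuid. The function name, the `state_dir` parameter, the `FakeOS` stand-in and uid/gid 65534 are assumptions made for the example.

```python
import os

class PrivilegeError(RuntimeError):
    pass

def drop_privileges(uid, gid, state_dir=None, osmod=os):
    """Return 'unprivileged', 'kept-root' or 'dropped'.
    uid/gid: numeric ids from --process-user/--process-group, or None."""
    if osmod.geteuid() != 0:
        return "unprivileged"              # nothing to drop
    if uid is None or gid is None:
        raise PrivilegeError("Must drop privileges")
    if uid == 0:
        return "kept-root"                 # root named explicitly by the operator
    if state_dir is not None:
        # Hand root-created state to the target user while still privileged;
        # skipping this is one common cause of post-drop permission errors.
        osmod.chown(state_dir, uid, gid)
    osmod.setgroups([])                    # clear supplementary groups first
    osmod.setgid(gid)                      # group before user: needs uid 0
    osmod.setuid(uid)                      # irreversible for a root process
    if osmod.geteuid() != uid or osmod.getegid() != gid:
        raise PrivilegeError("privilege drop did not take effect")
    return "dropped"

class FakeOS:
    """Constructed stand-in for the os module so the demo runs without root."""
    def __init__(self, euid):
        self.euid, self.egid, self.calls = euid, 0, []
    def geteuid(self):
        return self.euid
    def getegid(self):
        return self.egid
    def _privileged(self, name, *args):
        if self.euid != 0:                 # mirrors EPERM after the drop
            raise PermissionError(name)
        self.calls.append((name,) + args)
    def chown(self, path, uid, gid):
        self._privileged("chown", path, uid, gid)
    def setgroups(self, groups):
        self._privileged("setgroups", tuple(groups))
    def setgid(self, gid):
        self._privileged("setgid", gid); self.egid = gid
    def setuid(self, uid):
        self._privileged("setuid", uid); self.euid = uid

if __name__ == "__main__":
    fake = FakeOS(euid=0)
    print(drop_privileges(65534, 65534, "/tmp/state", fake), fake.calls)
```

Because `FakeOS` rejects privileged calls once the effective uid is no longer 0, reordering the three set* calls in `drop_privileges` makes the demo fail, which is the same failure a real process hits.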

I use poetry and have snmpsim as a devDependency like

[tool.poetry.dev-dependencies]
snmpsim = "^0.4.7" 

I guess I can try changing that to point to github master and try the uid/gid workaround, but it's just that, a workaround. I'm of the strong opinion that such uid checks have no place in a module like this.

I'm aware that it's dangerous to run stuff as root, but I accept that risk because my CI environment does not offer any other option and it's not inherently unsafe because it runs in an isolated container.

silverwind • Oct 23 '20 11:10

I agree with silverwind, the workaround is completely non-obvious, who would have thought you can provide root to process-user. I've spent a day messing with the permissions until I stumbled upon this issue.

frogmaster • Nov 21 '20 15:11