Ubuntu 24.04 comes with existing non-root user

Open yuvipanda opened this issue 1 year ago • 6 comments

Ubuntu 24.04 already comes with a non-root user at 1000:

ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

Ubuntu 22.04 does not have this, so we have been able to create our own with uid 1000. So repo2docker I think will currently fail if we try to use an ubuntu 24.04 base image.

yuvipanda avatar May 20 '24 20:05 yuvipanda

The Ubuntu 24.04 container image default user is root.

$ docker run -it ubuntu:24.04 /bin/sh
# whoami
root
# cat /etc/passwd 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

So repo2docker I think will currently fail if we try to use an ubuntu 24.04 base image.

It will fail with

useradd: UID 1000 is not unique

at https://github.com/jupyterhub/repo2docker/blob/d0ddd2e3c47776c11eaa006c0b3bb2e2d372f89b/repo2docker/buildpacks/base.py#L49-L56

rgaiacs avatar Apr 08 '25 07:04 rgaiacs

Could we make the useradd conditional, and run usermod --home "/home/${NB_USER}" --login "${NB_USER}" ubuntu if the user exists?

manics avatar Oct 21 '25 12:10 manics

That will still cause any potential stuff that relies on jovyan as username to fail. Can we rip out the default user and add ours? Or find a base image without a non-root user?

yuvipanda avatar Oct 21 '25 16:10 yuvipanda

We're using this code snippet on pangeo-docker-images (from commit https://github.com/pangeo-data/pangeo-docker-images/pull/617/commits/3a197d4185569801cf6e7ddc91a18ac923436bef), might be useful for reference on how to rename the existing ubuntu user to jovyan (or any other name):

RUN echo "Creating ${NB_USER} user..." \
-    # Create a group for the user to be part of, with gid same as uid
-    && groupadd --gid ${NB_UID} ${NB_USER}  \
-    # Create non-root user, with given gid, uid and create $HOME
-    && useradd --create-home --gid ${NB_UID} --no-log-init --uid ${NB_UID} ${NB_USER} \
+    # Change user name from ubuntu to jovyan
+    && usermod --login ${NB_USER} ubuntu \
+    # Change group name from ubuntu to jovyan
+    && groupmod --new-name ${NB_USER} ubuntu \
+    # Set home directory of jovyan user
+    && usermod --home /home/${NB_USER} --move-home ${NB_USER} \
     # Make sure that /srv is owned by non-root user, so we can install things there
     && chown -R ${NB_USER}:${NB_USER} /srv
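
Review bot: the added `usermod --login ${NB_USER} ubuntu` line renames the account in place, so it keeps whatever uid and supplementary group memberships the base image gave `ubuntu`, and nothing in the new lines references `${NB_UID}`, which the removed `useradd --uid ${NB_UID}` did. Suggest checking that `id -u ubuntu` equals `${NB_UID}` before renaming, clearing supplementary groups after it (for example `usermod --groups "" ${NB_USER}`), and guarding the rename so the step does not fail on a base image that has no `ubuntu` user.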

weiji14 avatar Oct 21 '25 17:10 weiji14

i just ran in to this, and decided to delete the user/group and create jovyan from scratch:

RUN echo "Deleting user/group ubuntu (UID/GID 1000)..." && \
    (userdel -f ubuntu || true) && \
    (groupdel ubuntu || true)  && \
    echo "Creating ${NB_USER} user with UID/GID 1000..." && \
    adduser --disabled-password --gecos "Default Jupyter user" --uid ${NB_UID} ${NB_USER} && \
    # Set home directory of jovyan user
    usermod --home /home/${NB_USER} --move-home ${NB_USER} && \
    # Make sure that /srv is owned by non-root user, so we can install things there
    chown -R ${NB_USER}:${NB_USER} /srv

seems to work as advertised!

shaneknapp avatar Oct 26 '25 00:10 shaneknapp

the reason why i chose this route over running usermod is that the latter method left the jovyan user in a bunch of extraneous groups, including sudo:

$ id
uid=1000(jovyan) gid=1000(jovyan) groups=1000(jovyan),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev)

shaneknapp avatar Oct 27 '25 15:10 shaneknapp
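
An added example, not part of the thread or of repo2docker: a build-time check for the two problems discussed above, the uid 1000 collision and the supplementary groups (including sudo) that a rename leaves behind. The function names, the privileged-group list and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not repo2docker code): audit passwd/group data for the two
# problems in this thread. File paths are arguments, so the functions work on
# the constructed samples below or on /etc/passwd and /etc/group in a build.

# Print the login name that owns a uid; prints nothing if the uid is free.
uid_owner() {  # usage: uid_owner <passwd-file> <uid>
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Print, space-separated, every group that lists the user as a member.
supplementary_groups() {  # usage: supplementary_groups <group-file> <user>
    awk -F: -v user="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == user) { printf "%s ", $1; break }
    }' "$1"
}

# Succeed only if the user is in none of the groups in PRIVILEGED_GROUPS.
# Assumption: which groups count as privileged is a local policy choice.
PRIVILEGED_GROUPS="sudo adm"
check_no_privileged_groups() {  # usage: ... <group-file> <user>
    for g in $(supplementary_groups "$1" "$2"); do
        case " $PRIVILEGED_GROUPS " in
            *" $g "*) echo "$2 is in privileged group $g" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed samples: a base image passwd file, the group file after a
# usermod/groupmod rename, and the group file after delete-and-recreate.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' 'adm:x:4:jovyan' 'dialout:x:20:jovyan' 'sudo:x:27:jovyan' \
    'jovyan:x:1000:' > "$SAMPLE_DIR/group.renamed"
printf '%s\n' 'adm:x:4:' 'sudo:x:27:' 'jovyan:x:1000:' > "$SAMPLE_DIR/group.recreated"

echo "uid 1000 is owned by: $(uid_owner "$SAMPLE_DIR/passwd" 1000)"
for f in group.renamed group.recreated; do
    if check_no_privileged_groups "$SAMPLE_DIR/$f" jovyan; then
        echo "$f: ok"
    else
        echo "$f: build should fail here"
    fi
done
```

In an image build the same functions can be pointed at `/etc/passwd` and `/etc/group` after the user-setup step, so a non-zero exit stops the build.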