mssql-docker icon indicating copy to clipboard operation
mssql-docker copied to clipboard
verified publisher icon microsoft

Unable to reset 'sa' password using mssql-conf in SQL server 2019 container for RHEL

Open ravilk opened this issue 2 years ago • 2 comments

Hi,

Docker image - 2019-CU18-rhel-8.5 Kubernetes version - 1.23

We are working on 'master' database restoration process on the new POD. After restoration I want to reset 'sa' password, since restored master database stores 'sa' password from the old SQL installation.

Currently, we are able to restore master database on the new POD, but I'm receiving errors while executing mssql-conf to reset 'sa' password:

/opt/mssql/bin/mssql-conf set-sa-password
Warning: could not create log file for mssql-conf at /var/opt/mssql/log/mssql-conf/mssql-conf.log.
This program must be run as superuser or as a user with membership in the mssql
group.

We don't have sudo installed:

bash-4.4$ sudo su
bash: sudo: command not found

mssql user details:

bash-4.4$ id
uid=10001(mssql) gid=30021 groups=30021

I found that mssql-conf folder is missing in log folder:

bash-4.4$
bash-4.4$ ls -la /var/opt/mssql/log/mssql-conf
ls: cannot access '/var/opt/mssql/log/mssql-conf': No such file or directory

Here is permissions for the SQL server data and log folders:

bash-4.4$ ls -la /var/opt/mssql/
total 8
drwxrwsr-x. 6 root  30021   77 Mar 30 09:02 .
drwxr-xr-x. 1 root  root    19 Sep 13  2022 ..
drwxr-sr-x. 5 mssql 30021   74 Mar 30 09:02 .system
drwxr-sr-x. 2 mssql 30021 4096 Mar 30 09:02 data
drwxr-sr-x. 2 mssql 30021  178 Mar 30 09:02 log
-rw-r--r--. 1 mssql 30021 1482 Mar 30 09:02 mssql.conf
drwxr-sr-x. 2 mssql 30021   25 Mar 30 09:02 secrets
bash-4.4$
bash-4.4$ ls -la /var/opt/mssql/log/
total 292
drwxr-sr-x. 2 mssql 30021    178 Mar 30 09:02 .
drwxrwsr-x. 6 root  30021     77 Mar 30 09:02 ..
-rw-r-----. 1 mssql 30021  77824 Mar 30 09:02 HkEngineEventFile_0_133246405524970000.xel
-rw-r-----. 1 mssql 30021  14573 Mar 30 09:19 errorlog
-rw-r-----. 1 mssql 30021      0 Mar 30 09:02 errorlog.1
-rw-r-----. 1 mssql 30021   8192 Mar 30 09:05 log.trc
-rw-r-----. 1 mssql 30021    156 Mar 30 09:02 sqlagentstartup.log
-rw-r-----. 1 mssql 30021 192512 Mar 30 09:18 system_health_0_133246405542000000.xel
bash-4.4$

Here is the SQL server process status:

ps -ef | grep mssql
mssql        1     0  0 09:02 ?        00:00:03 /opt/mssql/bin/sqlservr
mssql       35     1  2 09:02 ?        00:00:28 /opt/mssql/bin/sqlservr

ravilk avatar Mar 30 '23 09:03 ravilk

This program must be run as superuser or as a user with membership in the mssql group.

Encountered the same problem. I looked into the code of mssql-conf and found this part:

def checkSudo():
    """Check if we're running as root

    Returns:
        True if running as root, False otherwise
    """

    if (os.geteuid() == 0):
        return True

    return False

def checkSudoOrMssql():
    """Check if we're running as root or the user is in the mssql group.

    Returns:
        True if running as root or in mssql group, False otherwise
    """

    if(checkSudo() == True):
        return True

    user = getpass.getuser()
    groups = [g.gr_name for g in grp.getgrall() if user in g.gr_mem]
    gid = pwd.getpwnam(user).pw_gid
    groups.append(grp.getgrgid(gid).gr_name)

    if('mssql' in groups):
        return True

    return False

In the 2019 docker container, the user has these properties: uid=10001(mssql) gid=0(root) groups=0(root)

The check above should be extended so checkSudo() also returns true if os.getegid() == 0. Alternatively, the checkSudoOrMssql() function should also return true if the user is named mssql or is part of the group called root.

Also confirmed the same bug in 2022-latest.

bergerst avatar Dec 14 '23 18:12 bergerst