Allow non-root user to run sqlservr in a container

[tchughesiv]

I'd like to eventually support running the centos/rhel (and ubuntu for that matter) images w/ an arbitrary uid... something openshift does by default for added security.

For mssql, this would amount to allowing for non-root execution of sqlservr. Maybe logic could be added to limit non-root runtime only to containers... if, for example, msft wanted to ensure the root user was used when running outside of a container?

Today, however, it appears sqlservr may be checking for uid 0 at runtime? e.g.

# docker run -u 1000014406 -e ACCEPT_EULA=Y -e SA_PASSWORD=yourStrong@Password -p 1433:1433 -d microsoft/mssql-server-linux

$ id
uid=1000014406(root) gid=0(root) groups=0(root)

$ sqlservr 
Aborted

[mikenel]

If you're running as low privileged user, we don't have permission to create /var/opt/mssql (let alone set the right permissions). It would probably work if you extended the image and pre-created that directory with the right permissions.

[tchughesiv]

@mikenel that's exactly what we'd do... and in openshift, for example, if a persistent volume were used for that dir... the perms would be set appropriately for the user.

[tchughesiv]

we build non-root images for DB's quite often and they work really well

[ChrisKofler]

@tchughesiv : do you say that mssql can actually run without a root user?

[ChrisKofler]

This is also a must-have requirement to run mssql in our cloud providers OpenShift environment. No way they're granting a container root privileges.

[Montecito]

The problem is that openshift generates a random uid that is not present in the passwd file nor in the group file.

A solution for this problem would be to use nsswrapper, plz try the following:
Dockerfile:
FROM microsoft/mssql-server-linux
ENV RUN_USER 500
ENV RUN_GROUP 0
ENV ACCEPT_EULA Y
ENV SA_PASSWORD YOURPWDHERE
RUN mkdir /var/opt/mssql &&
chown -R ${RUN_USER}:${RUN_GROUP} /var/opt/mssql &&
chmod -R 770 /var/opt/mssql
ADD scripts /scripts # This adds the new entrypoint, listed below
RUN dpkg -i /scripts/libnss-wrapper_1.1.2-1_amd64.deb
USER ${RUN_USER}:${RUN_GROUP}
ENTRYPOINT ["/scripts/entrypoint"]

And as entrypoint:
#!Spaces are added at : x : because github ui produces ❌
#!Plz remove them when you try to run it ;-)
#!/bin/bash
cat /etc/passwd > /tmp/passwd
echo "$(id -u): x :$(id -u):$(id -g):dynamic uid:/tmp:/bin/false" >>
/tmp/passwd
cat /etc/group > /tmp/group
echo "$(id -u): x :$(id -u):" >> /tmp/group
export NSS_WRAPPER_PASSWD=/tmp/passwd
export NSS_WRAPPER_GROUP=/tmp/group
export LD_PRELOAD=libnss_wrapper.so
exec /opt/mssql/bin/sqlservr.sh

Hope this works for you.

[ChrisKofler]

I'll give it a try and let you know - thanks a lot!

[tchughesiv]

resolved w/ #216