inject user information into container #179

Closed
o-smirnov opened this issue Sep 19, 2023 · 2 comments
Comments

@o-smirnov
Member

o-smirnov commented Sep 19, 2023

CASA won't run inside a container without user information:

# /casa-release-5.8.0-109.el7/lib/python2.7/getpass.pyc in getuser()
#     156     # If this fails, the exception will "explain" why
#     157     import pwd
# --> 158     return pwd.getpwuid(os.getuid())[0]
#     159
#     160 # Bind the name getpass to the appropriate function
#
# KeyError: 'getpwuid(): uid not found: 1000'

Under singularity this is no problem as it exposes the host's /etc/passwd and /etc/group. Under k8s, the container is "userless". Need to inject this info somehow. Here's a ChatGPT suggestion:

How to make pwd.getpwuid() work inside a container without root access

If you need to use pwd.getpwuid() inside a container without root access and without altering system-wide configurations, you have a couple of alternatives:

  1. Provide Necessary User Data:

    Instead of altering /etc/passwd (which would require root access), you can provide a mock or substitute passwd file with the required user data and then leverage environment variables to make Python tools refer to this file.

    First, create your custom passwd file, say custom_passwd, with the necessary user data.

    myuser:x:1001:1001:My User:/home/myuser:/bin/bash

    In your container, set the NSS_WRAPPER_PASSWD and NSS_WRAPPER_GROUP environment variables to point to this custom file and use nss_wrapper to make pwd.getpwuid() use this file:

    FROM python:3.9-slim
    
    # Install nss_wrapper and necessary dependencies
    RUN apt-get update && apt-get install -y libnss-wrapper gettext-base && rm -rf /var/lib/apt/lists/*
    
    # custom_passwd replaces the passwd database for the wrapped process, so it must
    # hold an entry for the uid the container actually runs as (1000 in the traceback above)
    COPY custom_passwd /app/custom_passwd
    COPY my_script.py /app/my_script.py
    
    # Point the wrapper at the substitute passwd file; the group database stays the system one
    ENV NSS_WRAPPER_PASSWD=/app/custom_passwd
    ENV NSS_WRAPPER_GROUP=/etc/group
    # Library path of the Debian package; root is needed only at image build, not at runtime
    ENV LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libnss_wrapper.so
    
    CMD ["python", "/app/my_script.py"]

    nss_wrapper provides a way for your application to load /etc/passwd and /etc/group from a different location than the system defaults.

  2. Reconsider the Need:

    Check if you can refactor or adjust your code logic to avoid the need to call pwd.getpwuid(). Sometimes, the reason for needing user information can be rethought in the context of containerized applications.

  3. Dynamic User Mapping:

    Some container platforms, like OpenShift, often use random UIDs for containers for security reasons. They also provide mechanisms like the nss_wrapper mentioned above to help applications run without expecting specific UIDs. Ensure your application is resilient to running under different UIDs and can fetch or derive necessary user data without relying on system-wide user databases.

Remember to ensure your solutions adhere to best security practices, especially when working in environments that prioritize non-root container execution for safety reasons.
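One practical wrinkle with option 1 is that NSS_WRAPPER_PASSWD replaces the passwd database for the wrapped process rather than extending it, and the uid a k8s pod runs as is often not known at image build time. The following is an added example, not code from this issue or from the cult-cargo project: it builds the passwd/group pair at container start from the image's own /etc/passwd plus the running uid, and only emits the LD_PRELOAD setting if libnss_wrapper is actually present. The library paths in LIB_CANDIDATES are assumptions (the first is the Debian path from the Dockerfile above), as are the user name "casa" and the home directory /tmp/home.

```python
"""Generate nss_wrapper passwd/group files for the uid a container runs as.

Added example; assumes libnss_wrapper lives at one of LIB_CANDIDATES.
"""
import os
from pathlib import Path

LIB_CANDIDATES = (
    "/usr/lib/x86_64-linux-gnu/libnss_wrapper.so",  # Debian/Ubuntu path (from the Dockerfile above)
    "/usr/lib64/libnss_wrapper.so",                  # assumed path for RHEL-family images
)


def has_entry(lines, numeric_id):
    """True if a passwd(5)/group(5) line already carries this uid/gid (field index 2)."""
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) == numeric_id:
            return True
    return False


def render_passwd(existing, uid, gid, name, home, shell="/bin/sh"):
    """Return the existing passwd lines plus one for `uid` if it is missing.

    Keeping the existing lines matters: the wrapper serves only this file,
    so dropping them would make lookups for root and service users fail.
    Field order is name:password:uid:gid:gecos:home:shell.
    """
    lines = [line.rstrip("\n") for line in existing if line.strip()]
    if not has_entry(lines, uid):
        # 'x' in the password field: no credential here, nss_wrapper never authenticates
        lines.append(f"{name}:x:{uid}:{gid}:{name}:{home}:{shell}")
    return lines


def render_group(existing, gid, name):
    """Same idea for group(5): name:password:gid:members."""
    lines = [line.rstrip("\n") for line in existing if line.strip()]
    if not has_entry(lines, gid):
        lines.append(f"{name}:x:{gid}:")
    return lines


def nss_wrapper_env(passwd_path, group_path, lib_candidates=LIB_CANDIDATES):
    """Environment additions that make libc (and so Python's pwd module) read the
    generated files. Returns None when the library is not installed, so the caller
    can fall back to exporting USER/HOME only."""
    for lib in lib_candidates:
        if Path(lib).exists():
            return {
                "NSS_WRAPPER_PASSWD": str(passwd_path),
                "NSS_WRAPPER_GROUP": str(group_path),
                "LD_PRELOAD": lib,
            }
    return None


def prepare(workdir, uid, gid, name="casa", home="/tmp/home"):
    """Write passwd and group files under `workdir`; return the env dict or None."""
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    try:
        existing_passwd = Path("/etc/passwd").read_text().splitlines()
        existing_group = Path("/etc/group").read_text().splitlines()
    except OSError:  # stripped-down image without the files at all
        existing_passwd, existing_group = [], []
    passwd_path = workdir / "passwd"
    group_path = workdir / "group"
    passwd_path.write_text("\n".join(render_passwd(existing_passwd, uid, gid, name, home)) + "\n")
    group_path.write_text("\n".join(render_group(existing_group, gid, name)) + "\n")
    return nss_wrapper_env(passwd_path, group_path)


if __name__ == "__main__":
    # Intended to run from an entrypoint before exec'ing the real workload.
    env = prepare("/tmp/nss", os.getuid(), os.getgid())
    if env is None:
        print("# libnss_wrapper not installed; export USER and HOME instead")
    else:
        for key, value in env.items():
            print(f"export {key}={value}")
```

Because this relies on LD_PRELOAD, it affects only processes that inherit the variable, and the dynamic loader ignores LD_PRELOAD for set-uid binaries, so it cannot be used to fool privileged programs; that is also why it needs no root.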

@o-smirnov
Member Author

Confirming that option 1 makes CASA happy. Since this is pretty generic and infrastructural, I'll add it to the kube runner as a top-level option.

@o-smirnov
Member Author

As it turns out, libnss_wrapper is not even necessary. Just setting USER and HOME variables inside the container, and mounting an ephemeral home directory, looks sufficient to stop it from whining.
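The reason USER alone is enough follows from the traceback above: CPython's getpass.getuser() checks the LOGNAME, USER, LNAME and USERNAME environment variables, in that order, and only calls pwd.getpwuid() when none of them is set. The following is an added example, not code from this issue or from the cult-cargo project: it reimplements that lookup order with injectable dependencies so the "userless" k8s case can be reproduced on any machine, and adds the HOME check that goes with the ephemeral home mount. The function names and the sample environments are constructed for the example.

```python
"""Preflight check for user identity inside a container.

Added example; mirrors the environment-first order of getpass.getuser().
"""
import os
import pwd

# Order in which CPython's getpass.getuser() consults the environment
ENV_NAMES = ("LOGNAME", "USER", "LNAME", "USERNAME")


def resolve_user(environ=None, getuid=os.getuid, getpwuid=pwd.getpwuid):
    """Return (user, source). Raises KeyError exactly like getpass.getuser()
    does when no env var is set and the uid has no passwd entry."""
    environ = os.environ if environ is None else environ
    for name in ENV_NAMES:
        value = environ.get(name)
        if value:  # empty string is treated as unset, as in getpass
            return value, f"env:{name}"
    # Last resort: the passwd database. In a userless container this is the
    # call that fails with "getpwuid(): uid not found".
    return getpwuid(getuid())[0], "passwd"


def home_is_usable(environ=None, isdir=os.path.isdir, access=os.access):
    """HOME must be set and point at a writable directory; an unset HOME makes
    many tools fall back to the passwd home field, which is also absent."""
    environ = os.environ if environ is None else environ
    home = environ.get("HOME")
    return bool(home) and isdir(home) and access(home, os.W_OK)


def diagnose(environ=None, getuid=os.getuid, getpwuid=pwd.getpwuid,
             isdir=os.path.isdir, access=os.access):
    """Report which identity sources work, e.g. for an entrypoint preflight."""
    report = {"uid": getuid()}
    try:
        user, source = resolve_user(environ, getuid, getpwuid)
        report["user"], report["source"] = user, source
    except KeyError as exc:
        report["user"], report["source"] = None, f"unresolved: {exc}"
    report["home_ok"] = home_is_usable(environ, isdir, access)
    return report


if __name__ == "__main__":
    print(diagnose())
```

Run as the first step of the container's entrypoint, a report with `"user": None` or `"home_ok": False` tells you up front that USER/HOME injection or the home mount is missing, rather than discovering it from a stack trace deep inside CASA.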

o-smirnov added a commit to caracal-pipeline/cult-cargo that referenced this issue Sep 19, 2023