Option to disable uid=0 check about snmpsim HOT 9 CLOSED

It will refuse to run inside Docker as root at all with the Must drop privileges error. After I patched out that check, it runs just fine.

I run snmpsim inside a CI environment which always runs its jobs as uid=0 and I tried the --process-user=nobody and --process-group=nogroup arguments but then I ran into tempfiles permission errors (presumably fixed by e9e1d5b but not released), so I gave up and patched out that check.

from snmpsim.

do you meet any issue when running snmpsim in docker?

from snmpsim.

It will refuse to run inside Docker as root at all with the Must drop privileges error. After I patched out that check, it runs just fine.

I run snmpsim inside a CI environment which always runs its jobs as uid=0 and I tried the --process-user=nobody and --process-group=nogroup arguments but then I ran into tempfiles permission errors (presumably fixed by e9e1d5b but not released), so I gave up and patched out that check.

can you try with the master edition?

from snmpsim.

Regardless whether master works or not, I think the uid check needs to go or be disableable.

from snmpsim.

I totally understand what you concern about, but, not fix the issue by talking, I would say each layer has different specs to consider. Make a note about the steps what I did for a workaround:

• requirement.txt for docer

snmpsim @ https://github.com/etingof/snmpsim/zipball/master

• Dockerfile

# Pull base image
FROM python:3.9.0-alpine3.12
MAINTAINER [email protected]

# Set environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1

# Update
RUN apk update && apk upgrade
RUN apk add build-base gcc

# set work directory
RUN mkdir /usr/test
# copy project
COPY ./requirements.txt /usr/test/requirements.txt

WORKDIR /usr/test

# install dependencies
RUN pip install --no-cache-dir --upgrade pip
# RUN pip install --no-cache-dir -U -r requirements-git.txt
RUN pip install --no-cache-dir -U -r requirements.txt

# Cleanup
Run rm -rf /var/cache/apk/* /root/.node-gyp /usr/share/man /tmp/*

• build then run the container with

docker run snmpsim /bin/sh -c "snmpsim-command-responder --process-user=nobody --process-group=nogroup --agent-udpv4-endpoint=127.0.0.1:1024"

and

docker run snmpsim /bin/sh -c "snmpsim-command-responder --process-user=root --process-group=root --agent-udpv4-endpoint=127.0.0.1:1024"

SNMPSim can be started

from snmpsim.

I use poetry and have snmpsim as a devDependency like

[tool.poetry.dev-dependencies]
snmpsim = "^0.4.7" 

I guess I can try changing that to point to github master and try the uid/gid workaround, but it's just that, a workaround. I'm of the strong opinion that such uid checks have no place in a module like this.

I'm aware that it's dangerous to run stuff as root, but I accept that risk because my CI environment does not offer any other option and it's not inherently unsafe because it runs in a isolated container.

from snmpsim.

I agree with silverwind, the workaround is completely non-obvious, who would have thought you can provide root to process-user. I've spent a day messing with the permissions until i stumbled upon this issue.

from snmpsim.

https://github.com/lextudio/snmpsim has removed this uid check, so I'll be using that.

from snmpsim.

Seems I mislooked and snmpsim-lextudio still features this stupd uid check, so I'm back to monkey-patching.

Reason I have to do it is I'm running inside a specific CI environment where it's not easy to drop privileges like it would in plain docker. moby/moby#2259 is also a dependency.

from snmpsim.