docker exec --user db2inst1, unable to find user db2inst1: no matching entries in passwd file

I’m playing around with docker and db2 but I’m getting into trouble when I try to execute commands as user db2inst1 into a running container. I start the container as (it is 1 line but I split it up for readability):

docker run -itd --name mydb2 --privileged=true -p 50000:50000 
  -e LICENSE=accept 
  -e DB2INST1_PASSWORD=pelle_paltnacke 
  --mount type=volume,dst=${backupdir},volume-driver=local,volume-opt=type=nfs,\"volume-opt=o=nfsvers=4,addr=${addr}\",volume-opt=device=:${device} 
  -v /etc/passwd:/etc/passwd 
  -v /etc/group:/etc/group 
  -v /opt/nya/users/db2inst1:/opt/nya/users/db2inst1 
  -v /home/system/db2fenc1/:/home/system/db2fenc1/ ibmcom/db2

Now, if I try to do:

docker exec --user db2inst1 -ti mydb2 bash -c "cat /etc/passwd | grep db2inst1"
unable to find user db2inst1: no matching entries in passwd file

As root there is no problem:

docker exec -ti mydb2 bash -c "cat /etc/passwd | grep db2inst1"
db2inst1:x:422:422:DB2 Instance Administrator 1:/opt/nya/users/db2inst1:/bin/bash

and also --user root works fine:

docker exec --user root -ti mydb2 bash -c "cat /etc/passwd | grep db2inst1"
db2inst1:x:422:422:DB2 Instance Administrator 1:/opt/nya/users/db2inst1:/bin/bash

So I tried with the uid from the mounted passwd file:

docker exec --user 422 -ti mydb2 bash -c "cat /etc/passwd | grep db2inst1"
db2inst1:x:422:422:DB2 Instance Administrator 1:/opt/nya/users/db2inst1:/bin/bash

/etc/passwd is readable for everyone. Anyhow, using the uid does not get me far:

docker exec --user 422 -ti mydb2 bash -c "db2licm -l"
bash: db2licm: command not found

so I try with:

docker exec --user 422 -ti mydb2 bash -c "whoami; . ~db2inst1/sqllib/db2profile; db2licm -l"
db2inst1
bash: /opt/nya/users/db2inst1/sqllib/adm/db2licm: Permission denied

This is just a couple of commands I ran to demonstrate the problem. Does anyone have an explanation as to why the --user db2inst1 is not able to execute them?

FWIW, I tried without the nfs-mount but I get the same behaviour.

The container itself seems to be working alright. If I spin up the container as above and:

#> docker exec -ti mydb2 bash
[[email protected] /]# mkdir -p /data/db/db2
[[email protected] /]# chown db2inst1:db2iadm1 /data/db/db2/
[[email protected] /]# su - db2inst1
[[email protected] ~]$ cd /data/backup/db2/wb11/MD000I11/
[[email protected] MD000I11]$ db2 "restore db MD000I11 incremental auto taken at 20220307141244 to /data/db/db2 into WD000I11"
DB20000I  The RESTORE DATABASE command completed successfully.

EDIT: An interesting observation is:

docker exec --user 422 -ti mydb2 bash -c "id"
uid=422(db2inst1) gid=0(root) groups=0(root)

docker exec --user 422:422 -ti mydb2 bash -c "id"
uid=422(db2inst1) gid=422(db2iadm1) groups=422(db2iadm1)


docker exec --user 422:422 -ti mydb2 bash -c "whoami; . ~db2inst1/sqllib/db2profile; db2licm -l"

db2inst1
Product name:                     "DB2 Community Edition"
License type:                     "Community"
...

Unfortunately:

docker exec --user db2inst1:db2iadm1 -ti mydb2 bash -c "id"
unable to find user db2inst1: no matching entries in passwd file

How to solve:

Method 1

The problem seems to be unrelated to the Db2 container. I created a Dockerfile with:

FROM registry.access.redhat.com/ubi8/ubi:8.5

as its only content and could repeat the phenomenon. I even removed all things but the mount of /etc/passwd and /etc/groups, but --user still fails.

It looks as if --user X becomes uid 1000 in the container, regardless of what username X is; what uid X has in /etc/passwd does not seem to be taken into consideration.

The two options I tried to get around this problem are:

Create a "dummy" user in the Dockerfile:

FROM ibmcom/db2

RUN groupadd --gid 422 db2iadm1
RUN useradd -u 422 -g db2iadm1 db2inst1
...

Or use the uid as an argument to --user:

docker exec --user 422:422 -ti mydb2 bash --login -c "db2licm -l"

Here I used --login to set up the correct environment.

Using podman should remove much of the hassle, I guess.
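
A helper for the second workaround above, as an added example that is not part of the original answer: it resolves a user[:group] spec to the numeric uid:gid form from the same passwd and group files that are bind-mounted into the container. The function names and the sample group line are assumptions of this example.

```sh
# Added example (not from the original post): build the numeric uid:gid
# argument for `docker exec --user` from passwd/group files.

# Constructed sample data. The db2inst1 line is the one shown in the post;
# the db2iadm1 group line is assumed from the `id` output (gid 422).
sample_passwd() {
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'db2inst1:x:422:422:DB2 Instance Administrator 1:/opt/nya/users/db2inst1:/bin/bash'
}
sample_group() { printf '%s\n' 'root:x:0:' 'db2iadm1:x:422:'; }

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# lookup FILE KEY_FIELD KEY OUT_FIELD: print OUT_FIELD of the first line whose
# KEY_FIELD equals KEY; non-zero exit status when nothing matches.
lookup() {
  awk -F: -v kf="$2" -v key="$3" -v out="$4" \
    '$kf == key { print $out; found = 1; exit } END { exit !found }' "$1"
}

# resolve_user_spec SPEC PASSWD_FILE GROUP_FILE
# SPEC is name, uid, name:group or uid:gid. Always prints uid:gid, so the
# process never ends up with gid 0 as in the `--user 422` run above.
resolve_user_spec() (
  spec=$1 passwd=$2 group=$3
  user=${spec%%:*} grp=
  case $spec in *:*) grp=${spec#*:} ;; esac

  if is_num "$user"; then
    uid=$user
  else
    uid=$(lookup "$passwd" 1 "$user" 3) ||
      { echo "no user '$user' in $passwd" >&2; exit 1; }
  fi

  if [ -z "$grp" ]; then
    # No group given: take the primary gid from the passwd entry.
    gid=$(lookup "$passwd" 3 "$uid" 4) ||
      { echo "no passwd entry for uid $uid" >&2; exit 1; }
  elif is_num "$grp"; then
    gid=$grp
  else
    gid=$(lookup "$group" 1 "$grp" 3) ||
      { echo "no group '$grp' in $group" >&2; exit 1; }
  fi
  printf '%s:%s\n' "$uid" "$gid"
)
```

Run on the host, it slots into the command from the answer as `docker exec --user "$(resolve_user_spec db2inst1 /etc/passwd /etc/group)" -ti mydb2 bash --login -c "db2licm -l"`.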


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.