sonic-cli fails with user related issue #13317

Open
ghost opened this issue Jan 10, 2023 · 9 comments
Labels: DELL, Triaged (this issue has been triaged)

Comments

@ghost

ghost commented Jan 10, 2023

sonic-cli invocation fails with the below error:

```
admin@sonic: sonic-cli
sonic# configure terminal
sonic(config)# interface Ethernet 4
Traceback (most recent call last):
  File "/usr/sbin/cli/sonic-cli-if.py", line 167, in <module>
    pipestr().write(sys.argv)
  File "/usr/sbin/cli/scripts/rpipe_utils.py", line 14, in __init__
    pwrec = pwd.getpwuid(os.getuid())
KeyError: 'getpwuid(): uid not found: 1000'
sonic(config)# exit
sonic# exit
admin@sonic: logout
```

=============

The "admin" user is created by default in SONiC, and the same is used to access sonic-cli utilities in the mgmt-framework container. But in the mgmt-framework container the admin user is missing, so this error is seen.

I found that earlier users from SONiC were imported to mgmt-framework also.

In https://github.com/sonic-net/sonic-buildimage/pull/6148/files

```
# symbolic links will be removed when AAA improvements get merged
RUN ln -sf /host_etc/passwd /etc/passwd
```

Later this was removed in
https://github.com/sonic-net/sonic-buildimage/pull/9375/files

My queries are as below:

  1. Does any other pull request handle the user creation in mgmt-framework?
  2. If we create a new user or update the password of an existing user in SONiC, how will it get propagated to the mgmt-framework container?

@neethajohn added the DELL and Triaged labels Jan 18, 2023

@neethajohn
Contributor

@venkatmahalingam, can you please help assign?

@venkatmahalingam
Collaborator

@jeff-yin Do you know the history behind the changes mentioned in this issue?

@jeff-yin
Collaborator

jeff-yin commented Mar 6, 2023

No, unfortunately I'm not familiar with the change mentioned from #9375.
Upon review it looks like this is an unresolved "to do" item from #6148. That was supposed to be resolved by the enhancements to NSS module in #5553 but it never got merged. At this point we should revisit the AAA improvements since Martin is no longer involved in the SONiC project.

In the meantime, @kwangsuk can we pursue an alternative solution?

the debug container is built without /etc being mounted at /host_etc in the container (which does happen at runtime)

Can we do the symlinks at runtime rather than in the dockerfile?

@justindthomas
Contributor

justindthomas commented Sep 20, 2023

I'm a new user of SONiC (I first installed it yesterday) and ran into this today on a Dell N3248TE-ON running the latest build. Is the correct fix to install that symbolic link from /etc/passwd in the management container to /host_etc/passwd? That seems like it would overwrite conflicting information in /etc/passwd.

I got around it by just creating a version of my user in the management container with the same UID as in the host container, but that seems really clunky.

I'm surprised this isn't a noisier issue; being able to run sonic-cli is a pretty core part of the platform, isn't it?

@jeff-yin
Collaborator

jeff-yin commented Sep 25, 2023 via email

@justindthomas
Contributor

justindthomas commented Sep 25, 2023

Thanks for the correction! I've spent quite a bit of time with the system over the last few days. Between the Click commands and editing config_db.json directly, I think I have a better handle on things now.

For user management, I'm planning to experiment with TACACS+ today. That's the last bit that I'm not quite solid on yet.

@fritterhoff

Any update on this issue? Will this ever get fixed? ;)

@kwangsuk
Contributor

The `__init__` of the pipestr class builds a unique file spec for each session to render piped output, which currently concatenates the prefixed token with a uid (or pwname) to avoid collision. But, since the render/pipestr has nothing to do with client authentication, it would be a sufficient fix by replacing

```
self.pipestr = "/tmp/pipestr-{}".format(os.getuid())
```

with

```
self.pipestr = "/tmp/pipestr-" + str(os.getppid())
```
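
The lookup failure from the traceback and the per-session file naming discussed in this comment, as an added example that is not part of the original thread or the SONiC code: the passwd lookup falls back to the numeric uid when the container has no entry, the name also carries the parent pid, and the file is opened owner-only without following a symlink. The names `session_user`, `pipe_spec` and `open_pipe_file`, the combined uid-plus-ppid name and the assumption that the file is opened for writing are hypothetical.

```python
import os
import pwd


def session_user(uid=None, lookup=pwd.getpwuid):
    """Name for uid, or the numeric uid as text when passwd has no entry."""
    uid = os.getuid() if uid is None else uid
    try:
        return lookup(uid).pw_name
    except KeyError:
        # The case from the traceback: uid 1000 exists on the host but not
        # in the container's /etc/passwd, so getpwuid() raises KeyError.
        return str(uid)


def pipe_spec(tmpdir="/tmp", uid=None, ppid=None, lookup=pwd.getpwuid):
    """Per-session file spec: prefix, user token, parent process id."""
    ppid = os.getppid() if ppid is None else ppid
    token = session_user(uid, lookup)
    return os.path.join(tmpdir, "pipestr-{}-{}".format(token, ppid))


def open_pipe_file(path):
    """Open the session file for writing, owner-only, never via a symlink.

    Assumption: the CLI session writes this file. The name is predictable,
    so an existing symlink at that path is refused with OSError.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    return os.fdopen(os.open(path, flags, 0o600), "w")


if __name__ == "__main__":
    def missing(uid):  # constructed stand-in for a passwd file without the uid
        raise KeyError("getpwuid(): uid not found: {}".format(uid))

    print(pipe_spec(uid=1000, ppid=4242, lookup=missing))
```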

@fritterhoff
Copy link

What about mounting the missing file again?
