Reference to configuration properties - uid in docker container

Hi,

is there a complete reference for all nexus OSS configuration properties?

How can I change the uid nexus OSS is running as in a container? (like not 200?)

thank you
best regards
Torsten

You can find the code that generates the nexus3 docker image at "GitHub - sonatype/docker-nexus3: Dockerized version of Nexus Repo Manager 3". I'm not sure how the uid gets set actually, but it's not part of the Nexus Repository itself, but rather a part of how the docker image gets generated. This article seems relevant to your question, but I'm not super-familiar with how all this works: "Understanding how uid and gid work in Docker containers" by Marc Campbell (Medium).

Thank you for your reply, I had a look into it.
I cloned the master branch of

Here the User used (nexus with uid 200) is not set up by docker and its configs.

The uid of the nexus user is set in the chef-solo cookbook which is used to install nexus OSS while building the container.

The chef-solo command used in the Dockerfile of the build fetches a cookbook tarball from github configured as follows:

ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION="release-0.5.20210628-162332.70a6cb6"
ARG NEXUS_REPOSITORY_MANAGER_COOKBOOK_URL="https://github.com/sonatype/chef-nexus-repository-manager/releases/download/${NEXUS_REPOSITORY_MANAGER_COOKBOOK_VERSION}/chef-nexus-repository-manager.tar.gz"

Unpacking this tarball I find a file:

[…]/cookbooks/nexus_repository_manager/recipes/users.rb

In which the UID 200 is hardcoded…

user 'nexus' do
uid '200'
[…]

One may now think let's just change it and feed a custom cookbooks tarball to the chef-solo command in the Dockerfile.

I unpack the /chef-nexus-repository-manager.tar.gz which unpacks to a folder 'cookbooks'.
I change the uid in the mentioned file to my liking.

pack it again
tar czvf cookbooks.tar.gz cookbooks

Add to Container
ADD ./cookbooks.tar.gz /cookbooks.tar.gz

run chef-solo
[…]
&& chef-solo --recipe-url /cookbooks.tar.gz \
--json-attributes /var/chef/solo.json
[…]

this fails with

/opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:1293:in `copy_stream': Is a directory - read (Errno::EISDIR)
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:1293:in `block (2 levels) in copy_file'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:1292:in `open'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:1292:in `block in copy_file'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:1291:in `open'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:1291:in `copy_file'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:432:in `copy_file'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:359:in `block in cp'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:1463:in `block in fu_each_src_dest'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:1479:in `fu_each_src_dest0'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:1461:in `fu_each_src_dest'
from /opt/chef/embedded/lib/ruby/2.5.0/fileutils.rb:358:in `cp'
from /opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.12.9/lib/chef/application/client.rb:547:in `fetch_recipe_tarball'
from /opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.12.9/lib/chef/application/client.rb:350:in `reconfigure'
from /opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.12.9/lib/chef/application.rb:64:in `run'
from /opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.12.9/lib/chef/application/solo.rb:230:in `run'
from /opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.12.9/bin/chef-solo:24:in `<top (required)>'
from /usr/bin/chef-solo:75:in `load'
from /usr/bin/chef-solo:75:in `'

Well. If somebody is familiar with chef-solo and its whereabouts and has an idea how to solve this, I'd be very thankful for any hints.
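
Docker's ADD unpacks a local tar archive into a directory at the destination path, whereas COPY leaves it a regular file, which matches the Errno::EISDIR raised from fetch_recipe_tarball in the trace above. As an added example (not from the thread or the Sonatype build), this check can run in the image before chef-solo to confirm that the path is a regular gzip tarball and that users.rb carries the intended uid; the function name and the in-archive path (derived from the 'cookbooks' folder the post mentions) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a repacked cookbook archive.
# MEMBER assumes the archive unpacks to 'cookbooks/' as described in the post.
MEMBER=cookbooks/nexus_repository_manager/recipes/users.rb

# check_cookbook_archive PATH EXPECTED_UID
# Prints a one-word verdict and returns 0 only for "ok".
check_cookbook_archive() {
    archive=$1
    want_uid=$2
    if [ -d "$archive" ]; then
        # A directory here is what FileUtils.cp reports as Errno::EISDIR.
        echo "directory"; return 1
    fi
    [ -f "$archive" ] || { echo "missing"; return 1; }
    tar -tzf "$archive" >/dev/null 2>&1 || { echo "not-a-gzip-tar"; return 1; }
    # Read the first `uid '<n>'` line of users.rb without unpacking to disk.
    got=$(tar -xzOf "$archive" "$MEMBER" 2>/dev/null |
          sed -n "s/^[[:space:]]*uid[[:space:]]*['\"]\{0,1\}\([0-9][0-9]*\).*/\1/p" |
          head -n 1)
    [ -n "$got" ] || { echo "no-uid-found"; return 1; }
    [ "$got" = "$want_uid" ] || { echo "uid-mismatch:$got"; return 1; }
    echo "ok"
}

# Constructed demo: build a small archive the same way the post does.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cookbooks/nexus_repository_manager/recipes"
    printf "user 'nexus' do\n  uid '1008'\nend\n" > "$tmp/$MEMBER"
    (cd "$tmp" && tar czf cookbooks.tar.gz cookbooks)
    mkdir "$tmp/unpacked.tar.gz"   # stands in for an archive that ADD unpacked
    check_cookbook_archive "$tmp/cookbooks.tar.gz" 1008
    check_cookbook_archive "$tmp/cookbooks.tar.gz" 200
    check_cookbook_archive "$tmp/unpacked.tar.gz" 1008
    rm -rf "$tmp"
}
demo || true
```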

Registered just to help here…even if it is 3 years old. I hate when anyone creates a docker with hard coded uid and gid. The typical pattern I utilize to "fix" this is to build a modified container w/ compose. It's modestly annoying because you have to figure out what files in the container need to be chowned but once you know that, it's easy enough.

docker-compose.yml

version: "3.9"
services:
  nexus:
    image: "custom-nexus3:latest"
    build:
      dockerfile: "nexus3.Dockerfile"
    container_name: nexus
    ports:
      - 8081:8081
    restart: always
    volumes:
      - "/opt/data/nexus/:/nexus-data"
volumes:
    nexus-vol:

nexus3.Dockerfile

FROM sonatype/nexus3:latest

USER root
ENV NEXUS_UID 1008
ENV NEXUS_GID 1008

RUN sed -i -re "s/^(nexus:[^:]):[0-9]*:/\1:$NEXUS_GID:/g" /etc/group
RUN sed -i -re "s/^(nexus:[^:]):[0-9]*:[0-9]*:/\1:$NEXUS_UID:$NEXUS_GID:/g" /etc/passwd

RUN chown -R nexus:nexus /opt/sonatype/sonatype-work

USER nexus

Then just "docker compose build" and "docker compose up -d"

Thank you very much, good ole sed to the rescue! I saved this for later use. At the moment I have a block device with uid 200 mounted.

THOU SHALT NOT HARDCODE

Yea, I use sed because usermod and groupmod aren't always available. Additionally, you could use find for the chown so you don't need to know what files to chown ahead of time but then you have to figure out what the original ids are first. This is untested but should do the thing.

FROM sonatype/nexus3:latest

USER root
ENV NEXUS_UID 1008
ENV NEXUS_GID 1008

RUN echo "export OLD_NEXUS_UID=`id -u nexus`" >> /envfile
RUN echo "export OLD_NEXUS_GID=`id -g nexus`" >> /envfile

RUN sed -i -re "s/^(nexus:[^:]):[0-9]*:/\1:$NEXUS_GID:/g" /etc/group
RUN sed -i -re "s/^(nexus:[^:]):[0-9]*:[0-9]*:/\1:$NEXUS_UID:$NEXUS_GID:/g" /etc/passwd

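# -xdev keeps find on the image's root filesystem, so /proc, /sys and other mounts are skipped
RUN . /envfile; find / -xdev -user $OLD_NEXUS_UID -exec chown -h nexus {} \;
RUN . /envfile; find / -xdev -group $OLD_NEXUS_GID -exec chgrp -h nexus {} \;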

USER nexus
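
The sed patterns above match only a one-character password field and do not check whether the new ID is already taken. As an added example (not from the thread or the Sonatype image), the function below does the same remap field by field with awk, refuses an ID already assigned to another account or group, and prints the old numeric IDs for a later `find -uid`/`-gid` pass; the sample files and the `remap_ids` name are constructed for illustration.

```shell
#!/bin/sh
# Added example: field-wise UID/GID remap on passwd/group files under ROOT.
# remap_ids ROOT USER NEW_UID NEW_GID
# Prints "old=<uid>:<gid>" on success so the caller can re-own files by number.
remap_ids() {
    root=$1; user=$2; new_uid=$3; new_gid=$4
    passwd=$root/etc/passwd
    group=$root/etc/group
    old=$(awk -F: -v u="$user" '$1 == u {print $3 ":" $4}' "$passwd")
    [ -n "$old" ] || { echo "no-such-user"; return 1; }
    # Refuse an ID already held by another account or group: sharing it
    # would give that account ownership of every re-owned file.
    clash=$(awk -F: -v u="$user" -v id="$new_uid" '$1 != u && $3 == id {print $1}' "$passwd")
    [ -z "$clash" ] || { echo "uid-in-use:$clash"; return 1; }
    clash=$(awk -F: -v u="$user" -v id="$new_gid" '$1 != u && $3 == id {print $1}' "$group")
    [ -z "$clash" ] || { echo "gid-in-use:$clash"; return 1; }
    # Rewrite by field, so the password field may be "x", "!!" or empty.
    awk -F: -v OFS=: -v u="$user" -v id="$new_uid" -v g="$new_gid" \
        '$1 == u {$3 = id; $4 = g} {print}' "$passwd" > "$passwd.tmp"
    cat "$passwd.tmp" > "$passwd" && rm -f "$passwd.tmp"
    awk -F: -v OFS=: -v u="$user" -v g="$new_gid" \
        '$1 == u {$3 = g} {print}' "$group" > "$group.tmp"
    cat "$group.tmp" > "$group" && rm -f "$group.tmp"
    echo "old=$old"
}

# Constructed sample files (not taken from the real image).
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'backup:x:1008:1008::/home/backup:/sbin/nologin' \
        'nexus:!!:200:200:Nexus:/opt/sonatype/nexus:/bin/false' > "$r/etc/passwd"
    printf '%s\n' 'root:x:0:' 'backup:x:1008:' 'nexus:!!:200:' > "$r/etc/group"
    echo "$r"
}

demo() {
    r=$(make_sample_root)
    remap_ids "$r" nexus 1008 1008     # refused: 1008 belongs to "backup"
    remap_ids "$r" nexus 1500 1500     # prints old=200:200
    grep '^nexus:' "$r/etc/passwd" "$r/etc/group"
    rm -rf "$r"
}
demo || true
```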