Can't run OPA container without --uid 0

[anderseknert]

I'm not sure whether this is an issue or expected behavior, so I'm raising it here first. Trying to run an OPA container fails unless --uid 0 is passed. The Dockerfile of that project sets the default uid/gid to 1000:1000. Running this with Docker or Podman works without issues, while container run doesn't handle this:

> run openpolicyagent/opa:1.8.0-static version
Error: internalError: "failed to start container" (cause: "internalError: "failed to start process (cause: "internal error (13): create managed process: internalError: "Cannot find User '1000' in passwd file."")"")

Only running with --uid 0 has the container run successfully.

I have tried and failed to find any documentation on whether this is expected or not. In case this is by design, it would be great if there were some docs explaining this, and whether there is a way to run containers with uid > 0.

(and apologies if there are docs on this that I just couldn't find)

[dcantah]

It's a logical bug on our end. We treat the uid not existing in /etc/passwd as an error.

[anderseknert]

Thanks @dcantah 👍 I can create an issue of this if you want, or if the option to convert this discussion to one is available, feel free to do so.

[jglogan]

@dcantah related to #478?

[dcantah]

Possibly. I made apple/containerization#278. Will look tomorrow

[dcantah]

This hopefully should do the trick apple/containerization#279