starting container process caused: setup user: unable to find <user>: bufio.Scanner: token too long: unknown.

[erict-square]

Problem

I'm running into the following problem when I run docker run --network=host --hostname=<hostname> --user <user> -v /etc/group:/etc/group:ro <image>.

docker: Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: setup user: unable to find groups for spec <user>: bufio.Scanner: token too long: unknown.

My current finding shows me that this error is only thrown if a line in /etc/group exceeds 65536 characters.

Diagnosis

I'm not familiar with runc code or golang, but i tried my best to find what's going on. I was able to find where this error message is thrown unable to find groups for spec in

runc/libcontainer/user/user.go

Line 359 in 48d76ad

return nil, fmt.Errorf("unable to find groups for spec %v: %v", matchedUserName, err)

And from there, I find that the error likely came from running ParseGroupFilter function in

runc/libcontainer/user/user.go

Line 339 in 48d76ad

groups, err := ParseGroupFilter(group, func(g Group) bool {

Reading ParseGroupFilter function,

runc/libcontainer/user/user.go

Lines 178 to 211 in 48d76ad

	func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
	if r == nil {
	return nil, fmt.Errorf("nil source for group-formatted data")
	}
	var (
	s = bufio.NewScanner(r)
	out = []Group{}
	)
	for s.Scan() {
	text := s.Text()
	if text == "" {
	continue
	}
	// see: man 5 group
	// group_name:password:GID:user_list
	// Name:Pass:Gid:List
	// root:x:0:root
	// adm:x:4:root,adm,daemon
	p := Group{}
	parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List)
	if filter == nil || filter(p) {
	out = append(out, p)
	}
	}
	if err := s.Err(); err != nil {
	return nil, err
	}
	return out, nil
	}

, I suspect that we're hitting a token limit in bufio.NewScanner (which happens to be 65536 according to https://golang.org/pkg/bufio/#pkg-constants). This is likely given that another project sirupsen/logrus#564 has hit a similar issue as well.

1.0 backport: #3079

[kolyshkin]

There was a same bug in golang stdlib os/user (golang/go#43636), which was fixed by golang/go#43636.

I was looking at this bug and ended up implementing GroupIds for non-cgo/osusergo case in upstream (see https://go-review.googlesource.com/c/go/+/330753). Unfortunately it's a feature freeze for golang now, but once my changes will be merged, my plan is to

• use stdlib as much as possible;
• for GroupIds, copy the implementation, conditionally using it, depending on the go version, so that eventually we can get rid of the copy;
• maybe eventually we can remove our user package entirely.

I will start working on it next week. It's a big job though.

Before that, though, let me try to cook a short fix that we can backport.

[erict-square]

@kolyshkin Thanks for the update and taking on this work! I'm really thrilled!

[kolyshkin]

Here's a quick and dirty fix: #3062