Dockerfile should ensure directories are writable by root group (gid=0) #2632

tbieste · 2021-07-22T15:49:30Z

Describe the bug
The docker files for ibm-fhir-server and ibm-fhir-schema-tool should ensure any directories that need to be written to are writable by root group (gid=0), to allow the container to be run as any UID that has a GID=0.

Environment
IBM FHIR Server 4.8.3

To Reproduce
Steps to reproduce the behavior:

Run container as UID that is not root or UID 1001, but does have GID=0.
Current error from schema-tool container:
/opt/schematool/run.sh: line 104: /opt/schematool/workarea/persistence.json: Permission denied
Current error from fhir-server container:
cp: cannot create regular file '/config/configDropins/overrides/myfile.xml': Permission denied

Expected behavior
Should not get permission denied errors.

#2632 Signed-off-by: Paul Bastide <pbastide@us.ibm.com>

Dockerfile should ensure directories are writable by root group (gid=0) #2632

tbieste · 2021-07-28T15:49:07Z

During QA, tried this out and now get a different permission denied error:

run.sh - [INFO]: 2021-07-28_15:45:55 - creating the schema

/opt/java/openjdk/bin/java -jar /opt/schematool/fhir-persistence-schema-4.9.0-SNAPSHOT-cli.jar ...

tee out.log
tee: out.log: Permission denied
Jul 28, 2021 3:45:57 PM com.ibm.fhir.schema.app.Main main
SEVERE: schema tool failed
java.lang.IllegalStateException: Error while initializing log output file.
at com.ibm.fhir.database.utils.common.LogFormatter.init(LogFormatter.java:92)
at com.ibm.fhir.schema.app.util.CommonUtil.configureLogger(CommonUtil.java:185)
at com.ibm.fhir.schema.app.util.CommonUtil.configureLogger(CommonUtil.java:157)
at com.ibm.fhir.schema.app.Main.main(Main.java:2193)
Caused by: java.nio.file.AccessDeniedException: ./fhirschema.log.lck
at java.base/sun.nio.fs.UnixException.translateToIOException(Unknown Source)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(Unknown Source)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(Unknown Source)
at java.base/sun.nio.fs.UnixFileSystemProvider.newFileChannel(Unknown Source)
at java.base/java.nio.channels.FileChannel.open(Unknown Source)
at java.base/java.nio.channels.FileChannel.open(Unknown Source)
at java.logging/java.util.logging.FileHandler.openFiles(Unknown Source)
at java.logging/java.util.logging.FileHandler.(Unknown Source)
at com.ibm.fhir.database.utils.common.LogFormatter.init(LogFormatter.java:88)
... 3 more

Jul 28, 2021 3:45:57 PM com.ibm.fhir.schema.app.Main logStatusMessage
SEVERE: SCHEMA CHANGE: RUNTIME ERROR

tbieste · 2021-07-29T14:09:50Z

I tried this out again with the updated PR, and did not get the errors. Marking as closed.

tbieste added bug Something isn't working cp P1 Priority 1 - Must Have labels Jul 22, 2021

tbieste added this to the Sprint 2021-10 milestone Jul 22, 2021

prb112 self-assigned this Jul 22, 2021

prb112 added a commit that referenced this issue Jul 27, 2021

Dockerfile should ensure directories are writable by root group (gid=0)

f962de9

#2632 Signed-off-by: Paul Bastide <pbastide@us.ibm.com>

prb112 added a commit that referenced this issue Jul 27, 2021

Merge pull request #2643 from IBM/vacuum-settings

8d1b682

Dockerfile should ensure directories are writable by root group (gid=0) #2632

tbieste closed this as completed Jul 29, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dockerfile should ensure directories are writable by root group (gid=0) #2632

Dockerfile should ensure directories are writable by root group (gid=0) #2632

tbieste commented Jul 22, 2021 •

edited

Loading

tbieste commented Jul 28, 2021

tbieste commented Jul 29, 2021

Dockerfile should ensure directories are writable by root group (gid=0) #2632

Dockerfile should ensure directories are writable by root group (gid=0) #2632

Comments

tbieste commented Jul 22, 2021 • edited Loading

tbieste commented Jul 28, 2021

tbieste commented Jul 29, 2021

tbieste commented Jul 22, 2021 •

edited

Loading