Running as app user causes permission error loading /etc/container_environment #250
Comments
Ah! I think the reason it needs to run as root may be nginx. https://stackoverflow.com/questions/42329261/running-nginx-as-non-root-user Or rather, the fact that it needs to start on port 80.
Can you try changing the permissions on
The port thing can be handled by changing the nginx config to listen on another port, and then setting a port redirection in docker itself.
Unfortunately this doesn't work for the Ruby application because of this annoying line in the Rack URLMap code: https://github.com/rack/rack/blob/master/lib/rack/urlmap.rb#L57 Because simply mapping the port from the outside world to the inside world doesn't actually rewrite the request, the rack code thinks that the port doesn't match, because the port it's addressed to doesn't match the port it's come in on (as far as I can remember from my last investigation when I attempted to do this myself).
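The Rack URLMap port mismatch described in the comment above, as an added example (this is not code from the thread, from passenger-docker, or from Rack itself): a stripped-down Ruby model of the host check that Rack::URLMap#call performs before dispatching to a mapped app, fed constructed env hashes for a direct request and for Docker port-redirected requests. The env values (Host header, SERVER_NAME, SERVER_PORT) are assumptions about what nginx hands the app for each `docker run -p` mapping; the function and constant names are the example's own.

```ruby
# Added example: models the host/port comparison in Rack::URLMap#call.
# Not the Rack source; it reproduces the comparison so the effect of
# Docker port redirection on the request can be observed offline.

# Rack's nil-tolerant, case-insensitive equality: two nils compare equal.
def casecmp?(v1, v2)
  return true if v1 == v2
  return false if v1.nil? || v2.nil?
  v1.casecmp(v2).zero?
end

# True when a mapping registered for +host+ (nil for a plain `map "/"`)
# accepts the request described by +env+. When every mapping says no,
# Rack::URLMap falls through to its own 404 "Not Found" response.
def urlmap_host_matches?(env, host = nil)
  http_host   = env["HTTP_HOST"]
  server_name = env["SERVER_NAME"]
  server_port = env["SERVER_PORT"]

  # The request counts as "for this server" only if the Host header equals
  # SERVER_NAME exactly or equals "SERVER_NAME:SERVER_PORT".
  is_same_server = casecmp?(http_host, server_name) ||
                   casecmp?(http_host, "#{server_name}:#{server_port}")

  casecmp?(http_host, host) ||
    casecmp?(server_name, host) ||
    (!host && is_same_server)
end

# Constructed env: +http_host+ is what the client sent in the Host header,
# +server_port+ is the port nginx inside the container actually listened on
# (assumption: nginx passes its own listen port through as SERVER_PORT).
def make_env(http_host, server_port)
  {
    "HTTP_HOST"   => http_host,
    "SERVER_NAME" => "localhost",
    "SERVER_PORT" => server_port,
    "PATH_INFO"   => "/",
  }
end

# Constructed scenarios, keyed by the docker -p mapping (host -> container).
# Docker only forwards packets; the Host header is never rewritten.
CASES = {
  # -p 80:80: browser omits the default port, nginx listens on 80.
  "80 -> 80"     => make_env("localhost", "80"),
  # -p 8080:80: browser says localhost:8080, nginx still reports 80.
  "8080 -> 80"   => make_env("localhost:8080", "80"),
  # -p 80:8080: browser omits the port, nginx listens on 8080.
  "80 -> 8080"   => make_env("localhost", "8080"),
  # -p 8080:8080: both sides agree again.
  "8080 -> 8080" => make_env("localhost:8080", "8080"),
}.freeze

# Evaluate the default "/" mapping (host = nil) against every scenario.
def matches_by_mapping
  CASES.transform_values { |env| urlmap_host_matches?(env) }
end

if __FILE__ == $0
  matches_by_mapping.each do |mapping, ok|
    puts format("%-14s %s", mapping, ok ? "dispatched" : "404 Not Found: /")
  end
end
```

Only the `8080 -> 80` mapping fails: the client's Host header carries an explicit port (8080) that differs from the port nginx reports (80), so neither branch of the same-server check holds and URLMap answers 404 instead of calling the app. The check passes when the Host header omits the port (the default port 80 on the host side) or when the host and container ports are the same, which is why a port redirection can appear to work in one direction and not the other.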
Having said that, I've failed to reproduce the issue in my demo app bethesque/passenger-run-as-app@9448ca0, so I'll see if I can reproduce it in the full application.
Looking into the issue, as to why we can't run as a non-root user. It appears to be with phusion-baseimage, which passenger-docker is built upon, and the /sbin/my_init script that is called. phusion/baseimage-docker#264 (comment) They mention two things to get this to work:
Change perms on /etc/container_environment
A working example taken from @bethesque's example app, replicating the issue. Running as a non-root user means you lose cron / syslog / logrotate. Here is another issue with running as non-root on the Heroku platform.
Closing issue. We ended up going with puma on an alpine ruby base image for a couple of reasons: 1. the size of the image, and 2. running the application without root permissions is required for a lot of managed docker deployment tools, and this was easier with puma. The fact that the docker cluster management tools are responsible for maintaining the HA environment means that it's not as important to us to have processes inside the container to reboot processes when they go down. Thanks again for your work on this however.
Thank you everyone for your work on the passenger docker image for Ruby apps.
We are having problems running the docker image as the app user as per the instructions here: https://github.com/phusion/passenger-docker#the-app-user
Steps to replicate:
Expected behaviour:
The docker container should start up and run the_app on port 80.
Actual behaviour:
The container does not start up and the following error is shown:
The container starts correctly if the USER app line is removed. Unfortunately, there are some organizations where the security policy does not allow docker images to run as root, so we are very interested in finding a solution to this. I have some vague memory of seeing an issue indicating that the issue was with passenger itself, and needing root permissions to manage certain processes, but I cannot find it now.
Related issue: DiUS/pact_broker-docker#81