Permission problem with application user set in docker-compose.yml (webdevops/php-nginx-dev)

[akos-vomo]

Hi,

I'm using the image webdevops/php-nginx-dev:7.1 and I've set the user in my docker compose file to application. When building it for the first time, it's OK, but when I stop the container, and start it again, it exits with the following error:

error: failed switching to "root": operation not permitted

Here is my config:

version: '2'
services:
  php:
    image: webdevops/php-nginx-dev:7.1
    user: "application"
    volumes:
      - .:/app
    working_dir: /app
    environment:
      - WEB_DOCUMENT_ROOT=/app/public
      - XDEBUG_REMOTE_AUTOSTART=On
      - XDEBUG_PROFILER_ENABLE=On
      - XDEBUG_REMOTE_HOST=192.168.0.145
      - XDEBUG_REMOTE_PORT=9001
      - PHP_DEBUGGER=xdebug
    ports:
      - "80:80"
      - "443:443"
      - "9000:9000"
# ...

The issue is similar to #219.

Do you have any suggestions? (Removing the user from the compose file, and supplying -u parameter to exec is not an option.)

Thank you.

[coding46]

Maybe it's related to #213

[PanadeEdu]

I tryed the described behaviour and found it reproducible.
I tested it with a wide variety of php and other images. Always the same outcome.

After looking into the issue and the 2 referenced tickets I am not quite sure how this works to be honest. I know that gosu is there to prevent permission elevation after the entry point. However it seems to interfere with this usecase. However adding the suid would defeat the point as far as I have understood it.

I need someone more familar with this topic here.
cc @mblaschke

[kaluzki]

This error is already reproducible with the base image:

$ docker run --name bug226 --user 1000 webdevops/base
-> Executing /opt/docker/provision/entrypoint.d/05-permissions.sh
-> Executing /opt/docker/bin/service.d/supervisor.d//10-init.sh
2018-07-28 22:41:18,249 CRIT Set uid to user 0
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/cron.conf" during parsing
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/dnsmasq.conf" during parsing
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/postfix.conf" during parsing
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/ssh.conf" during parsing
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/syslog.conf" during parsing
2018-07-28 22:41:18,254 INFO RPC interface 'supervisor' initialized
2018-07-28 22:41:18,254 INFO supervisord started with pid 1
^C2018-07-28 22:41:55,868 WARN received SIGINT indicating exit request

$ docker start bug226
bug226
$ docker logs bug226

...

error: failed switching to "root": operation not permitted

$ docker rm bug226
bug226

[htuscher]

I'm not sure why the line chmod -s /sbin/gosu exists, but removing it seems to fix the issue.

Btw. testing with webdevops/base doesn't make much sense, as the uid 1000 is only present in webdevops/base-app or higher.

[kaluzki]

Removing suid bit from gosu was implemented in #155 and the comment #155 (comment) describes WHY.

With this solution it's IMO not possible to use docker run --user flag, at least not for those containers, you want to restart later.

Setting docker run -e CONTAINER_UID=1000 looks like a workaround, which seems to be used only by php-fpm and hhvm images.

[kaluzki]

$ git clone git@gist.github.com:fba81b955ed4a3a3cb1f38710c3eb8af.git .
$ docker run --rm -d -e WEB_DOCUMENT_ROOT=/app -v $(pwd):/app -w /app -p 81:80 webdevops/php-nginx-dev
$ docker build -t webdevops/php-nginx-dev:gosu-with-suid .
$ docker run --rm -d -e WEB_DOCUMENT_ROOT=/app -v $(pwd):/app -w /app -p 82:80 webdevops/php-nginx-dev:gosu-with-suid

gosu without suid (webdevops/php-nginx-dev)

gosu with remaining suid (webdevops/php-nginx-dev:gosu-with-suid)

[htuscher]

OK, so basically we need to find a way to make privilege escalation only possible once during the entrypoint but on every start.

I currently have no idea how to achieve that, but I will investigate.

[pgab]

One solution which worked for me was setting

    environment:
      CONTAINER_UID: 33

In my case 33 maps to www-data.
This produces the following output:

array(5) { 
    ["getmyuid"]=> int(0)
    ["getmygid"]=> int(0)
    ["getmypid"]=> int(271)
    ["shell_exec('cat /etc/shadow')"]=> NULL
    ["shell_exec('gosu root cat /etc/shadow')"]=> NULL 
}

and also logging:

php-fpm_1   | [30-Apr-2019 09:31:25] WARNING: [pool www] child 271 said into stderr: "cat: /etc/shadow"
php-fpm_1   | [30-Apr-2019 09:31:25] WARNING: [pool www] child 271 said into stderr: ": Permission denied"
php-fpm_1   | [30-Apr-2019 09:31:25] WARNING: [pool www] child 271 said into stderr: "error: failed switching to "root": operation not permitted"

Furthermore it allows to restart the container without any issues.

[MajPay]

So... We can not use this image and configure another user than root? This is not very convenient in development because i mount my project root into the container and use composer and so on via docker. So every file, that is generated inside the container will be owned by root on my local machine. That makes a lot of tasks harder...

[kaluzki]

So... We can not use this image and configure another user than root? This is not very convenient in development because i mount my project root into the container and use composer and so on via docker. So every file, that is generated inside the container will be owned by root on my local machine. That makes a lot of tasks harder...

for development you can simply comment out the line https://github.com/webdevops/Dockerfile/blob/master/docker/base/debian-9/conf/bin/entrypoint.sh#L18

imo it would be nice this were the default behaviour for all webdevops/*-dev images

[htuscher]

Feel free to create a ticket or a PR and I'll take a look (probably in January)

[MajPay]

So... We can not use this image and configure another user than root? This is not very convenient in development because i mount my project root into the container and use composer and so on via docker. So every file, that is generated inside the container will be owned by root on my local machine. That makes a lot of tasks harder...

for development you can simply comment out the line https://github.com/webdevops/Dockerfile/blob/master/docker/base/debian-9/conf/bin/entrypoint.sh#L18

imo it would be nice this were the default behaviour for all webdevops/*-dev images

Sorry, i am still new to docker. That means i need to clone the repo, make the change, build it and host it in my own docker hub?

All i do at the moment is:

FROM webdevops/php-nginx-dev:7.3
COPY ./ /app
ENV LANG de_AT.UTF-8
ENV LC_ALL de_AT.UTF-8
COPY docker/app/etc/php/php.Development.ini /opt/docker/etc/php/php.ini
COPY docker/app/etc/nginx/main.Development.conf /opt/docker/etc/nginx/conf.f/99-main.conf
COPY docker/app/etc/nginx/vhost.Development.conf /opt/docker/etc/nginx/vhost.conf
WORKDIR /app/
EXPOSE 80

I know this is not the right place but that information could help some people besides myself to solve the issue.

[kaluzki]

@MajPay:

i wouldn't clone this repo for this purpose. just copy your version of entrypoint.sh to /opt/docker/bin

e.g.

COPY docker/bin/entrypoint.sh /opt/docker/bin/entrypoint.sh

i do it this way:
https://github.com/kaluzki/docker-xampp/tree/master/src

[MajPay]

@MajPay:

i wouldn't clone this repo for this purpose. just copy your version of entrypoint.sh to /opt/docker/bin

e.g.

COPY docker/bin/entrypoint.sh /opt/docker/bin/entrypoint.sh

i do it this way:
https://github.com/kaluzki/docker-xampp/tree/master/src

Thank you, that worked out for me!

For others having the same issue:
dont forget to set the bitmask of your patched entrypoint.sh correctly. Just do a chmod +x on the file and everything will work as it should.

[kaluzki]

@hhoechtl

Feel free to create a ticket or a PR and I'll take a look (probably in January)

#333

with a teardown phase there is no need to make a special handling for webdevops/*-dev images anymore

[htuscher]

Should be resolved with #333