New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permission problem with application user set in docker-compose.yml (webdevops/php-nginx-dev) #226
Comments
Maybe it's related to #213 |
I tryed the described behaviour and found it reproducible. After looking into the issue and the 2 referenced tickets I am not quite sure how this works to be honest. I know that gosu is there to prevent permission elevation after the entry point. However it seems to interfere with this usecase. However adding the suid would defeat the point as far as I have understood it. I need someone more familar with this topic here. |
This error is already reproducible with the base image: $ docker run --name bug226 --user 1000 webdevops/base
-> Executing /opt/docker/provision/entrypoint.d/05-permissions.sh
-> Executing /opt/docker/bin/service.d/supervisor.d//10-init.sh
2018-07-28 22:41:18,249 CRIT Set uid to user 0
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/cron.conf" during parsing
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/dnsmasq.conf" during parsing
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/postfix.conf" during parsing
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/ssh.conf" during parsing
2018-07-28 22:41:18,249 WARN Included extra file "/opt/docker/etc/supervisor.d/syslog.conf" during parsing
2018-07-28 22:41:18,254 INFO RPC interface 'supervisor' initialized
2018-07-28 22:41:18,254 INFO supervisord started with pid 1
^C2018-07-28 22:41:55,868 WARN received SIGINT indicating exit request
$ docker start bug226
bug226
$ docker logs bug226
...
error: failed switching to "root": operation not permitted
$ docker rm bug226
bug226 |
I'm not sure why the line Btw. testing with |
Removing suid bit from gosu was implemented in #155 and the comment #155 (comment) describes WHY. With this solution it's IMO not possible to use Setting |
$ git clone git@gist.github.com:fba81b955ed4a3a3cb1f38710c3eb8af.git .
$ docker run --rm -d -e WEB_DOCUMENT_ROOT=/app -v $(pwd):/app -w /app -p 81:80 webdevops/php-nginx-dev
$ docker build -t webdevops/php-nginx-dev:gosu-with-suid .
$ docker run --rm -d -e WEB_DOCUMENT_ROOT=/app -v $(pwd):/app -w /app -p 82:80 webdevops/php-nginx-dev:gosu-with-suid gosu without suid (webdevops/php-nginx-dev)gosu with remaining suid (webdevops/php-nginx-dev:gosu-with-suid) |
OK, so basically we need to find a way to make privilege escalation only possible once during the entrypoint but on every start. I currently have no idea how to achieve that, but I will investigate. |
One solution which worked for me was setting
In my case 33 maps to
and also logging:
Furthermore it allows to restart the container without any issues. |
So... We can not use this image and configure another user than root? This is not very convenient in development because i mount my project root into the container and use composer and so on via docker. So every file, that is generated inside the container will be owned by root on my local machine. That makes a lot of tasks harder... |
for development you can simply comment out the line https://github.com/webdevops/Dockerfile/blob/master/docker/base/debian-9/conf/bin/entrypoint.sh#L18 imo it would be nice this were the default behaviour for all |
Feel free to create a ticket or a PR and I'll take a look (probably in January) |
Sorry, i am still new to docker. That means i need to clone the repo, make the change, build it and host it in my own docker hub? All i do at the moment is: FROM webdevops/php-nginx-dev:7.3
COPY ./ /app
ENV LANG de_AT.UTF-8
ENV LC_ALL de_AT.UTF-8
COPY docker/app/etc/php/php.Development.ini /opt/docker/etc/php/php.ini
COPY docker/app/etc/nginx/main.Development.conf /opt/docker/etc/nginx/conf.f/99-main.conf
COPY docker/app/etc/nginx/vhost.Development.conf /opt/docker/etc/nginx/vhost.conf
WORKDIR /app/
EXPOSE 80 I know this is not the right place but that information could help some people besides myself to solve the issue. |
i wouldn't clone this repo for this purpose. just copy your version of e.g.
i do it this way: |
Thank you, that worked out for me! For others having the same issue: |
make provision
make provision
make provision
make provision
@hhoechtl
with a teardown phase there is no need to make a special handling for |
Should be resolved with #333 |
* restore gosu suid bit when container stops related to: * [webdevops#226] * [webdevops#366]
Hi,
I'm using the image
webdevops/php-nginx-dev:7.1
and I've set the user in my docker compose file toapplication
. When building it for the first time, it's OK, but when I stop the container, and start it again, it exits with the following error:error: failed switching to "root": operation not permitted
Here is my config:
The issue is similar to #219.
Do you have any suggestions? (Removing the user from the compose file, and supplying
-u
parameter toexec
is not an option.)Thank you.
The text was updated successfully, but these errors were encountered: