
Upgrade from 7.0.3 to 7.0.4+ deno Permission denied (os error 13) #34982

Open

reetp opened this issue Jan 21, 2025 · 3 comments
Labels
Tasked Added to the internal issue tracking

Comments


reetp commented Jan 21, 2025

On trying to upgrade 2 separate 7.0.3 docker based instances from 7.0.3 to 7.0.4 I get errors as per the attached logs.

I have tried 7.1.x and 7.2.x with similar results. As a result I am now stuck at 7.0.3.

I did wonder if this was somehow related to the permissions.

#34162

My docker runs as

[root@host configs]# grep docker /etc/group
docker:x:390:

[root@host configs]# grep docker /etc/passwd
docker:x:392:390:Docker User:/var/lib/docker:/sbin/nologin

Log errors - this instance ONLY has the Jitsi app.

Subprocess stderr Download https://jsr.io/@std/cli/1.0.9_meta.json

Subprocess stderr error: Permission denied (os error 13) (for '/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps-engine/.deno-cache/deps/https/jsr.io/c29b640a904c999165944cb8fa91773b04e6aababb971a93737582c5ecdb16a3')
    at file:///app/bundle/programs/server/npm/node_modules/@rocket.chat/apps-engine/deno-runtime/lib/parseArgs.ts:1:41
Error while compiling the App "Jitsi (3b387ba9-f57c-44c6-9810-8c0256abd64c)":
Error: [3b387ba9-f57c-44c6-9810-8c0256abd64c] Timeout: app process not ready
    at Timeout._onTimeout (/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps-engine/src/server/runtime/deno/AppsEngineDenoRuntime.ts:346:24)
    at listOnTimeout (node:internal/timers:581:17)
    at processTimers (node:internal/timers:519:7)
{"level":30,"time":"2025-01-20T23:56:03.295Z","pid":1,"hostname":"myhost.myserver.com","name":"Rocket.Chat Apps","msg":"Loaded the Apps Framework and loaded a total of 0 Apps!"}
Subprocess stderr Download https://jsr.io/@std/cli/1.0.9_meta.json

Subprocess stderr error: Permission denied (os error 13) (for '/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps-engine/.deno-cache/deps/https/jsr.io/c29b640a904c999165944cb8fa91773b04e6aababb971a93737582c5ecdb16a3')
    at file:///app/bundle/programs/server/npm/node_modules/@rocket.chat/apps-engine/deno-runtime/lib/parseArgs.ts:1:41

Server Setup Information:

  • Version of Rocket.Chat Server: 7.0.3
  • License Type: Starter + EE
  • Number of Users: 6-99
  • Operating System: CentOS 7 (can't upgrade for a few more months....)
  • Deployment Method: docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: enabled
  • NodeJS Version: As per docker
  • MongoDB Version: 7.0.x

Logs
RocketBug-7.0.4.txt


reetp commented Jan 21, 2025

As a follow up.

The above two instances are on a single Prox server, each in their own VM using the same CentOS based system. The setup is almost identical except for the domain names.

I have a 3rd instance on the same CentOS OS with identical setup, but hosted on a Vultr instance. It also has the Jitsi app installed and I have upgraded it to 7.2.1 without any issues.

All instances run a local Mongo DB - not a Docker version.


reetp commented Jan 22, 2025

So I think I have tracked this down.

The clue was in this comment from Debdut.

#34840 (comment)

For now though, we do have 34162 this going, which will enable non-root runtime, but any uid setting other than 65533 will still be broken.

When I checked the VM that had upgraded successfully I found that it had no docker user settings in the compose file, whereas the older VMs did, like this (this runs docker as a user other than root, in this case 'docker'):

user: 393:391

Those had corresponding settings in the /etc/passwd and /etc/group files.

On the newer VM these were not there.

From looking at the files in the file store I could see that on the old VMs the files were owned by 'docker' but on the new VMs by 'root'.

Once I removed the compose 'user' entry and changed the perms on the /opt/upload dir it seemed to start without errors, BUT the container now runs as root.....


reetp commented Jan 22, 2025

As a test I added a rocketchat user and group something like this:

groupadd -g 65533 rocketchat
useradd -s /sbin/nologin -u 65533 -d /dev/null -g rocketchat rocketchat
usermod -a -G rocketchat rocketchat

I then added the user: line in the compose file:

- user: rocketchat:rocketchat

docker-compose up -d rocketchat

Error:

ERROR: for c73eab9eae99_rocketchat Cannot start service rocketchat: unable to find user rocketchat: no matching entries in passwd file

Then set this:

- user: 65533:65533

docker-compose up -d rocketchat

Error:

error on boot.js Error: EACCES: permission denied, open '/app/bundle/programs/server/npm/node_modules/meteor/webapp/node_modules/useragent-ng/lib/regexps.js'

So I can no longer run a container other than as root. Not great security then.

This definitely changed after 7.0.3.
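The two comments above describe the same failure from both sides: a compose `user:` entry (first `393:391`, later `65533:65533`) that does not match the owner of the files the process needs, which the kernel reports as `Permission denied (os error 13)` / `EACCES`. The script below is an added diagnostic, not part of the issue or of Rocket.Chat: it reproduces the kernel's owner/group/other read check for a given uid:gid and walks a directory reporting every regular file that uid:gid could not read. Run it against a bind-mounted volume such as the `/opt/upload` dir mentioned above, or inside the container against `/app/bundle`, before changing `user:` in the compose file. The helper names `can_read` and `find_unreadable` are assumptions, and the walker relies on GNU `stat -c`, which is present on CentOS and in Debian-based images.

```shell
#!/bin/sh
# Added example (not from the issue): predict whether a given uid:gid can read a
# file from its owner, group and mode, the same test the kernel makes before it
# answers EACCES. Supplementary groups are ignored, which matches a container
# started with a bare `user: UID:GID` (it receives no extra groups).
can_read() {
  uid=$1; gid=$2; fuid=$3; fgid=$4; mode=$5
  # root bypasses discretionary access checks on regular files
  [ "$uid" -eq 0 ] && return 0
  # Linux picks exactly one class: owner, else group, else other; it never
  # falls through to a more permissive class
  if [ "$uid" -eq "$fuid" ]; then
    bits=$(( (0$mode >> 6) & 7 ))
  elif [ "$gid" -eq "$fgid" ]; then
    bits=$(( (0$mode >> 3) & 7 ))
  else
    bits=$(( 0$mode & 7 ))
  fi
  # read permission is the 4 bit of the selected class
  [ $(( bits & 4 )) -ne 0 ]
}

# Walk a directory and print every regular file the container user could not
# read. `stat -c '%u %g %a %n'` (GNU coreutils) yields "uid gid mode path".
find_unreadable() {
  uid=$1; gid=$2; dir=$3
  find "$dir" -type f -exec stat -c '%u %g %a %n' {} + |
  while read -r fuid fgid mode name; do
    can_read "$uid" "$gid" "$fuid" "$fgid" "$mode" || printf '%s\n' "$name"
  done
}

# Usage example with the uid:gid tried in the comment above (path assumed):
# find_unreadable 65533 65533 /opt/upload
```

An empty result means the chosen `user:` can read everything under that tree; any path printed is a file the container would fail on, and the fix is to `chown` it to the intended uid:gid (or widen its mode) rather than to fall back to running the container as root.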

@reetp reetp added the Tasked Added to the internal issue tracking label Jan 22, 2025