Adding support for non-root containers #1584
Conversation
…gacy command s6-setuidgid
…ons to dockerfile
…rfile due to permission changes
…ripts to use noroot
…ripts to use noroot
1447 non root
|
Thanks for getting this started! |
| @@ -215,7 +215,7 @@ http_interfaces = { "*", "::" } | |||
| http_interfaces = { "*" } | |||
| {{ end }} | |||
|
|
|||
| data_path = "/config/data" | |||
| data_path = "/config/noroot_data" | |||
There was a problem hiding this comment.
Don't do this please. It will break existing installations for no good reason.
There was a problem hiding this comment.
this is the only way I could get over permission issues while generating TLS certificates by prosody to /config/data.
it appears to me that something sets the permission of /config/data to root no matter what we set it in the Dockerfile. After creating noroot_data and setting the right ownerships, the SSL issue was solved and I was finally able to make a call. otherwise, JVB and Jicofo both failed while trying to reach prosody internally because it doesn't have cert files.
If you have any ideas that can preserve the current setup and still solve the SSL issue with this user I am definitely open to hearing. but I'm curious to know why this will break the existing installations. since the /config/data is still there and the prosody PID is also still in /config/data. this is just changing the data directory to noroot_data to be able to generate SSLs. It appears to me that once the 10-config script is done it will even move the certificates to /config/certs and removes them from noroot_data at the end of the file.
There was a problem hiding this comment.
What user does the 10-config script run as? A cursory look at https://github.com/bjc/prosody/blob/master/util/prosodyctl/cert.lua reveals some ownership changes if the user is root. Or maybe we should set prosody_user and prosody_group to the new user on the config file.
There was a problem hiding this comment.
The user is noroot, with user and group ids = 1000. I bet that's why it can't create the certs in /config/data since apparently we can't change that one's ownership but it can create the certs in noroot_data and move them to the correct location since it's the owner. I could not find a better way to make this work, so I reverted it back to noroot_data so prosody doesn't break.
There was a problem hiding this comment.
But we can configure the prosody user and group with the options I showed above, did you test that? Why can noroot create stuff in /config/data tough?
We need to fix this before this PR can land.
There was a problem hiding this comment.
Since it uses ~= that line checks if the user is NOT root and is NOT the owner of the certs directory, doesn't it? Maybe try creating the certs directory inside data?
There was a problem hiding this comment.
@saghul yes precisely. our uid = 1000 and the owner is root:daemon. therefore we hit that if statement and get the error: The directory /config/data is not owned by the current user, won't be able to write files to it.
I don't see why putting /config/certs directory inside/config/datawould help solve this problem. I feel like there is a misunderstanding about the nature of the issue. Ownership over /config/certs is not the issue here. Ownership over /config/data is the actual problem.
Prosody expects noroot to be the owner of that directory. But, regardless of changing that ownership to noroot in the dockerfile, something always overwrites its ownership to root:daemon. My guess is it has something to do with prosody.pid being there (not actually sure if it can be because of this).
The bottom line is, if we can't use noroot_data as a temp path for generating certificates, we need to find a way to change ownership of /config/data. Otherwise, it will keep trying to write the certs in that one and floods the container log with failed to load TLS certificates errors.
There was a problem hiding this comment.
yes precisely. our
uid = 1000and the owner isroot:daemon. therefore we hit that if statement and get the error:The directory/config/datais not owned by the current user, won't be able to write files to it.
Oh hold on. Why can't we change the permissions of that?
But, regardless of changing that ownership to noroot in the dockerfile, something always overwrites its ownership to
root:daemon. My guess is it has something to do withprosody.pidbeing there (not actually sure if it can be because of this).
Aha. Maybe try with chattr -i ?
There was a problem hiding this comment.
@saghul did not work. tried this:
// to install chattr cause it did not exist by default.
RUN apt-get install -y e2fsprogs
// Create /config/data (cause it does not exist at this stage) - change ownership - change attribute and remove immutability.
RUN mkdir -p /config/data && chown -R noroot:noroot /config/data && chattr -R -i /config/data
all of that resulted in:
│ The directory /config/data is not owned by the current user, won't be able to write files to it │
│ The directory /config/data is not owned by the current user, won't be able to write files to it │
│ mv: cannot stat '/config/data/.crt': No such file or directory │
│ mv: cannot stat '/config/data/.key': No such file or directory
same old same old.
There was a problem hiding this comment.
Hum, that's very odd, as if the user running prosodyctl is root or something. Can you please take care of the rest of the items and leave this one for last? I'll try to take a look too.
Thanks for the detailed review. I made a few changes, cleaned up Dockerfiles, and tried to adapt to the requests as much as possible. feel free to check it out. |
| mkdir -p /config/recordings && \ | ||
| mkdir -p /home/jibri && chown -R noroot:noroot /home/jibri | ||
|
|
||
| RUN chown -R noroot:noroot /etc/cont-init.d && \ |
There was a problem hiding this comment.
These 2 are already done in the base image. Is it necessary?
|
|
||
| RUN chown -R noroot:noroot /etc/cont-init.d && \ | ||
| chown -R noroot:noroot /etc/services.d && \ | ||
| chown -R noroot:noroot /etc/jitsi && \ |
There was a problem hiding this comment.
Why is this necessary? Even if files are owned by root we can read them, right?
| chown -R noroot:noroot /usr/bin | ||
|
|
||
| RUN chmod +x /etc/cont-init.d/* && \ | ||
| chmod +x /etc/services.d/10-xorg/* && \ |
There was a problem hiding this comment.
Any chance we can use wildcards to use a single command here?
| COPY rootfs/ / | ||
| COPY --chown=noroot:noroot rootfs/ / | ||
|
|
||
| RUN chown -R noroot:noroot /etc/cont-init.d && \ |
There was a problem hiding this comment.
Same, is this necessary? If it is, which I'd like you to double-check, let's a script in the base image which all mages call, instead of duplicating the code on each of them.
| chown -R noroot:noroot /usr/share/jicofo && \ | ||
| chown -R noroot:noroot /etc/jitsi && \ | ||
| chown -R noroot:noroot /etc/jitsi/jicofo && \ | ||
| mkdir -p /config && chown -R noroot:noroot /config |
There was a problem hiding this comment.
This should go on the base image.
| COPY --chown=noroot:noroot --from=builder /usr/local/lib/lua/5.4 /usr/local/lib/lua/5.4 | ||
| COPY --chown=noroot:noroot --from=builder /usr/local/share/lua/5.4 /usr/local/share/lua/5.4 | ||
|
|
||
| RUN mkdir -pm777 /var/run/saslauthd && \ |
There was a problem hiding this comment.
Please use a single RUN block, here and elsewhere.
| @@ -215,7 +215,7 @@ http_interfaces = { "*", "::" } | |||
| http_interfaces = { "*" } | |||
| {{ end }} | |||
|
|
|||
| data_path = "/config/data" | |||
| data_path = "/config/noroot_data" | |||
There was a problem hiding this comment.
But we can configure the prosody user and group with the options I showed above, did you test that? Why can noroot create stuff in /config/data tough?
We need to fix this before this PR can land.
|
I've just had an idea about the certificate generation @bsobbe . We could stop using |
|
@bsobbe do you intend to pick this back up? |
Steps:
Useful links during my process:
https://github.com/just-containers/s6-overlay/blob/master/MOVING-TO-V3.md
just-containers/s6-overlay#539
just-containers/s6-overlay#526