
docker: access log is owned by root #1422

Open
0x6f677548 opened this issue Sep 13, 2024 · 2 comments

Hi;
docker container image: unit:python3.12

my config includes:

  },
    "access_log": {
        "path": "/var/log/unit/unit-access.log",
        "format": "$remote_addr - [$time_local] $host \"$request_line\" $status $body_bytes_sent \"$header_referer\" \"$header_user_agent\" \"$remote_addr\""
    }

It seems that although unit is running as unit (uid:999), the log file is created as root:

# id
uid=0(root) gid=0(root) groups=0(root)
# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  10084  4324 ?        Ss   15:59   0:00 unit: main v1.32.1 [unitd --no-daemon --control unix:/var/run/control.unit.sock]
unit        74  0.0  0.0   9440  1520 ?        S    15:59   0:00 unit: controller
unit        75  0.0  0.0 1206808 13376 ?       Sl   15:59   0:00 unit: router
unit        76  0.0  0.0  16572  4640 ?        S    15:59   0:00 unit: "fastapi" prototype
unit        77  2.5  0.5 1792776 83396 ?       Sl   15:59   0:01 unit: "fastapi" application
root       117  0.0  0.0   2480   520 pts/0    Ss   16:00   0:00 /bin/sh
root       127  0.0  0.0   8648  3276 pts/0    R+   16:00   0:00 ps aux
# ls -l /var/log/unit
total 0
-rw------- 1 root root 0 Sep 13 15:59 unit-access.log

  1. is there any way to run the container as non-root? I already tried to run it with the same user, but I get:
| /usr/local/bin/docker-entrypoint.sh: /var/lib/unit/ is not empty, skipping initial configuration...
| 2024/09/13 16:06:51 [warn] 1#1 Unit is running unprivileged, then it cannot use arbitrary user and group.
| 2024/09/13 16:06:51 [alert] 1#1 bind(6, unix:/var/run/control.unit.sock.tmp) failed (13: Permission denied)

  2. Is there any way to create the log file as non-root?

This is somehow related to #193, as I am trying to overcome this limitation by sharing the log file with another otel-collector container that does not run as root. Any alternative suggestion would be welcome.
thanks

@javorszky javorszky self-assigned this Sep 16, 2024

ac000 commented Sep 16, 2024

2024/09/13 16:06:51 [alert] 1#1 bind(6, unix:/var/run/control.unit.sock.tmp) failed (13: Permission denied)

You will need to specify --control to point to someplace your user has permissions to read/write. Probably the same for --pid, --log & --statedir

unitd --version will show you the default values for these things...


ac000 commented Sep 16, 2024

It seems that although unit is running as unit (uid:999), the log file is created as root:

This is due to

root         1  0.0  0.0  10084  4324 ?        Ss   15:59   0:00 unit: main v1.32.1 [unitd --no-daemon --control unix:/var/run/control.unit.sock]
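As an added example (not code from this issue or from the Unit project), a pre-flight helper a container entrypoint could run before unitd starts: it pre-creates the access log with the intended owner and a group-readable mode, so the root main process only appends to an existing file (a root open(2) for append keeps the existing owner and mode; that Unit opens the configured path without recreating it is an assumption) and a sidecar in the same group can read it. Function and file names are hypothetical, and the demo uses the current user's uid in a temp dir rather than uid 999.

```python
import os
import stat
import tempfile

def ensure_log_file(path, uid, gid, mode=0o640):
    """Pre-create or repair the access log before unitd opens it.

    Hypothetical entrypoint helper: if the file already exists when the
    root main process opens it for append, its owner and mode are kept,
    so a non-root reader in group `gid` can share it. Returns a report.
    """
    created = False
    if not os.path.lexists(path):
        # O_EXCL: never follow a symlink planted at the log path.
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode))
        created = True
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise RuntimeError(f"{path} is not a regular file")
    fixed_owner = (st.st_uid, st.st_gid) != (uid, gid)
    if fixed_owner:
        os.chown(path, uid, gid)  # needs root (entrypoint runs before dropping privs)
    fixed_mode = stat.S_IMODE(st.st_mode) != mode  # umask may have masked bits
    if fixed_mode:
        os.chmod(path, mode)
    return {"created": created, "fixed_owner": fixed_owner, "fixed_mode": fixed_mode}

def is_readable_by(path, uid, gid):
    """True if a process running as uid/gid could open the log read-only."""
    st = os.stat(path)
    perm = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(perm & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(perm & stat.S_IRGRP)
    return bool(perm & stat.S_IROTH)

def run_demo():
    """Reproduce the issue's state (rw------- log) in a temp dir, then repair it."""
    uid, gid = os.getuid(), os.getgid()
    path = os.path.join(tempfile.mkdtemp(), "unit-access.log")
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600))  # as in the ls -l output
    before = is_readable_by(path, uid + 1, gid)  # a sidecar uid sharing the group
    report = ensure_log_file(path, uid, gid)
    after = is_readable_by(path, uid + 1, gid)
    return {"before": before, "after": after, **report}

if __name__ == "__main__":
    print(run_demo())
```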
