[BUG] OpenRMF Template API Container is failing to start

[rsf123]

Describe the bug The openRMF Template API container is failing to start. Configured keycloak and then ran ./start.sh in the scripts directory. All containers have pulled down. However, the openrmf-template-api container starts, then fails. Was able to manually start up using docker-compose up (no daemon mode) and tailing the logfile for the api container. It appears that authentication to the mongoDB is failing.

NOTE: this has occured after changing ports for the Keycloak and openrmf-web containers, and providing a custom auth.js. Have not yet tried it with an "out of the box" configuration due to firewall issues preventing port 9001.

To Reproduce Steps to reproduce the behavior:

1. Change keycloak to port 8080
2. Change openweb-rmf to port 80
3. Modify .env file to point to
4. Create custom auth.js file to point to :8080 for keycloak
5. Add bind mount to openweb-rmf to mount the custom auth.js file
6. Start containers with ./start.sh or just docker-compose up | grep openrmf-template-api to tail api container's log files.

Expected behavior Everything to start up correctly.

Screenshots Errors in log file for openrmf-template-api container: 2021-02-04 17:09:35.3704|6|FATAL|Microsoft.AspNetCore.Hosting.Diagnostics|Application startup exception MongoDB.Driver.MongoAuthenticationException: Unable to authenticate using sasl protocol mechanism SCRAM-SHA-1. openrmf-template-api | ---> MongoDB.Driver.MongoCommandException: Command saslStart failed: Authentication failed.. openrmf-template-api | at MongoDB.Driver.Core.WireProtocol.CommandUsingQueryMessageWireProtocol1.ProcessReply(ConnectionId connectionId, ReplyMessage1 reply) openrmf-template-api | at MongoDB.Driver.Core.WireProtocol.CommandUsingQueryMessageWireProtocol1.ExecuteAsync(IConnection connection, CancellationToken cancellationToken) openrmf-template-api | at MongoDB.Driver.Core.Authentication.SaslAuthenticator.AuthenticateAsync(IConnection connection, ConnectionDescription description, CancellationToken cancellationToken) openrmf-template-api | --- End of inner exception stack trace --- openrmf-template-api | at openrmf_templates_api.Data.TemplateRepository.RemoveSystemTemplates() in /app/Data/TemplateRepository.cs:line 130|url: |action: openrmf-template-api | 2021-02-04 17:09:35.3704|6|FATAL|Microsoft.AspNetCore.Hosting.Diagnostics|Application startup exception MongoDB.Driver.MongoAuthenticationException: Unable to authenticate using sasl protocol mechanism SCRAM-SHA-1`

Desktop (please complete the following information): Ubuntu

Additional context Unable to test using "stock" configuration due to port 9001 being blocked in our network as non-standard traffic for web

[Cingulara]

That is odd the template API is failing. I will have to load that up later today. Unfortunately I cannot right now. You could bring down the openrmf stack, do a docker volume ls and see what persistent volume the Template made with "scripts_template-data-volume" or some name. Then do a docker volume rm xxxxxx where xxxx is that name. Then you can start the openrmf stack back up and see if it remakes it correctly.

The user/pwd is created in the initialization JS https://github.com/Cingulara/openrmf-docs/blob/master/scripts/initializeTemplate.js and then used in the docker-compose https://github.com/Cingulara/openrmf-docs/blob/master/scripts/docker-compose.yml#L452 there.

The db connection is here https://github.com/Cingulara/openrmf-docs/blob/master/scripts/docker-compose.yml#L324 in the ENV. Make sure they all match up.

[rsf123]

I'll poke around in the links you provided and see if something jumps out. I had already tried removing the volumes to no avail. I may also try and pull this down onto a personal machine that isn't hampered by firewall and try the "stock" configuration. I imagine it'd be very odd for the port changes I made to cause this, but stranger things have happened!

[rsf123]

Found the issue. When I did a git clone of the repo, all of the script files that initialize the databases had permissions set for both user and group readability. The mongodb containers were throwing errors "permission denied" trying to read them when they were mounted.

When I changed them to user/group/world readable the containers were able to start up and initialize properly and then the rest of the stack behaved appropriately.

As an aside, I had the same issue when I created a custom auth.js file... I had to set the permissions to be world readable for it to be read properly on the nginx container.

[Cingulara]

@rsf123 Is this working?

[rsf123]

Yes. With the change in permissions it now works. I didn't close the issue since I didn't know if you needed to use it to make a change on the git repo.

[Cingulara]

What would change? the code? or the write-up documentation on how to change the AUTH? Not sure what change would happen.

[rsf123]

The issue ended up being the file permissions assigned to the initializat javascript files that were preventing the mongoDB from initializing. When I cloned the repo, they came out as just user/group readable. So when they were bind mounted into the containers, the container couldn't read them.

I changed them to chmod a+r and they would work. So I don't think its a code change, perhaps a change to the files' default permissions?

[Cingulara]

Ok. This may be an issue when doing a git clone, not a fork and not a download/setup of the ZIP files on the release. I have had 2 people setup SSL as well as use different ports and do this, but they d/l the ZIP files and then modified. I wonder if the clone on the master branch made an issue. I will have to make sure of all that before I document it. Ok.

These five files? These are what I am listing (on my MacBook) from that openrmf-docs/scripts/ folder.

-rw-r--r--   1 dalebingham  staff    300 May 31  2020 initializeAudit.js
-rw-r--r--   1 dalebingham  staff    394 May 31  2020 initializeChecklist.js
-rw-r--r--   1 dalebingham  staff    862 May 31  2020 initializeReport.js
-rw-r--r--   1 dalebingham  staff    310 May 31  2020 initializeScore.js
-rw-r--r--   1 dalebingham  staff    330 May 31  2020 initializeTemplate.js

[rsf123]

Yep. When I git cloned them into an Ubuntu system the world read bit wasn’t set.

Sent from my iPhone

On Feb 6, 2021, at 13:11, Cingulara CTO notifications@github.com wrote:



Ok. This may be an issue when doing a git clone, not a fork and not a download/setup of the ZIP files on the release. I have had 2 people setup SSL as well as use different ports and do this, but they d/l the ZIP files and then modified. I wonder if the clone on the master branch made an issue. I will have to make sure of all that before I document it. Ok.

These five files? These are what I am listing (on my MacBook) from that openrmf-docs/scripts/ folder.

-rw-r--r-- 1 dalebingham staff 300 May 31 2020 initializeAudit.js -rw-r--r-- 1 dalebingham staff 394 May 31 2020 initializeChecklist.js -rw-r--r-- 1 dalebingham staff 862 May 31 2020 initializeReport.js -rw-r--r-- 1 dalebingham staff 310 May 31 2020 initializeScore.js -rw-r--r-- 1 dalebingham staff 330 May 31 2020 initializeTemplate.js

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCingulara%2Fopenrmf-docs%2Fissues%2F221%23issuecomment-774518105&data=04%7C01%7C%7C704ec84ac80e45e1c6f008d8cacaa7a4%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637482319023508953%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=KM5Q2aM3eIcDLurJCITRCD1hlwRbriWHxjYIW8vZI1o%3D&reserved=0, or unsubscribehttps://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAOPCVWB2YNECKGBMY4S7YX3S5WA53ANCNFSM4XDG7FCA&data=04%7C01%7C%7C704ec84ac80e45e1c6f008d8cacaa7a4%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637482319023518945%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=O%2B%2B%2FRq2ZV%2Fjvx4klwsi0oI2z3l4FO1MyWZsDY8qbTz8%3D&reserved=0.

[Cingulara]

Put this into a few places in the documentation.