DOMjudge / domjudge-packaging

DOMjudge packaging for (Linux) distributions and live image

permissions problems on linux for contributor container #143

Closed chistopher closed 9 months ago

chistopher commented 1 year ago

I get an error when starting the contributor container after a clean checkout of domjudge source. Steps as described here:

The last command fails with the following error:

[..] Setting timezone

Current default time zone: 'Europe/Amsterdam'
Local time is now:      Fri Feb 10 16:50:26 CET 2023.
Universal Time is now:  Fri Feb 10 15:50:26 UTC 2023.

[ok] Container timezone set to: Europe/Amsterdam

[..] Changing nginx and PHP configuration settings
[ok] Done changing nginx and PHP configuration settings

[..] Updating database credentials file
[ok] Updated database credentials file

[..] Performing maintainer-mode install for DOMjudge
aclocal -I m4
autom4te: cannot create autom4te.cache: No such file or directory
aclocal: error: echo failed with exit status: 1
make: *** [Makefile:161: aclocal.m4] Error 1

After some digging I found that it fails here because the domjudge user does not have enough permissions.

I tried

Now it runs for a bit longer but fails later with

... 
composer  install --prefer-dist --no-scripts --no-plugins
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Nothing to install, update or remove
Package sensio/framework-extra-bundle is abandoned, you should avoid using it. Use Symfony instead.
Generating autoload files
122 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
echo "# This file was automatically created by 'make maintainer-conf' to run" > webapp/.env.local
echo "# the DOMjudge Symfony application in developer mode. Adjust as needed." >> webapp/.env.local
echo "APP_ENV=dev" >> webapp/.env.local
make -C etc config
make[1]: Entering directory '/domjudge/etc'
Substituting configure variables in 'apache.conf'.
Substituting configure variables in 'nginx-conf'.
Substituting configure variables in 'nginx-conf-inner'.
Substituting configure variables in 'domjudge-fpm.conf'.
Substituting configure variables in 'domserver-static.php'.
Substituting configure variables in 'judgehost-static.php'.
Substituting configure variables in 'runguard-config.h'.
Substituting configure variables in 'sudoers-domjudge'.
make[1]: Leaving directory '/domjudge/etc'
Recursing target `domserver' into: etc sql misc-tools webapp
make[1]: Entering directory '/domjudge/etc'
./gen_all_secrets 
Password file 'dbpasswords.secret' already exists, leaving untouched.
Running 'genrestapicredentials'... file 'restapi.secret' created.
Running 'gensymfonysecret'... file 'symfony_app.secret' created.
Running 'genadminpassword'... file 'initial_admin_password.secret' created.
make[1]: Leaving directory '/domjudge/etc'
make[1]: Entering directory '/domjudge/sql'
Substituting configure variables in 'dj_setup_database'.
make[1]: Leaving directory '/domjudge/sql'
make[1]: Entering directory '/domjudge/misc-tools'
Substituting configure variables in 'fix_permissions'.
Substituting configure variables in 'configure-domjudge'.
Substituting configure variables in 'import-contest'.
make[1]: Leaving directory '/domjudge/misc-tools'
make[1]: Entering directory '/domjudge/webapp'
Recursing target `domserver' into: config
make[2]: Entering directory '/domjudge/webapp/config'
Substituting configure variables in 'autoload.php'.
Substituting configure variables in 'static.yaml'.
make[2]: Leaving directory '/domjudge/webapp/config'
make[2]: Entering directory '/domjudge/webapp'
make[2]: Nothing to be done for 'domserver-l'.
make[2]: Leaving directory '/domjudge/webapp'
make[1]: Leaving directory '/domjudge/webapp'
make[1]: Entering directory '/domjudge'
make[1]: Nothing to be done for 'domserver-l'.
make[1]: Leaving directory '/domjudge'
Recursing target `judgehost' into: etc judge misc-tools
make[1]: Entering directory '/domjudge/etc'
make[1]: Nothing to be done for 'judgehost'.
make[1]: Leaving directory '/domjudge/etc'
make[1]: Entering directory '/domjudge/judge'
gcc -g -O1 -Wall -fstack-protector -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -pedantic -std=c11 -DREVISION="\"unknown\"" -I/domjudge/lib -I/domjudge/etc -std=c99   -c -o runguard.o runguard.c
gcc -fPIE -Wl,-z,relro -Wl,-z,now  runguard.o /usr/lib/x86_64-linux-gnu/libm.so /usr/lib/x86_64-linux-gnu/libcgroup.so   -o runguard
g++ -g -O1 -Wall -fstack-protector -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -pedantic -std=c++11 -DREVISION="\"unknown\"" -I/domjudge/lib -I/domjudge/etc -static -o runpipe runpipe.cc /domjudge/lib/lib.error.c /domjudge/lib/lib.misc.c
gcc -g -O1 -Wall -fstack-protector -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -pedantic -std=c11 -DREVISION="\"unknown\"" -I/domjudge/lib -I/domjudge/etc -o evict evict.c /domjudge/lib/lib.error.c /domjudge/lib/lib.misc.c
Substituting configure variables in 'judgedaemon'.
Substituting configure variables in 'chroot-startstop.sh'.
Substituting configure variables in 'create_cgroups'.
Substituting configure variables in 'create-cgroups.service'.
Substituting configure variables in 'domjudge-judgedaemon@.service'.
make[1]: Leaving directory '/domjudge/judge'
make[1]: Entering directory '/domjudge/misc-tools'
Substituting configure variables in 'dj_make_chroot'.
Substituting configure variables in 'dj_run_chroot'.
Substituting configure variables in 'dj_make_chroot_docker'.
Substituting configure variables in 'dj_judgehost_cleanup'.
make[1]: Leaving directory '/domjudge/misc-tools'
make[1]: Entering directory '/domjudge'
make[1]: Nothing to be done for 'judgehost-l'.
make[1]: Leaving directory '/domjudge'
Recursing target `build' into: lib misc-tools
make[1]: Entering directory '/domjudge/lib'
gcc -g -O1 -Wall -fstack-protector -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -pedantic -std=c11 -DREVISION="\"unknown\"" -I/domjudge/lib -I/domjudge/etc   -c -o lib.error.o lib.error.c
gcc -g -O1 -Wall -fstack-protector -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -pedantic -std=c11 -DREVISION="\"unknown\"" -I/domjudge/lib -I/domjudge/etc   -c -o lib.misc.o lib.misc.c
make[1]: Leaving directory '/domjudge/lib'
make[1]: Entering directory '/domjudge/misc-tools'
make[1]: Nothing to be done for 'build'.
make[1]: Leaving directory '/domjudge/misc-tools'
make[1]: Entering directory '/domjudge'
make[1]: Nothing to be done for 'build-l'.
make[1]: Leaving directory '/domjudge'
/usr/bin/install -c -d /domjudge/bin /domjudge/etc /domjudge/lib /domjudge/lib/vendor /domjudge/output/log /domjudge/output/run /domjudge/webapp/public/images/affiliations /domjudge/webapp/public/images/countries /domjudge/webapp/public/images/teams /domjudge/example_problems
/usr/bin/install: cannot change permissions of '/domjudge/etc': Operation not permitted
/usr/bin/install: cannot change permissions of '/domjudge/lib': Operation not permitted
/usr/bin/install: cannot change permissions of '/domjudge/webapp/public/images/affiliations': Operation not permitted
/usr/bin/install: cannot change permissions of '/domjudge/webapp/public/images/teams': Operation not permitted
/usr/bin/install: cannot change permissions of '/domjudge/example_problems': Operation not permitted
make: *** [Makefile:95: domserver-create-dirs] Error 1

nickygerritsen commented 1 year ago

I will try to investigate, but I'm guessing we need two things:

Or maybe instead we should add a parameter UID (and GID) to specify under which user to run? I've seen that more often in the world of Docker and then you can use the user that the files belong to. Thoughts?

chistopher commented 1 year ago

If it helps, here are the permissions before I do the chmod.

chris@i11pcweyand:~/test$ ll domjudge/
total 856
drwxr-xr-x 15 chris algo   4096 Feb 10 17:06 ./
drwxr-xr-x  3 chris algo   4096 Feb 10 17:05 ../
-rwxr-xr-x  1 chris algo    241 Feb 10 17:06 bootstrap*
-rw-r--r--  1 chris algo  66735 Feb 10 17:06 ChangeLog
-rw-r--r--  1 chris algo    241 Feb 10 17:06 codecov.yml
-rw-r--r--  1 chris algo    153 Feb 10 17:06 CODINGSTYLE.md
-rw-r--r--  1 chris algo   4161 Feb 10 17:06 composer.json
-rw-r--r--  1 chris algo 483327 Feb 10 17:06 composer.lock
-rwxr-xr-x  1 chris algo  44826 Feb 10 17:06 config.guess*
-rwxr-xr-x  1 chris algo  35543 Feb 10 17:06 config.sub*
-rw-r--r--  1 chris algo  13916 Feb 10 17:06 configure.ac
-rw-r--r--  1 chris algo   3449 Feb 10 17:06 CONTRIBUTING.md
-rw-r--r--  1 chris algo  18001 Feb 10 17:06 COPYING
-rw-r--r--  1 chris algo   1499 Feb 10 17:06 COPYING.BSD
-rw-r--r--  1 chris algo   1023 Feb 10 17:06 COPYING.MIT
drwxr-xr-x  5 chris algo   4096 Feb 10 17:06 doc/
-rw-r--r--  1 chris algo    581 Feb 10 17:06 docker-compose.yml
-rw-r--r--  1 chris algo    357 Feb 10 17:06 .editorconfig
drwxr-xr-x  2 chris algo   4096 Feb 10 17:06 etc/
drwxr-xr-x  5 chris algo   4096 Feb 10 17:06 example_problems/
drwxr-xr-x  8 chris algo   4096 Feb 10 17:06 .git/
-rw-r--r--  1 chris algo     46 Feb 10 17:06 .gitattributes
drwxr-xr-x  6 chris algo   4096 Feb 10 17:06 .github/
-rw-r--r--  1 chris algo    199 Feb 10 17:06 .gitignore
drwxr-xr-x  3 chris algo   4096 Feb 10 17:06 gitlab/
-rw-r--r--  1 chris algo    290 Feb 10 17:06 .gitlab-ci.yml
-rwxr-xr-x  1 chris algo  14431 Feb 10 17:06 install-sh*
drwxr-xr-x  3 chris algo   4096 Feb 10 17:06 judge/
-rw-r--r--  1 chris algo   1119 Feb 10 17:06 .lgtm.yml
drwxr-xr-x  2 chris algo   4096 Feb 10 17:06 lib/
drwxr-xr-x  2 chris algo   4096 Feb 10 17:06 m4/
-rw-r--r--  1 chris algo  13488 Feb 10 17:06 Makefile
-rw-r--r--  1 chris algo   2965 Feb 10 17:06 Makefile.global
drwxr-xr-x  2 chris algo   4096 Feb 10 17:06 misc-tools/
-rw-r--r--  1 chris algo   5573 Feb 10 17:06 paths.mk.in
-rw-r--r--  1 chris algo    986 Feb 10 17:06 .phpmd-ruleset.xml
-rw-r--r--  1 chris algo   4141 Feb 10 17:06 README.md
-rw-r--r--  1 chris algo    311 Feb 10 17:06 .sastscanrc
-rw-r--r--  1 chris algo   1012 Feb 10 17:06 SECURITY.md
drwxr-xr-x  3 chris algo   4096 Feb 10 17:06 sql/
drwxr-xr-x  2 chris algo   4096 Feb 10 17:06 submit/
-rw-r--r--  1 chris algo  19350 Feb 10 17:06 symfony.lock
drwxr-xr-x 10 chris algo   4096 Feb 10 17:06 webapp/

As you can see, a user that is not part of the algo group has no write access, which is probably the problem.
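
The thread shows two distinct failures on the mounted checkout: files that cannot be created, and `install` reporting "cannot change permissions ... Operation not permitted". The script below is an added example (not part of the issue or of DOMjudge's scripts) that audits a directory for both conditions for a given uid:gid. It assumes GNU `stat`, ignores ACLs, supplementary groups and user namespaces, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: explain bind-mount permission failures from ownership and mode bits.
# Assumes GNU stat; ignores ACLs, supplementary groups and user namespaces.

# writable_by UID GID PATH: true if the classic permission bits grant write.
writable_by() {
    wb_stat=$(stat -c '%u %g %a' -- "$3") || return 2
    set -- "$1" "$2" $wb_stat          # now $3=owner uid, $4=owner gid, $5=octal mode
    [ "$1" -eq 0 ] && return 0         # root bypasses the mode bits
    wb_mode=$((0$5))                   # leading 0 makes the shell read it as octal
    if   [ "$1" -eq "$3" ]; then wb_bit=$((wb_mode & 0200))   # owner class
    elif [ "$2" -eq "$4" ]; then wb_bit=$((wb_mode & 0020))   # group class
    else                         wb_bit=$((wb_mode & 0002))   # other class
    fi
    [ "$wb_bit" -ne 0 ]
}

# can_chmod UID PATH: chmod(2) is allowed only for the owner (or root);
# write permission on the path does not matter.
can_chmod() {
    [ "$1" -eq 0 ] && return 0
    [ "$1" -eq "$(stat -c '%u' -- "$2")" ]
}

# audit_tree UID GID DIR: report DIR and its direct entries that the identity
# cannot write to or cannot chmod. Returns 1 if anything was reported.
audit_tree() {
    at_rc=0
    for at_p in "$3" "$3"/* "$3"/.[!.]*; do
        [ -e "$at_p" ] || continue
        writable_by "$1" "$2" "$at_p" || { echo "no-write $at_p"; at_rc=1; }
        can_chmod "$1" "$at_p"        || { echo "no-chmod $at_p"; at_rc=1; }
    done
    return "$at_rc"
}

# Usage: sh audit.sh <container-uid> <container-gid> <mounted-dir>
if [ "$#" -eq 3 ]; then audit_tree "$@"; fi
```

A `no-chmod` finding persists even after write access is opened up with `chmod`, because changing a mode requires owning the file.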