Permissions denied on Air gap network

DiouxX / docker-glpi

Project to deploy GLPI with docker

239 stars 188 forks source link

Permissions denied on Air gap network #109

Closed s0p4L1n3 closed 8 months ago

s0p4L1n3 commented 8 months ago

Hello,

I'm working in physical isolated network. When I start the compose, It does not download the glpi-10.0.14.tar.gz. If I deploy manually glpi folder, the first problem is resolved but I have another issue saying that It does not have the permissions to write on config folder.

Indeed, inside the container the permissions UID:GID on /var/www/html/glpi are 1000:1000 (my non root user)

On my server test which has Internet access, the container permissions on /var/www/html/glpi are www-data:www-data It explain the permissions issue.

I tried adding user: www-data:www-data or its UID/GID 33:33 in the compose file without success

The temporary fix is to enter inside the container and change the permissions to www-data but as it is not permanent, it will be pain in the a** in production.

s0p4L1n3 commented 8 months ago

I rebuilded the image to fix temporary my issue:

Added wget line to Dockerfile to download static latest version (glpi is downloaded not from the container but during the build)
- && wget -P /var/www/html/ https://github.com/glpi-project/glpi/releases/download/10.0.14/glpi-10.0.14.tgz
Edited the glpi-start.sh to adapt the code to new method:

I've forked the project, the image is available on Docker Hub. docker-glpi

DiouxX commented 8 months ago

Hello,

If you're in an isolated network, how do you download the Docker image from Docker Hub ?

s0p4L1n3 commented 8 months ago

I pull my rebuilded image, save it. USB transfer and then load it on the isolated network.

It works like a charm with the « custom » image even though I do not change much, just that glpi is downloaded during the build.

Is possible for you to adapt your Image to let the user choose between internet / isolated mode ?

s0p4L1n3 commented 8 months ago

Other solution for me to work, I can use your image, even if it does not download glpi. Inside the container, permissions are www-data:www-data but on the host, the permissions are 33:tape (I'm on Oracle Linux 9.3)

I just need to apply on the docker host: chown -R 33:tape /home/user/docker-glpi/var/www/html/glpi

The main issue is the UID/GID permissions between container/host for /var/www/html/glpi or /var/lib/mysql

s0p4L1n3 commented 8 months ago

I will also update my DockerFile to customize www-data UID/GID at building so it can match my host volume owner UID/GID. I'm not sure if there is a way to automate this ?

Even if the main issue is not resolved for you image, I found a way to fix it by building what I want.