GameServerManagers / docker-gameserver

Dockerised Game Servers using LinuxGSM
MIT License
153 stars, 15 forks

Setting UID/GID/USER is broken #76

Open noillt opened 3 weeks ago

noillt commented 3 weeks ago

We had an issue where the docker image gameservermanagers/gameserver:css was setting UID and GID to 1000, which was the wrong user on our server (even if the user linuxgsm existed, for example on id 1006), and the volume (dir) would get chowned to the wrong user.

After noticing that it's set through ENV we added variable overrides to docker-compose.yml (some data is redacted):

version: "3.8"
services:
  linuxgsm-css-bind:
    image: gameservermanagers/gameserver:css
    volumes:
      - /home/combat/combat-css-server:/data
    environment:
      - USER=combat
      - UID=1005
      - GID=1005

But the docker image would still fail with:

combat-css-server  | Switch to user combat
combat-css-server  | =================================
combat-css-server  | error: failed switching to "combat": unable to find user combat: no matching entries in passwd file
combat-css-server  | 
combat-css-server  | Check Permissions
combat-css-server  | =================================
combat-css-server  | setting UID to 1005
combat-css-server  | setting GID to 1005
combat-css-server  | updating permissions for /data
combat-css-server  | chown: invalid user: ‘combat:combat’
combat-css-server  | updating permissions for /app
combat-css-server  | chown: invalid user: ‘combat:combat’

The problem is that the user exists:

# combat@noil:~$ id
uid=1005(combat) gid=1005(combat) groups=1005(combat),100(users),994(docker)

We are not and will not run docker or any other similar daemons or commands with sudo. The combat user is part of the docker group and is able to run docker images without sudo.

How should we proceed to start the linuxgsm (gameserver) as our combat user, so that the volume and the start scripts would get the correct UID/GID?

Or is it only possible to start as non-root with the linuxgsm user and then deal with dir/file permissions so that the combat user could modify files owned by the linuxgsm user? (It worked to start the docker image with user=linuxgsm, id=1006, gid=1006.)

chmod 775 is not a solution, as every time the docker container is started it overrides all ownerships and permissions.
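An added example, not the docker-gameserver project's entrypoint, of how an entrypoint can honour USER/UID/GID without the "no matching entries in passwd file" / "chown: invalid user" failure shown above: first create or adjust the account inside the container's own passwd/group, refuse to continue when the numeric id already belongs to a different name, and only then chown, by numeric id. It assumes Debian-style useradd/groupadd/usermod/groupmod and gosu exist in the image; the ENTRYPOINT_DEMO guard is illustrative.

```shell
#!/bin/sh
# Added example, not the project's own entrypoint. Written for POSIX sh on
# purpose: in bash, UID is a read-only shell variable holding the real uid, so
# a UID= passed in through the environment is not visible to a bash script.
set -eu

# ensure_account NAME UID GID PASSWD_FILE GROUP_FILE
# Prints the commands needed so that NAME exists with exactly UID:GID in the
# given passwd(5)/group(5) files (nothing if it already does). Returns 1 when
# the numeric id is already owned by a different name, instead of letting a
# later chown by name land on the wrong account.
ensure_account() {
  name=$1 uid=$2 gid=$3 passwd=$4 group=$5
  gid_of_name=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$group")
  owner_of_gid=$(awk -F: -v g="$gid" '$3 == g { print $1 }' "$group")
  if [ -n "$owner_of_gid" ] && [ "$owner_of_gid" != "$name" ]; then
    echo "conflict: gid $gid already belongs to group $owner_of_gid" >&2; return 1
  elif [ -z "$gid_of_name" ]; then
    echo "groupadd -g $gid $name"
  elif [ "$gid_of_name" != "$gid" ]; then
    echo "groupmod -g $gid $name"
  fi
  ids_of_name=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4 }' "$passwd")
  owner_of_uid=$(awk -F: -v u="$uid" '$3 == u { print $1 }' "$passwd")
  if [ -n "$owner_of_uid" ] && [ "$owner_of_uid" != "$name" ]; then
    echo "conflict: uid $uid already belongs to user $owner_of_uid" >&2; return 1
  elif [ -z "$ids_of_name" ]; then
    echo "useradd -u $uid -g $gid -M -s /bin/bash $name"
  elif [ "$ids_of_name" != "$uid:$gid" ]; then
    echo "usermod -u $uid -g $gid $name"
  fi
}

# Entrypoint wiring; only runs when the (illustrative) guard variable is set.
if [ "${ENTRYPOINT_DEMO:-}" = run ]; then
  user=${USER:-linuxgsm} uid=${UID:-1000} gid=${GID:-1000}
  # Plan against the container's real files and apply the plan as root.
  ensure_account "$user" "$uid" "$gid" /etc/passwd /etc/group | sh -eu
  # Numeric ids need no passwd lookup, so this cannot fail with "invalid user".
  chown -R "$uid:$gid" /data /app
  exec gosu "$user" "$@"   # drop root before starting the game server
fi
```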

successtheman commented 1 week ago

I tried to make a user with the same UID and GID as the ones it was chowning the files to, and then added my user to that group. Unfortunately, when it detected that the user existed, it would then chown all the files to a different UID and GID. I believe this is similar to what you are saying? I wish there was a flag to just make it run as root instead of the linuxgsm user to bypass all this trouble, because honestly I just start it when I want to play l4d2 (not CSS like in your case, but it should still be similar), so I don't really care about how secure it is or not.

Try using a bind mount as per https://docs.docker.com/storage/bind-mounts/#mount-into-a-non-empty-directory-on-the-container; this seemed to work for me and it sets the UID/GID I specified. Bind mount didn't actually work, never mind.