Icinga / docker-icingaweb2

GNU General Public License v2.0

We break LDAP by installing HTTPd #101

Closed Al2Klimov closed 1 year ago

Al2Klimov commented 1 year ago

Plain base image

$ docker run --rm -it debian:11-slim bash

root@5f995fc0c5f6:/# apt-get update >/dev/null 2>&1
root@5f995fc0c5f6:/# apt install ldap-utils ca-certificates -y >/dev/null 2>&1
root@5f995fc0c5f6:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@5f995fc0c5f6:/# ldapsearch -h none.of.your.business.netways.de -x -W -D none.of@your.business.netways.de -b (...) -ZZ '(CN=Alexander Klimov)'
Enter LDAP Password:

Our image

$ docker run --rm -itu 0 icinga/icingaweb2:master bash

[Mon Dec 5 14:42:05.846249576 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Initializing /data as we're the init process
[Mon Dec 5 14:42:05.847958114 2022] [docker_entrypoint:debug] [pid 1] DOCKERE: Creating "/data/etc/icingaweb2/enabledModules"
[Mon Dec 5 14:42:05.848211874 2022] [docker_entrypoint:debug] [pid 1] DOCKERE: Creating "/data/var/lib/icingaweb2"
[Mon Dec 5 14:42:05.848340822 2022] [docker_entrypoint:debug] [pid 1] DOCKERE: Translating env vars to .ini config
[Mon Dec 5 14:42:05.84838843 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Checking database resources used as backends
Created directory: /var/lib/snmp/cert_indexes
[Mon Dec 5 14:42:06.434221345 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Looking up "bash" in $PATH
[Mon Dec 5 14:42:06.434356917 2022] [docker_entrypoint:info] [pid 1] DOCKERE: Running "/bin/bash"
root@9ebce0a5458e:/# apt-get update >/dev/null 2>&1
root@9ebce0a5458e:/# apt install ldap-utils ca-certificates -y >/dev/null 2>&1
root@9ebce0a5458e:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@9ebce0a5458e:/# ldapsearch -h none.of.your.business.netways.de -x -W -D none.of@your.business.netways.de -b (...) -ZZ '(CN=Alexander Klimov)'
ldap_start_tls: Connect error (-11)
    additional info: (unknown error code)
root@9ebce0a5458e:/#

Broken down

$ docker run --rm -it debian:11-slim bash

root@061ddffb406b:/# export DEBIAN_FRONTEND=noninteractive
root@061ddffb406b:/# apt-get update >/dev/null 2>&1
root@061ddffb406b:/# apt-get install --no-install-{recommends,suggests} -y apache2 >/dev/null 2>&1 # <== HERE
root@061ddffb406b:/# apt install ldap-utils ca-certificates -y >/dev/null 2>&1
root@061ddffb406b:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@061ddffb406b:/# ldapsearch -h none.of.your.business.netways.de -x -W -D none.of@your.business.netways.de -b (...) -ZZ '(CN=Alexander Klimov)'
ldap_start_tls: Connect error (-11)
    additional info: (unknown error code)
root@061ddffb406b:/#
Al2Klimov commented 1 year ago
diff --git a/Dockerfile b/Dockerfile
index 28e31ac..e90afdf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ RUN ["go", "build", "."]

 FROM debian:bullseye-slim

-RUN ["bash", "-exo", "pipefail", "-c", "export DEBIAN_FRONTEND=noninteractive; apt-get update; apt-get install --no-install-{recommends,suggests} -y apache2 ca-certificates libapache2-mod-php7.4 locales-all php-{imagick,redis} php7.4-{bcmath,bz2,common,curl,dba,enchant,gd,gmp,imap,interbase,intl,json,ldap,mbstring,mysql,odbc,opcache,pgsql,pspell,readline,snmp,soap,sqlite3,sybase,tidy,xml,xmlrpc,xsl,zip}; apt-get clean; rm -vrf /var/lib/apt/lists/*"]
+RUN ["bash", "-exo", "pipefail", "-c", "export DEBIAN_FRONTEND=noninteractive; apt-get update; apt-get install -y apache2; apt-get install --no-install-{recommends,suggests} -y ca-certificates libapache2-mod-php7.4 locales-all php-{imagick,redis} php7.4-{bcmath,bz2,common,curl,dba,enchant,gd,gmp,imap,interbase,intl,json,ldap,mbstring,mysql,odbc,opcache,pgsql,pspell,readline,snmp,soap,sqlite3,sybase,tidy,xml,xmlrpc,xsl,zip}; apt-get clean; rm -vrf /var/lib/apt/lists/*"]

 COPY --from=entrypoint /entrypoint/entrypoint /entrypoint
 COPY entrypoint/db-init /entrypoint-db-init
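Review bot: the added plain `apt-get install -y apache2` on the `+RUN` line installs apache2 with all of its Recommends and Suggests, so the image now gains an unspecified set of packages (whatever the bullseye archive resolves at build time) and size, while the one package that actually repairs `ldap_start_tls` stays unidentified; the line also carries no comment saying why apache2 is treated differently from the rest of the list, which matches the "Don't ask me why" in the comment. Suggest doing what julianbrost proposes in the thread, diffing the installed packages of a working and a broken container and installing the candidates one at a time, and then adding just that package name to the existing single `--no-install-{recommends,suggests}` install, keeping one `apt-get install` call and leaving apache2 itself without its recommends.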

seems to help. Don’t ask me or the internet why.

Al2Klimov commented 1 year ago

Also helping, this time fully and effectively:

https://stackoverflow.com/a/7586808

julianbrost commented 1 year ago

> Don’t ask me or the internet why.

Well that should be fairly simple to figure out. Just compare the set of installed packages, install the missing ones one by one and see which one fixes it.

> Also helping, this time fully and effectively:
>
> https://stackoverflow.com/a/7586808

Disabling certificate validation is almost certainly not what you want to do.
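The package bisection julianbrost proposes, written out as a POSIX shell script. This is an added example, not code from the issue or from the Icinga project; it assumes two sorted package lists captured with `dpkg-query` in the working and in the broken container, and placeholder `LDAP_*` environment variables for the real StartTLS check.

```shell
#!/bin/sh
# Added example, not code from the issue or the Icinga project. Take the package list
# of the working container and of the broken one, then install the missing packages
# one at a time until the check (the ldapsearch -ZZ call from the issue) succeeds.
# Assumed inputs: one sorted list per container, captured inside it with
#   dpkg-query -W -f='${Package}\n' | sort > packages.txt
set -u

# Print the packages present in $1 (working image) but absent from $2 (broken image).
missing_packages() {
    comm -23 "$1" "$2"
}

# $1 working list, $2 broken list, $3 install command, $4 check command.
# Tries each missing package in turn; prints the first one that makes the check
# succeed and returns 0, or returns 1 when none of them does.
bisect_packages() {
    working=$1; broken=$2; install_cmd=$3; check_cmd=$4
    candidates=$(mktemp) || return 1
    missing_packages "$working" "$broken" > "$candidates"
    found=1
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        "$install_cmd" "$pkg" </dev/null >/dev/null 2>&1 || continue
        if "$check_cmd" </dev/null; then
            printf '%s\n' "$pkg"
            found=0
            break
        fi
    done < "$candidates"
    rm -f "$candidates"
    return $found
}

# Installer for a Debian container: no recommends, so each step adds exactly one package.
apt_install() {
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends "$1"
}

# The check from the issue as a non-interactive StartTLS bind; LDAP_HOST, LDAP_BIND_DN,
# LDAP_BASE and LDAP_PW are assumed environment variables, not values from the issue.
ldap_check() {
    ldapsearch -H "ldap://$LDAP_HOST" -x -D "$LDAP_BIND_DN" -w "$LDAP_PW" \
        -b "$LDAP_BASE" -ZZ -s base '(objectClass=*)' >/dev/null 2>&1
}

# Usage: sh bisect.sh working-packages.txt broken-packages.txt
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    bisect_packages "$1" "$2" apt_install ldap_check
fi
```

Run it as root inside a fresh copy of the broken image so each iteration starts from the same state; the package it prints is the one to add explicitly to the Dockerfile's install list.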