RotherOSS / otobo-docker

OTOBO Docker and Docker Compose files.
GNU General Public License v3.0

su: cannot set groups: Operation not permitted for Daemon and Web Container #26

Closed JustCodeIt4Head closed 4 years ago

JustCodeIt4Head commented 4 years ago

Hello, managed to set up the containers, but the Daemon, as well as the Web Containers, won't start and the log says: "su: cannot set groups: Operation not permitted".

I'm running the Docker Containers on a Debian 9 machine with the following Docker Compose:

docker-compose version 1.26.2, build eefe0d31
docker-py version: 4.2.2
CPython version: 3.7.7
Docker 19.03.13

bschmalhofer commented 4 years ago

Hi @JustCodeIt4Head ,

thanks for reporting this. It's good to have reports from different systems and different setups.

First, the versions of docker and docker-compose look fine. They are most likely not causing the problems.

That the command su is called is no surprise. su is used in /opt/otobo_install/entrypoint.sh. You can verify this by calling

docker run -it --rm --volume otobo_opt_otobo:/opt/otobo rotheross/otobo:latest cat /opt/otobo_install/entrypoint.sh | grep su

In OTOBO 10.0.3 the containers start as root, initially executing entrypoint.sh. This seems to work in principle, as otherwise you would not get the error message. Therefore I think that this is a problem with the Linux capabilities that root in the container has. My question is: Is your Docker daemon running on your local machine or are you using a container platform like OpenShift? I have to admit that so far we tested only with local Docker daemons.

There is another thing you could try. For the upcoming release of OTOBO 10.0.4 we have worked on Docker support. A big change is that the containers otobo_web_1 and otobo_daemon_1 no longer run as root. They run as the user otobo instead. This means that su is no longer used in entrypoint.sh. So, you can add the line

OTOBO_IMAGE_OTOBO=rotheross/otobo:devel-rel-10_0

in your .env file. Then you can start OTOBO in a fresh state:

docker_admin>cd /opt/otobo-docker
docker_admin>docker-compose down -v                   # will remove volumes
docker_admin>docker-compose up -d
docker_admin>docker-compose ps
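
The capability hypothesis in the comment above can be checked from inside a container: su calls setgroups(), which requires CAP_SETGID, and then setuid(), which requires CAP_SETUID. The script below is an added example, not part of the issue thread or the OTOBO project; the function names and the sample CapEff masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the capabilities su depends on are
# missing from a process's effective set (CapEff in /proc/<pid>/status).
# Bit numbers are those defined in <linux/capability.h>.
CAP_SETGID=6   # required by setgroups() / setgid()
CAP_SETUID=7   # required by setuid()

# cap_effective STATUS_FILE -> prints the CapEff hex mask
cap_effective() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}"
}

# has_cap HEXMASK BIT -> exit status 0 if that bit is set in the mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_su_caps STATUS_FILE -> prints the missing capability names,
# or an empty line when both are present
missing_su_caps() {
    mask=$(cap_effective "$1")
    [ -n "$mask" ] || { echo "unknown"; return 1; }
    missing=""
    has_cap "$mask" "$CAP_SETGID" || missing="CAP_SETGID"
    has_cap "$mask" "$CAP_SETUID" || missing="${missing:+$missing }CAP_SETUID"
    printf '%s\n' "$missing"
}

# Demo on constructed /proc/<pid>/status excerpts (not from the issue).
demo() {
    tmp=$(mktemp)
    # Sample 1: mask with both bits 6 and 7 set
    printf 'Name:\tsu\nCapEff:\t00000000a80425fb\n' > "$tmp"
    echo "sample 1 missing: [$(missing_su_caps "$tmp")]"
    # Sample 2: same mask with bits 6 and 7 cleared
    printf 'Name:\tsu\nCapEff:\t00000000a804253b\n' > "$tmp"
    echo "sample 2 missing: [$(missing_su_caps "$tmp")]"
    rm -f "$tmp"
}
demo
```

Inside a running container, `missing_su_caps /proc/1/status` reports on the entrypoint process itself.
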

JustCodeIt4Head commented 4 years ago

Hello, the Docker instance is running on a physical machine and not virtualized. From what I understand, the fix should be 4755 for /bin/su, which I can't do since the container is crashing, and I think they don't mean to change the rights on the host system. I will let you know if I find a solution and if the OTOBO_IMAGE_OTOBO=rotheross/otobo:devel-rel-10_0 does work for me.

bschmalhofer commented 4 years ago

Thanks for the testing. For reference here are the permissions that I have on my devel machine:

On the host:

ls -l /bin/su 
-rwsr-xr-x 1 root root 67816 Jul 21 09:49 /bin/su

Inside the container:

4263c87bb7be:~$ ls -l /bin/su 
-rwsr-xr-x 1 root root 63568 Jan 10  2019 /bin/su

I expect that /bin/su should have the identical privileges on your docker image, as that su comes from the base image perl:5.32.0-buster. Perhaps there is a magical way where su in the container checks the su on the host.

Glad that the devel version is working for you. Unfortunately the release date of OTOBO 10.0.4 has not been decided yet.

bschmalhofer commented 4 years ago

This was resolved for OTOBO 10.0.4. The fix was simply that the command 'su' is no longer used in /opt/otobo_install/entrypoint.sh. Closing the issue.

@JustCodeIt4Head: OTOBO 10.0.4 will be released today or tomorrow. There will be a public announcement.