Closed weeblr closed 3 years ago
Maybe you did run the container without the USER 1000 and at that time these files were created? Changing the owner of the files should fix this.
This issue looks more like a support question than an issue. We strive to answer these reasonably fast, but purchasing the support subscription is not only more responsible and faster for your business but also makes Weblate stronger. In case your question is already answered, making a donation is the right way to say thank you!
Thanks for your reply, not sure I follow you though.
/etc/localtime
) is internal to the Weblate container, it's not one of the files I add or stuff I install. Best regards
Sorry for not being clear enough - I was talking about the "is owned by different user" part. What happened in that case:
This can be only fixed by manually fixing the permissions in the Docker volume.
The localtime issue is probably caused by your container overriding changes done by Weblate container on that file:
This can probably happen once tzdata has an update in Debian compared to what is part of the Weblate container.
The localtime issue should be addressed by https://github.com/WeblateOrg/docker/pull/961
You used a container where Weblate ran as root. Did some operations in Weblate which did create these files. Now when running as UID 1000, you get this error.
makes sense.
This can be only fixed by manually fixing the permissions in the Docker volume.
Yes, so I gathered, working on that now, need to be root inside the container to fix that though?
The localtime issue should be addressed by #961
That'd be great!
That'd mean my added ' && apt-get update && apt-get -y upgrade \' may cause an update in tzdata since when the weblate image was built, which would cause /etc/localtime to be back again owned by root, causing the failure.
So maybe I could chown weblate.weblate /app/data -R after doing the update and before switching back to USER 1000?
Yes, duplicating the logic (including replacing the symlink by a copy of the file) should fix the issue on your side as well.
Ah ok, I have to duplicate this entire code block of yours to fix that issue as well after making any update that could have restored the default behavior. OK.
[EDIT] So all is well now, after
FROM {{ weblate_weblate_docker_image }}:{{ weblate_version_to_install }}
## Django settings overrides
COPY ./settings-override.py /app/data/settings-override.py
## Backup script
USER root
RUN set -x \
&& export DEBIAN_FRONTEND=noninteractive \
&& apt-get update \
&& apt-get -y upgrade \
&& apt-get install --no-install-recommends -y \
&& apt-get install -y unzip \
&& apt-get install -y rsync \
&& apt-get install -y curl \
&& apt-get -y autoremove \
&& apt-get clean
RUN curl https://rclone.org/install.sh | bash
RUN mkdir -p /wbl_scripts/ssh
COPY ./backup_code.sh /wbl_scripts/backup_code.sh
COPY ./known_hosts /root/.ssh/known_hosts
COPY ./ssh/* /wbl_scripts/ssh/
COPY ./rclone.conf /wbl_scripts/rclone.conf
RUN chown weblate:weblate /app/data/settings-override.py \
&& chmod +rx /wbl_scripts/backup_code.sh \
&& chmod 600 /wbl_scripts/ssh/*
## Below code block copied from Weblate Dockerfile.
## See https://github.com/WeblateOrg/docker/issues/960
# Fix permissions and adjust files to be able to edit them as user on start
# - localtime/timezone is needed for setting system timezone based on environment
# - we generate nginx configuration based on environment
# - authorize passwd editing so we can fix weblate uid on startup
# - log, run and home directories
# - disable su for non root to avoid privilege escalation by changing /etc/passwd
RUN rm -f /etc/localtime && cp /usr/share/zoneinfo/Etc/UTC /etc/localtime \
&& chgrp -R 0 /etc/nginx/sites-available/ /var/log/nginx/ /var/lib/nginx /app/data /run /home/weblate /etc/timezone /etc/localtime \
&& chmod -R 770 /etc/nginx/sites-available/ /var/log/nginx/ /var/lib/nginx /app/data /run /home /home/weblate /etc/timezone /etc/localtime \
&& chmod 664 /etc/passwd /etc/group \
&& sed -i '/pam_rootok.so/a auth requisite pam_deny.so' /etc/pam.d/su
USER 1000
I have not included your latest version from #961 as it consists in adding a /etc/timezone but that file is created/updated by Weblate in the container start file. So I guess I need to wait until you release an updated Weblate image to be able to also update my code.
After all, I guess I'll have to monitor this each time to update my code in case you make any further change in that section.
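An added example, not code from this thread or from the Weblate project: a check that a derived image can run after apt-get upgrade to confirm that a path the start script writes as UID 1000 is still a regular file or directory (not a restored symlink), in group 0 and group-writable. The function names and messages are assumptions, and only the named path itself is checked, not its contents.

```shell
#!/bin/sh
# Added example (assumed names; not part of the Weblate image).
#
# check_start_path PATH [GID]
#   Succeeds only if PATH exists, is not a symlink, belongs to group GID
#   (default 0) and is group-writable. That is the state the copied
#   permissions block creates for the non-root start script.
check_start_path() {
    path=$1
    gid=${2:-0}
    if [ -L "$path" ]; then
        # A package upgrade (e.g. tzdata) can put the default symlink back.
        echo "FAIL $path: is a symlink"
        return 1
    fi
    if [ ! -e "$path" ]; then
        echo "FAIL $path: missing"
        return 1
    fi
    # find prints the path only if the group matches and the group-write
    # bit (octal 020) is set; -prune stops it descending into directories.
    if [ -z "$(find "$path" -prune -group "$gid" -perm -020 -print)" ]; then
        echo "FAIL $path: not group $gid or not group-writable"
        return 1
    fi
    echo "ok   $path"
}

# check_start_paths GID PATH...
#   Checks every path so all failures are reported in one run;
#   returns non-zero if any path failed.
check_start_paths() {
    gid=$1
    shift
    rc=0
    for p in "$@"; do
        check_start_path "$p" "$gid" || rc=1
    done
    return $rc
}
```

Run as a final RUN step before USER 1000 (for example check_start_paths 0 /etc/localtime /app/data), it makes a regressed image fail at build time instead of at container start.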
It should be possible to remove that block once https://github.com/WeblateOrg/docker/pull/961 is merged.
OK, thanks. I have subscribed to #961. We can close this I think.
Thank you for your report, the issue you have reported has just been fixed.
In #881, I described how I am stuck on Weblate 4.2.2 with a fatal error
/app/bin/start: 47: /app/bin/start: cannot create /etc/localtime: Permission denied
happening on starting up the Weblate docker setup. I tried digging a bit more as the problem is still the same for all recent versions of Weblate, and I have found the source of the issue without being able to solve it as the error itself happens inside of Weblate dockerfile.
I use the standard Dockerfile but extend it to add backup script and a couple of things:
Dockerfile used:
Issue
Problem is with changing the USER value. I found out that I need to change USER to root to be able to run apt-get install and such.
But then Weblate does not run as it expects the weblate user to be the owner of, for instance, git files. From the logs:
Which is why I appended
USER 1000
at the end of my Dockerfile. But since version 4.3 (or about that), the USER 1000 instruction causes Weblate to fail with:
/app/bin/start: 47: /app/bin/start: cannot create /etc/localtime: Permission denied
At this point, the only thing I can think of is just copy your Dockerfile and modify it instead of extending it but then I'd have to check for changes before doing any update in the future.
I suspect I'm lacking in the Dockerfile and Docker compose sector to be able to solve this properly. Do you have any advice for me?
Thanks and regards