search

appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0
34.35k stars 3.72k forks source link

[Feature]: Support Docker Swarm deployments #9707

Open inmakum19 opened 2 years ago

inmakum19 commented 2 years ago

Is there an existing issue for this?

Current Behavior

appsmith in docker swarm

Since docker swarm doesn't have root privilege's, permissions related issues are throwing when running image inside a docker swarm.

below are the error's from docker service logs.

After initial error below modification is done in docker file

image

then observed the secondary error

logs

  1. Initial error

formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Load environment configuration formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Checking environment configuration formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Init database formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Check initialized database formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Mounting Let's encrypt directory formbuilderui.1.joehd7ao0aez@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied formbuilderui.1.r1ozq3kz7so5@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied formbuilderui.1.fqmfftx1x0f3@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Checking configuration file formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Load environment configuration formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Checking environment configuration formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Init database formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Check initialized database formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Mounting Let's encrypt directory formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied

  1. Secondary error(supervisor error)

formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Checking configuration file formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Load environment configuration formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Checking environment configuration formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Init database formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Check initialized database formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Mounting Let's encrypt directory formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,707 INFO Included extra file "/etc/supervisor/conf.d/backend.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,707 INFO Included extra file "/etc/supervisor/conf.d/cron.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,707 INFO Included extra file "/etc/supervisor/conf.d/editor.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,707 INFO Included extra file "/etc/supervisor/conf.d/mongodb.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,708 INFO Included extra file "/etc/supervisor/conf.d/redis.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,708 INFO Included extra file "/etc/supervisor/conf.d/rts.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,722 INFO RPC interface 'supervisor' initialized formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,723 CRIT Server 'inet_http_server' running without any HTTP authentication checking formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13) formbuilderui.1.4aqnl6refn06@ability-edge-sdk | For help, use /usr/bin/supervisord -h formbuilderui.1.urbo9pbc1qal@ability-edge-sdk | Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13) formbuilderui.1.urbo9pbc1qal@ability-edge-sdk | For help, use /usr/bin/supervisord -h formbuilderui.1.juc46ui0xq8e@ability-edge-sdk | Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13) formbuilderui.1.juc46ui0xq8e@ability-edge-sdk | For help, use /usr/bin/supervisord -h formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Checking configuration file formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Load environment configuration formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Checking environment configuration formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Init database formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Check initialized database formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Mounting Let's encrypt directory formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,494 INFO Included extra file "/etc/supervisor/conf.d/backend.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,494 INFO Included extra file "/etc/supervisor/conf.d/cron.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,494 INFO Included extra file "/etc/supervisor/conf.d/editor.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,495 INFO Included extra file "/etc/supervisor/conf.d/mongodb.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,495 INFO Included extra file "/etc/supervisor/conf.d/redis.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,495 INFO Included extra file "/etc/supervisor/conf.d/rts.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,505 INFO RPC interface 'supervisor' initialized formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,506 CRIT Server 'inet_http_server' running without any HTTP authentication checking formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13) formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | For help, use /usr/bin/supervisord -h formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Checking configuration file formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Load environment configuration formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Checking environment configuration formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Init database formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Check initialized database formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Mounting Let's encrypt directory

Steps To Reproduce

  1. Created a new docker image.
  2. Pull the image.
  3. Create a service inside docker swarm.

Environment

Release

Version

Self-Hosted

mohanarpit commented 2 years ago

Can you share the Docker Swarm configuration that you have used to host Appsmith? Appsmith needs a persistent volume in order to issue certificates & persist data. Hence, asking for the swarm configuration.

inmakum19 commented 2 years ago

Below is the service configuration

Ability_ /home/ability $ docker service inspect formbuilderui [ { "ID": "ovf1w2ctrju63hrcju879ohqh", "Version": { "Index": 15243 }, "CreatedAt": "2021-12-10T17:22:43.4255516Z", "UpdatedAt": "2021-12-10T17:22:43.491757Z", "Spec": { "Name": "formbuilderui", "Labels": { "module": "true", "objectId": "4865206a-dcf3-47c6-b87c-08ccd3153b18", "system": "false", "traefik.enable": "true", "traefik.http.middlewares.formbuilderui.stripprefix.prefixes": "/formbuilderui/", "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme": "https", "traefik.http.routers.formbuilderui.entrypoints": "https", "traefik.http.routers.formbuilderui.middlewares": "formbuilderui", "traefik.http.routers.formbuilderui.rule": "PathPrefix(/{path:(?i:formbuilderui/)})", "traefik.http.routers.formbuilderui.tls": "true", "traefik.http.services.formbuilderui.loadbalancer.server.port": "80", "type": "abb.ia.edge.modules.formbuilderfrontendpoc.configuration@1", "version": "1" }, "TaskTemplate": { "ContainerSpec": { "Image": "registry.hub.docker.com/11616125/formbuilderui:latest", "Env": [ "module_id=formbuilderui", "host_rpc_server_path=/var/ability/rpc/socket", "object_id=4865206a-dcf3-47c6-b87c-08ccd3153b18", "device_id=6406240a-f8a4-4fd0-963e-119d04000416", "tenant_id=9ebcb34e-839d-4729-8389-0e4106efb2a1", "connectivity_mode=connectondemand", "reverse_proxy_url=https://unicorns10.iomind.abb.com", "authentication_server_url=https://unicorns10.iomind.abb.com/auth", "api_gateway_url=http://edgeapigateway:8880", "principal_id=8e1a23b2-467c-49cd-996d-2ee68665cc2c", "mqtt_client_id=formbuilderui", "mqtt_url=mqtt://edge-broker:1883", "mqtt_password_file=/run/secrets/formbuilderui", "topics_model_in=modules/formbuilderui/model/desired", "topics_model_out=modules/formbuilderui/model/reported", "topics_methods_in=modules/formbuilderui/methods/req", "topics_methods_out=modules/formbuilderui/methods/res", "topics_messages_in=modules/formbuilderui/messages/devicebound", "topics_messages_out=modules/formbuilderui/messages/events", "topics_local_in=modules/local/formbuilderui", "topics_local_out=modules/local", "topics_files_in=modules/formbuilderui/files/notifications", "topics_files_out=modules/formbuilderui/files/upload", "topics_lwt=modules/formbuilderui/lwt", "topics_status_in=modules/+/status", "topics_status_out=modules/formbuilderui/status", "topics_cold=cold/", "topics_warm=warm/", "topics_hot=hot/", "topics_audit_events=modules/formbuilderui/auditEvents", "appConfiguration__webApiUrl=formbuilderui", "log_level=Information" ], "User": "999:999", "Mounts": [ { "Type": "bind", "Source": "/var/ability/modules/formbuilderui/appsmith-stacks", "Target": "/appsmith-stacks" }, { "Type": "bind", "Source": "/var/ability/modules/formbuilderui/files", "Target": "/files" }, { "Type": "bind", "Source": "/var/ability/modules/sharedFiles", "Target": "/sharedFiles" } ], "StopGracePeriod": 10000000000, "DNSConfig": {}, "Secrets": [ { "File": { "Name": "formbuilderui", "UID": "0", "GID": "0", "Mode": 292 }, "SecretID": "r4kfd9wtpdmokg6gynrnprmcc", "SecretName": "formbuilderui" } ], "Isolation": "default" }, "Resources": {}, "RestartPolicy": { "Condition": "any", "Delay": 5000000000, "MaxAttempts": 0 }, "Placement": {}, "ForceUpdate": 0, "Runtime": "container" }, "Mode": { "Replicated": { "Replicas": 1 } }, "UpdateConfig": { "Parallelism": 1, "FailureAction": "rollback", "Monitor": 5000000000, "MaxFailureRatio": 0, "Order": "stop-first" }, "RollbackConfig": { "Parallelism": 1, "FailureAction": "pause", "Monitor": 5000000000, "MaxFailureRatio": 0, "Order": "stop-first" }, "Networks": [ { "Target": "x7rajl08w0y0oi7fm03iju8hn" } ], "EndpointSpec": { "Mode": "vip" } }, "Endpoint": { "Spec": { "Mode": "vip" }, "VirtualIPs": [ { "NetworkID": "x7rajl08w0y0oi7fm03iju8hn", "Addr": "10.0.1.192/24" } ] } } ]

sharat87 commented 2 years ago

Hey, thank for sharing this. We are looking into this currently.

inmakum19 commented 2 years ago

Hello all, thanks for working on the bug. Any solution?

sharat87 commented 2 years ago

Hey @inmakum19, sorry we're still working on this one. We'll share updates regarding this on this issue when we resolve it. Thank you for sharing your interest.

inmakum19 commented 2 years ago

Hello all, Any solution?

sharat87 commented 2 years ago

Hey @inmakum19, thanks for sharing your interest in this. This has actually gotten a little more elaborate than we initially expected. We are actually still working on this, figuring out the best path towards this. Thank you for your patience.

anvaravind commented 2 years ago

@sharat87 is this issue because of superviord software? Just wanted to know if I can contribute here

sharat87 commented 2 years ago

Hey @anvaravind, thanks for offering! The problem's actually not related to supervisord. The problem is to do with the fact that currently, the Docker image is built assuming commands are run as the root user inside the container. This is usually find, since the container is already a sandbox so the root user shouldn't have any affect on the host.

However, environments like Docker Swarm (and at least OpenShift I think) don't work with this. They need the image to use a user with less privileges than the user. I'm not really sure of the intricacies of why and how this is the case, but that's what we're observing. We're now trying to figure out how best to make this change without breaking existing installations.

ricardosantosmti commented 2 years ago

Any news? I'm experiencing the same problem in Openshift 4

inmakum19 commented 2 years ago

@ricardosantosmti Are you running as the docker service?

Nikhil-Nandagopal commented 6 months ago

We've solved this for open shift but I'll turn this into a feature request for docker swarm